Bug 919472 (Closed, VERIFIED FIXED): CSRF protection and persona

Product/Component: Participation Infrastructure :: Phonebook, defect
Reporter: alexis+bugs (Unassigned)
Whiteboard: [kb=1129325] [qa-]
Attachments: 1 file

Just after logging in via Persona with an alias address (mine is alexis@mozilla.com), I'm getting a "403 Forbidden" page without much explanation. I suppose this is because the LDAP lookup failed (you cannot use aliases there), but the result is misleading: we should at least show a nice error message saying that the authentication didn't work. (I'm able to log in with my regular LDAP username by doing the normal Persona authentication flow otherwise.)
Thanks for filing this bug report Alexis. Mozillians has nothing to do with LDAP, so logging in with an alias should work just fine, as soon as this goes through Persona. Can you please give me a screenshot of the error you're getting?
Assignee: nobody → giorgos
Status: NEW → ASSIGNED
Attached image 403
This is a "generic" 403 Django error.
This is a CSRF form error and should have nothing to do with aliases. Maybe you have two mozillians.org tabs open and Persona is submitting both on login? In this case one will fail.
It seems to be the problem, yes. When I have two tabs open on mozillians.org, and I'm using the second one to do the authentication flow, then I'm getting a 403 CSRF form error, but I'm authenticated on the first tab. I suppose this is not the intended behavior, or at least this is really not straightforward, as a user.
Summary: Mozillians show a 403 Forbidden after logging in. → Mozillians show a 403 Forbidden after logging in when having more than one tab open.
OK. This is due to Persona trying to auto-log you in. I'm not sure if we can do much on our end about this, but I'll leave this bug open as a reminder to talk with Persona devs about it.
Assignee: giorgos → nobody
Status: ASSIGNED → NEW
ccing lloyd for more input here. I'm not sure if they're actually using bugzilla or github to track issues.
Re bugzilla vs. github - we use whatever bug system we need to get things done. Down with dogma!

I was able to successfully reproduce this issue:

1. open two tabs to mozillians
2. log in in one
3. notice the second fails with a CSRF failure

In 15 minutes of thinking about it, I can't uncover that graceful and elegant tweak that would make this problem go away. I don't know the details of your CSRF protection, how it's implemented and what the restrictions are. Some thoughts:

1. A valid assertion is probably stronger than CSRF protection - could you relax CSRF protection on this route without net security impact?
2. Could you fetch a fresh csrf token and then auth when onlogin fires?
3. upon CSRF failure on login can you check the user's logged in state before displaying an error?

I'll touch base with some of the folks in the persona team and see if there's a more satisfying answer. Can anyone on this bug think of something we could change that would help you?
:alexis, have you checked out :wbamberg's doc on CSRF protection and Persona? https://github.com/wbamberg/persona-mdn/blob/master/csrf-problems.md
:wbamberg's docs are really helpful. Thanks for sharing that Shane!
Summary: Mozillians show a 403 Forbidden after logging in when having more than one tab open. → CSRF protection and persona
Thanks Giorgos. The home for these docs is here: https://developer.mozilla.org/en-US/Persona/The_implementor_s_guide in case there's anything you'd like to add.
It would be great to fix this before summit!
Is this a blocker for the summit?
Seems like the summit would be the peak traffic period for mozillians.org. If we can fix, we would reduce a lot of user frustration. My feeling is yes, it's a blocker. If you point us to source, maybe someone on Persona can offer a pull request.
Source code is here https://github.com/mozilla/mozillians and we always welcome pull requests! :)
Whiteboard: [kb=1129325]
This will be fixed by upgrading to django-browserid v0.10 which doesn't autologin and fetches CSRF tokens using AJAX.
Depends on: 1000908
Just reproduced this issue in production:

1. Browsed to http://mozillians.org/ The site displayed showing my user page (and my image), and then after about 1 second, the page refreshed and logged me out.
2. I clicked "Sign In" which launched the Persona popup. I signed in with my @mozilla.com email address, putting in my LDAP password into the MozIDP interface. Persona swiped across indicating sign in and the popup closed.
3. The original mozillians page was then taken to https://mozillians.org/browserid/login/ and this error was displayed: "Forbidden (403) CSRF verification failed. Request aborted. More information is available with DEBUG=True." http://i.imgur.com/Ik7CBfE.png
4. I browsed a second time to https://mozillians.org/ and I am logged in.
Django-browserid v0.10 (bug 1000908) uses AJAX to fetch a fresh CSRF token and doesn't autologin anymore. This is now fixed.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
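The two-tab failure and the v0.10 fix, as an added model that is not code from mozillians, django-browserid or Django: a per-session CSRF token that rotates when the session logs in (assumed to mirror what Django's contrib.auth.login does), two tabs that each hold the token embedded at page load, and a login endpoint that rejects a stale token with a 403. The assertion payload and token format are constructed stand-ins.

```python
import secrets

class Server:
    """Model of the site: one CSRF token per session, rotated on login
    (assumption: what Django's contrib.auth.login does via rotate_token())."""

    def __init__(self):
        self.csrf = secrets.token_hex(8)
        self.user = None

    def render_page(self):
        """A tab captures the token embedded in the page at load time."""
        return self.csrf

    def get_csrf_token(self):
        """Endpoint the fixed client calls by AJAX right before posting."""
        return self.csrf

    def browserid_login(self, token, assertion):
        """POST /browserid/login/: a stale token is rejected with a 403."""
        if token != self.csrf:
            return 403                        # "CSRF verification failed"
        self.user = assertion["email"]
        self.csrf = secrets.token_hex(8)      # rotation on login
        return 200

ASSERTION = {"email": "user@example.com"}     # constructed stand-in payload

def old_flow(server):
    """Pre-v0.10: both tabs hold load-time tokens and Persona's autologin
    fires onlogin in every open tab. The first POST succeeds and rotates the
    token, so the second tab's POST uses a token that is now stale."""
    tab1, tab2 = server.render_page(), server.render_page()
    return (server.browserid_login(tab1, ASSERTION),
            server.browserid_login(tab2, ASSERTION))

def new_flow(server):
    """v0.10: no autologin, so only the tab where the user clicked Sign In
    posts, and it fetches a fresh token by AJAX immediately before posting.
    Returns what the stale page token vs. the fetched token would yield after
    a login elsewhere has rotated the token."""
    stale = server.render_page()                       # tab loaded earlier
    server.browserid_login(server.get_csrf_token(), ASSERTION)  # login elsewhere
    return (server.browserid_login(stale, ASSERTION),
            server.browserid_login(server.get_csrf_token(), ASSERTION))
```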
Bumping to verified as [qa-]
Whiteboard: [kb=1129325] → [kb=1129325] [qa-]
Status: RESOLVED → VERIFIED