STR:
1) Open *two* tabs with the Socorro front page.
2) Sign in via Persona via the button on one of them.

Expected Results: Active tab logs in. Ideally, background tab reloads and is also logged in.

Actual results: Background tab reloads and is logged in. Active tab displays a 403 Forbidden page with the message "CSRF verification failed. Request aborted."

If you have only one tab open, everything is fine. Also, on closing the 403 tab, working with the existing one and/or opening an additional one works fine with being logged in.
fwiw I'm this behavior exists on other Mozilla sites that use Persona - Mozillians, air.mozilla.
For the record, it happens if you have multiple tabs open. It will be genuinely fixed once Persona is rewritten under something called the "goldilock project" (I think) which will make it not have state. There is no current solution in django-browserid where we're basically just hoping this known problem will disappear by goldilock coming out soon. I'm going to attempt a temporary solution specifically for crash-stats.
Status: NEW → ASSIGNED
Mainly a note-to-self, if we use the new django-browserid that uses AJAX to submit the assertions it will solve our problems. However, the >0.9 version isn't released yet and when I tried master it unfortunately forces you to have your BROWSERID_AUDIENCES set up even when doing local development with DEBUG=True. I filed https://github.com/mozilla/django-browserid/issues/222
Commit pushed to master at https://github.com/mozilla/socorro

https://github.com/mozilla/socorro/commit/03db93df3231a9bc771dee3188d0c197016a5a14
fixes bug 941358 - 403 when logging in while having a second tab open, r=AdrianGaudebert
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED