-
-
Notifications
You must be signed in to change notification settings - Fork 305
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
After a successful login if I go back in browser I get CSRF detected error #95
Comments
I'm also running into this problem in my project. There's also an old issue #58 that I think is related to this one. Let me explain my thinking. BackgroundLet's illustrate the general flow with an example of an app offering Facebook sign in:
Notice that Root CauseThe fact that
SolutionThe issue could be solved by not removing the state from the session. It should also keep a list of all known states in order to support multiple sign ins (e.g. using multiple providers). The downside is we'll need a way to clean up old states. This could be handled in A related idea is that the library user should be able to decide how to store states. For example, in my Rails app I'd be able to do something like (ignore the pros and cons of this implementation; that's not the point): class CookieStore
def add(state)
cookies.signed[state] = { value: 'accept', expires: 15.minutes.from_now }
end
def has?(state)
cookies[state]
end
end SummaryThe issue could be solved (and the gems capabilities expanded) with the following:
If you think this is a good plan then I'm happy to submit a PR this week. |
It seems like we're having this issue as well. I'm wondering if we could just not try to log them in w/o a state if they are already logged in? When they hit back, the site knows that they are already logged in, so it seems like there is nothing left to do. If they don't have a state set we can assume it's a back button and just keep them logged in. We could throw an error if the email was different or something or maybe log a warning. Is there a newer version of the gem that solves this issue? |
I've build an OAuth2 provider using the doorkeeper engine with devise. On my client app I'm using a custom omniauth-oauth2 -v 1.3.1 strategy. Everything works well, but after I sign in if I hit the back button on the browser I get
I dug into the omniauth-oath2 code and it appears that there are two methods that I think are closely related to this problem, one that creates the session["omniauth.state"] from the url params:
and one that checks this and deletes this from the session on the callback process:
It appears that somehow the first method is not called on going back from the browser. Does someone had the same problem and is there a solution to this problem without setting the
:provider_ignores_state
totrue
. Do I need to set something on the provider, I really don't get it, plus I can't seem to find this problem anywhere on the web and I highly doubt it I'm the first one that recognizes it, but I may be the first one that can't find a reasonable solution without affecting security.The text was updated successfully, but these errors were encountered: