I'm getting complaints from a user who is constantly getting a CSRF 403 error when he tries to login to my site (using django.contrib.auth.views.login).
I don't get this error myself, and have no other users complaining of the issue. Any idea what it could be? How should I go about debugging this?
Is there a way to log detailed information about CSRF failures so I can try to inspect the user's state when they login. I don't want to turn DEBUG=True for an external user...
Based on your reply to my comment, I am not sure what is causing this issue. I would use CSRF_FAILURE_VIEW to implement a custom view that would give you more information about what is happening.
I recently ran into that and it turned out to be a cookie problem, as in the end user had them disabled.
Related
I've got a rather odd problem. I've got probably 100s of ajax calls back to my backend. They all work except for one. For some reason, on one page that doesn't require that the user be logged in to access (but can be logged in when they access the page), the ajax query fails due to missing CSRF token. When I clear history/cookies in Chrome, the ajax call is successful.
Any thoughts on what could be causing this?
Thanks!
I am using omniauth-saml 1.3.1 with omniauth 1.2.2 in rails 4.2. It works well with my test identity provider set up at openidp.feide.no (a nifty tool for those setting up a SAML service provider). It even works in production.
Now I am trying to get an IdP set up with a client of mine. When the user visits /auth/saml, they are directed to the client's IdP as expected. The user is able to use their email/pw to login.
The IdP then responds to my SP, but omniauth is redirecting to the failure callback.
As seen here, I get an error message "invalid_ticket". However, the error itself isn't getting passed to my failure controller action in env["omniauth.error"], as I read it should somewhere (unfortunately I can't find that documentation right now).
I'm hoping somebody will have some advice as to how I can figure out what is causing the "invalid_ticket" to happen. Is there perhaps a way to see the raw SAML response from the IdP?
I should note that I need to find this information in production because the client's IdP points to our production SP and I can't convince them to point it somewhere I can do some more extensive testing (like my localhost dev machine). I can, however, write in some more logging or Honeybadger exception reporting if that will help.
Currently, I am reporting to Honeybadger all env["omniauth.*"] values and params when omniauth redirects to the failure route, but I am not getting any information further than Omniauth message: invalid_ticket.
A big thank you to anyone who can help me go in the right direction here!
You might want to try adding other environments to failure_raise_out_environments:
OmniAuth.config.failure_raise_out_environments = ['development', 'staging', 'production']
to your initializer. You will get meaningful error messages in your log or Honeybadger.
These errors are by default raised only in development environment.
Clould9's Django out of the box gives CSRF error when I attempt to login to the admin page.
Reason given is:
- Forbidden (403)
- CSRF verification failed. Request aborted.
- Referer checking failed - https://mysite.c9.io/admin/login/?next=/admin/ does
not match https://mysite.c9.io:443/
No changes were made to the instance, other than creating a superuser.
Commenting out setting.py MIDDLEWARE_CLASSES 'django.middleware.csrf.CsrfViewMiddleware' did not fix the issue.
Current workaround is through setattr(request, '_dont_enforce_csrf_checks', True), found here:
Django CSRF framework cannot be disabled and is breaking my site
The problem seems to be the way Cloud9 treats HTTPS on port 443. Is there a way to fix this without disabling CSRF for the whole site? I also seem to be sandboxed out of django-admin.py, so I can't limit the hack to just the admin page.
I have opened a ticket for this issue with the cloud9 support #eff M. They are great guys out there and great IDE as well with great support.
Meanwhile try this workaround for the time being:
access your admin page with http://mysite.c9.io/admin/login/?next=/admin/ and not with https://mysite.c9.io/admin/login/?next=/admin/ and see if you can login. it worked well on my side.
I have setup a website in django and added csrf middleware. I could see CSRF failures frequently from the website. Currently I display a 500 error page when CSRF failure occurs.
However, I am thinking of loading the same URL as a GET request whenever a CSRF failure occurs, and ask the user to resubmit the form again. Is this method advisable? What will be the security issues that will arise due to this? Any thoughts on this will be helpful.
As any attacker will not have access to the response due to the Same Origin Policy, you may return whatever you like including a 200 OK with a description to help the user.
If you wanted you could include a 500 INTERNAL SERVER ERROR response, but you could also include some HTML content to advise the user that they should resubmit the form.
Currently I have my production environment set up so that MANAGERS are emailed any time there's a 500 error. I would also like to be emailed anytime someone tries to access something they don't have permission to (i.e., they produce a 403 error).
As far as I can see, you can easily get Django to email you when someone produces a 404 (https://docs.djangoproject.com/en/dev/howto/error-reporting/#errors), but there's nothing like this for a 403.
What's the best way to get Django to send emails when someone produces a 403?