Problems when commenting, probably because of CSRF protection
Created by: enumag
Lately my team and I have had a problem when commenting on an issue. Very often the comment is not saved, and what's more, when pressing F5 I get redirected to the login page, even though I logged in just a few minutes ago and even checked the "Remember me" checkbox.
Today I've deleted all log files, waited for the issue to appear and then finally found something useful in the production.log:
Started POST "/<GROUP>/<PROJECT>/notes" for <MY_IP_ADDRESS> at 2014-03-13 19:47:32 +0100
Processing by Projects::NotesController#create as JSON
Parameters: {"utf8"=>"✓",
"authenticity_token"=>"9uC1s4NV14JXg5injasBm7cKjJDcxEv2/H+RKnbqiRM=",
"target_type"=>"",
"target_id"=>"",
"note"=>{"commit_id"=>"", "noteable_id"=>"215", "noteable_type"=>"Issue", "note"=>"TEXT OF THE COMMENT THAT I WAS TRYING TO SEND"}, "commit"=>"Add Comment", "project_id"=>"<GROUP>/<PROJECT>"}
Can't verify CSRF token authenticity
Completed 401 Unauthorized in 61ms
EDIT: I've formatted the "Parameters" in output above to more lines for readability.
The part that is important in my opinion is the line "Can't verify CSRF token authenticity". It is true that the issue always happened when I was on the issue page but was inactive for a few minutes because of reading previous comments, opening attachments and checking various related material. So it's possible that the CSRF token expired in the meantime. I think that the time limit is too short, but that can probably be set in a config somewhere.
Steps to reproduce: Open an issue page, wait until CSRF token expires and send a comment.
Expected behavior: Some error message that CSRF token expired and an opportunity to send the comment again (without having to write it again from scratch!). And of course no logging out.
Observed behavior: No error message at all and what's more I get logged out automatically. And the text of my comment is lost entirely of course.
Worst case of all is writing a long comment when the writing takes longer than the CSRF expiration. Then I get very pissed that I have to write the long comment again and don't even know what happened.
As for the output of checks, see #6443 (closed) which I reported earlier. The outputs are the same.
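To illustrate the mechanism behind the log line above, here is an added Ruby example (not GitLab's or Rails' own code) that models Rails-style CSRF verification: the token embedded in the form must match the token stored in the server-side session, so a session that has expired or been reset no longer matches any form the user still has open. The session-resetting handler is an assumption that reproduces the logout the report describes; the second handler shows the behaviour the reporter asks for (keep the login, keep the draft, issue a fresh token).

```ruby
require 'securerandom'
require 'base64'

# Minimal model of Rails-style CSRF protection. The form token is only valid
# while the session that issued it still exists server-side; an expired or
# reset session therefore turns every pending form into a 401.
module CsrfDemo
  TOKEN_BYTES = 32

  # Store a token in the session (if none yet) and return it for the form.
  def self.issue_token(session)
    session[:_csrf_token] ||= Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_BYTES))
  end

  # Constant-time comparison so the check does not leak the token via timing.
  def self.secure_compare(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.valid_token?(session, submitted)
    secure_compare(session[:_csrf_token], submitted)
  end

  # Assumed handler matching the reported behaviour: on a failed check the
  # session is cleared, so the user is logged out and the note text is lost.
  def self.handle_unverified_reset(session, params)
    return { status: 200 } if valid_token?(session, params['authenticity_token'])
    session.clear
    { status: 401, logged_in: false, draft: nil }
  end

  # Friendlier handler: reject the request, keep the login state, hand the
  # draft back and rotate the token so the user can resubmit immediately.
  def self.handle_unverified_keep_draft(session, params)
    return { status: 200 } if valid_token?(session, params['authenticity_token'])
    session.delete(:_csrf_token)
    { status: 422,
      logged_in: session.key?(:user_id),
      draft: params.dig('note', 'note'),
      token: issue_token(session),
      message: 'Your session token is no longer valid; please submit the comment again.' }
  end
end
```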