Can't verify CSRF token authenticity


(Pirat) #1

I constantly see this in the logs:

Can't verify CSRF token authenticity

What does it mean?


Log error: "Can't verify CSRF token authenticity"
(Michael Downey) #2

Did you search this site? Is this related?

https://meta.discourse.org/t/after-update-to-0-9-5-2-cant-log-in-getting-an-unknown-error/8784?u=downey&source_topic_id=25568

(Pirat) #3

I do not think that my error is associated with this.
Maybe I need to update something in the console, but I do not know.


(Kane York) #4

What does the env tab have?


(Dean Taylor) #5

This happens very frequently for me - perhaps 30 occurrences over the past 4 days…
… it has pretty much always occurred.

Checking the past 4 days - it seems it only occurs for mobile browsers, here are sample user agent strings:

  • Mozilla/5.0 (Linux; Android 4.4.2; SM-N9005 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.109 Mobile Safari/537.36
  • Mozilla/5.0 (Linux; Android 5.0; en-gb; SAMSUNG SM-G900F/G900FXXU1BNL9 Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Version/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
  • Mozilla/5.0 (Mobile; Windows Phone 8.1; Android 4.0; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; NOKIA; Lumia 620; Vodafone) like iPhone OS 7_0_3 Mac OS X AppleWebKit/537 (KHTML, like Gecko) Mobile Safari/537
  • Mozilla/5.0 (Linux; Android 4.4.4; C6903 Build/14.4.A.0.157) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.109 Mobile Safari/537.36
  • Mozilla/5.0 (Linux; Android 4.4.4; A0001 Build/KTU84Q) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.109 Mobile Safari/537.36

Env always includes the following:

REQUEST_URI: /topics/timings
REQUEST_METHOD: POST

params:
  timings: null
  topic_time: {some number}
  topic_id: {another number}

(Kane York) #6

/topics/timings on the client doesn’t have the best error handling in the world, and it can only hold timings for one topic at a time. It could probably do with some stability love.


(Pirat) #7

So, any ideas how to fix it?


(Sam Saffron) #8

It's not causing any issues, our client code just needs to be a bit smarter.


(Pirat) #9

I cannot understand; select 1 or 2:

  1. the error
  2. This is not a bug

(Jeff Atwood) #10

None of the above… it is extra verbose information that you don’t need to care about. It can be ignored.

It means the user’s browser did something we did not quite expect, which happens when you have thousands of web browsers, on thousands of devices, on mobile networks that may be unreliable, etc.


(Pirat) #11

Kind of figured.
So when this error occurs, the browser does not work properly on the site?
Thank you.


(Sam Saffron) #12

It probably could happen if a user has 2 browser windows open on a topic and logs out of one browser. We handle this case quite cleanly, feel free to check it out. But that error may pop up in the console.


(Dean Taylor) #13

My thoughts are that this might be:

  1. users leaving their browser open on their mobile / tablet device,
  2. switching away from the browser (answering calls / screen switching off due to user inactivity),
  3. the user later opening the browser / screen switching back on,
  4. the browser / JavaScript then activating and timing requests then being submitted back to the server.

These timing requests use an invalid CSRF token due to the user's duration of inactivity.
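An added example (not Discourse's own client code) of what "smarter client code" for the stale-token case described in #13 could look like: when the `/topics/timings` POST is rejected as a CSRF failure, the client refreshes its token once and resubmits, and gives up rather than looping. `post` and `fetchToken` are hypothetical stand-ins injected as synchronous functions so the block runs offline; the fake server is constructed for the demo.

```javascript
// Client side: resend a timings POST once after a CSRF rejection.
// `post(path, payload, token)` and `fetchToken()` are injected stand-ins
// for the real network calls (assumption, not a Discourse API).
function createTimingsSender({ post, fetchToken, initialToken }) {
  let token = initialToken;

  function send(payload) {
    let res = post("/topics/timings", payload, token);
    if (res.status === 403) {
      // The session token may have rotated while the tab sat in the
      // background (phone screen off, browser suspended). Refresh the
      // token exactly once; a second 403 is returned to the caller.
      token = fetchToken();
      res = post("/topics/timings", payload, token);
    }
    return res;
  }

  return { send, currentToken: () => token };
}

// Constructed fake server: accepts only the token it currently holds,
// mimicking the Rails "Can't verify CSRF token authenticity" rejection.
function createFakeServer(initialToken) {
  let serverToken = initialToken;
  const accepted = [];
  let rejected = 0;
  return {
    rotate(newToken) { serverToken = newToken; },
    post(path, payload, token) {
      if (token !== serverToken) {
        rejected += 1;
        return { status: 403, body: "Can't verify CSRF token authenticity" };
      }
      accepted.push({ path, payload });
      return { status: 200 };
    },
    fetchToken() { return serverToken; },
    accepted: () => accepted,
    rejectedCount: () => rejected,
  };
}

// Scenario: one successful send, the server rotates the token (as it
// would after a logout or session refresh), the next send recovers.
function runScenario() {
  const srv = createFakeServer("tok-1");
  const sender = createTimingsSender({
    post: srv.post, fetchToken: srv.fetchToken, initialToken: "tok-1",
  });
  const first = sender.send({ topic_id: 42, topic_time: 5000 }).status;
  srv.rotate("tok-2");
  const second = sender.send({ topic_id: 42, topic_time: 9000 }).status;
  return { first, second, token: sender.currentToken(),
           acceptedCount: srv.accepted().length, rejected: srv.rejectedCount() };
}
```

The server still logs one rejection for the stale request; the difference is that the client recovers and the timing data is not lost.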


(Kane York) #14

I moved a post to a new topic: CSRF error on mobiquo.php