Solved: [BAD CSRF] on attempted login - issue with Lastpass and Discourse

(Marcus Baw) #1

(This is not really a bug with Discourse itself, it’s just an oddity of the interaction between LastPass and Discourse. Hence if it’s felt that this post should be in a different section of Meta, please feel free to tell me and I’ll move it.)

For some months now I’ve had an intermittent issue with logging into some of my Discourse instances using LastPass. On trying to log in via the normal GUI login dialog I would occasionally get an error/exception response [‘BAD CSRF’], which didn’t necessarily happen every time, and didn’t happen with all users (I usually have several user accounts for each of my instances and can test with various accounts). The problem has persisted over several versions of Discourse and didn’t seem to suddenly ‘appear’ after an update.

On logging into Discourse, with LastPass filling in my credentials and AutoLogin enabled, I would get this error persistently:

I think that this is being caused by the AutoLogin feature of LastPass - this feature fills in the login credentials in the login dialog, and automatically ‘clicks’ the Log In button. It’s intended function is to make logging into sites more-or-less a ‘one-click’ operation.

I know next to nothing about CSRF except what I’ve just been googling about it - but possibly the absence of a delay between LastPass entering the credentials and clicking the ‘Log In’ button might be triggering the CSRF prevention mechanism in Rails? Somehow the CSRF prevention token is not getting sent to the server. Or maybe the absence of any delay makes Rails flag this as a possible automated login attempt (eg a login CSRF attack mediated via a malicious link). I dunno.

Solution: If the AutoLogin feature is disabled, LastPass will fill in the credentials but doesn’t automatically ‘click’ the Log In button. You click it manually, and login proceeds as normal. To disable the feature, edit the site in your LastPass vault, and ensure that the AutoLogin flag is unchecked / unticked.

I thought I’d share this observation here in case anyone else in the community is having a similar problem, as there was nothing already that I could find on Meta (or anywhere else) relating to [‘BAD CSRF’]s on login using the GUI. (All I could find was [‘BAD CSRF’] issues when using the API.)