In certain flows in my web application I am getting csrf token invalid exception as follows:
HTTP Status 403 - Invalid CSRF Token 'ac6a93fd-6903-40f8-a5e2-00b9e830618b' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
Here CSRF token is present, it is not null, but invalid.Session did not expire.Faced similar issue as here CSRF token not found and solved the same.
But here I am stuck.
Edit:
This issue crops up when we open multiple tabs in browser and from one of the tabs we logout and from another tab try to login from login page.
Delete browser cookie and try again.
Generally token information is stored in cookie, in your case it seems old csrf token is still being used from cookie.
Related
I'm using directus to grant users access to ressources required by an SPA written in Angular. To authenticate users I created an auth service and interceptor to handle sessions and attach the "Authorization" header. Those services work fine and login as intended. But here comes the problem:
Directus session times are configured with default values (15 min validity for access_token, 7d for refresh_token) but as soon as the access_token expires I cannot retrieve a new one using the refresh token. This bugs me, because the goal is to keep users logged in for the next 7d (refresh_token lifespan) or until logout if they check this option.
My attempts at achieving this:
Since i'm using graphQL, i tried the "auth_refresh" mutation from the authentication documentation. While the access token is still valid, refreshing works fine. After the access token expired there is no way to retrieve a new one via a valid refresh token.
Alternatively I tried to achieve a refresh via the POST request specified by the docs (to double check if it was some sort of config error with graphql) but I encounter exactly the same problems as with graphQL. Directus returns either "401 unauthorized : Token expired."
if i extend the lifespan of the access token for longer than the server defined lifetime,
Response: Sending a token with prolonged life
or "401 unauthorized : Invalid user credentials." if I request a new token without an
"Authorization" header.
Response: Sending no access token
The refresh token is correctly loaded and sent to the server as specified in the docs in both
cases.
Now my questions are:
Am I missing something? I haven't found any further specification in the docs and the Auth0 protocol specifies that a new access token should be retrievable with a valid refresh token.
If this feature is not intended: How could I achieve a "keep me signed in" option with directus? I would like to keep user rights management in one place and do not really want to handle user auth redundantly for my current use case.
2b. Why is the lifespan of the refresh token so much longer than the lifespan of the access token if this isn't intended?
One of my thoughts is, that it has to do with access rights of the "public" role on the "directus_sessions" table. But I can't think of a way to grant only read rights for owned/received tokens, since there are no payload variables available inside the filters. Could this be the cause? Would there be a way to achieve this?
Thx&Greetz
Maybe a simple question.
Lets say that the user receives the bearer token and has an expire time of 1 day.
the user makes calls to the web api and then stops making calls say after 6 hours.
Then if the user makes a call to the web api does that auto refresh the token and then the user has another 24 hours to use the token or will it definatly expire based on the first get of the token.
thanks
Once issued, the token cannot be changed and will be valid until it expires. It doesn't matter how or when the token was used or even if other tokens were requested in the meantime.
Since the token cannot be changed, the expiration of the token cannot be extended. The token can however be revoked before it expires, based on other factors, if the server is configured to do so.
It may not be possible to extend the token itself, but it is possible to request a new token without having to send the credentials.
You can configure the server to add a refresh token to the token. Please note that this is not available for all grant_types. In case of a refresh token the normal token has an extra parameter 'refresh_token' that contains an additional token with its own expiration time. This token can be used once the normal token is expired. In that case a new token can be requested with this refresh token, without having to send the credentials.
I have no issue with my firebase token expiring but I'd like to programmatically know about this so I can ensure the UI responds in an appropriate way when this happens.
In this situations I notice that I get the following message:
resumeSession() was canceled: Auth token is expired.
How can an Ember SPA hook into this event?
How AntiForgeryToken gets invalidated? I have set up this token to prevent CSRF attacks on my login page and have inspected it with fiddler. When i call GET method the token generates as hidden field __RequestVerificationToken. When i post login data should this token be changed on next GET call? I catch with fiddler this value with post data and reissue/replay request and this works. Is this good behavior, or this replay should not happen because token value should not be valid after i leave that form.
Thanks in advance.
The token is tied to a session cookie; when the session goes away and the cookie disappears the token will be rendered invalid. The reason replays work in Fiddler is that Fiddler is capturing (and replaying) both the session cookie and the form token.
You could simulate session expiration by removing the request's Cookie header from within Fiddler before replaying. The server should then reject the form's __RequestVerificationToken field.
I apologize in advance for some confusion over the terminology. I get a bit confused with the whole OAUTH process.
I've noticed that I need to pass a redirect_uri to the facebook grant access token method even though I can't see how it's being used. My server is making the request and getting the response so there is no redirect going on. Plus it seems that the redirect uri in the granting access token call must be the same one used in the request access token call (I understand that it's needed in the request access token call but not in the grant access token call).
Not sure this is needed but here is the code I'm using in order to get facebook to grant the access token.
var url = String.Format(
"https://graph.facebook.com/oauth/access_token?client_id={0}&client_secret={1}&code={2}&redirect_uri={3}",
this.AppId,
this.AppSecretKey,
code,
System.Web.HttpContext.Current.Server.UrlEncode(this.CallbackUrl)
);
Yes, to help Facebook verify the request to exchange the auth code for an access token, the redirect_url must be the same for both requests.
You're right in that to get the access token, no actual redirect is performed, the access token is returned in the body of the HTTP response.