BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

"419 Page Expired" when a user is inactive on the login page and then tries to log in, with Single Sign On mode configured #4982

Open nurradityam opened 2 months ago

nurradityam commented 2 months ago

Describe the Bug

I just noticed that the login page, when configured with Single Sign On, does not automatically refresh, so if a user logged out or was inactive on the login page for a long time and then tries to log in, it shows a 419 Page Expired error. The current workaround is refreshing the page.

Steps to Reproduce

  1. BookStack configured in SSO mode
  2. go to the BookStack login page and leave the page inactive for a few hours
  3. try to log in
  4. it shows 419 Page Expired

Expected Behaviour

after clicking login it should redirect to the SSO login page

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

v24.02.2

ssddanbrown commented 2 months ago

Hi @nurradityam, This is by design really and applies to all forms within BookStack.

mswinehart commented 2 months ago

@ssddanbrown Can you clarify how CSRF tokens are reissued on session timeout, creation & end?

For example—say there are two tabs of bookstack open at the login page. A user can use one page to log into the app, do their thing and then close that tab. Come back in a few minutes to the previously open login tab, attempt a login and they'll receive a 419. Is there any keep-alive support for bookstack-issued CSRF tokens?
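The two failure cases discussed in this thread (a login form left idle past the session lifetime, and a second tab submitting a form after another tab has logged in) both come down to the same check: Laravel compares the `_token` field embedded in the rendered form against the token stored in the current session, and reports a mismatch as HTTP 419 "Page Expired". The model below is an added example, not BookStack or Laravel code. It assumes a cookie-backed session store with a sliding idle lifetime (Laravel's `SESSION_LIFETIME`, in minutes), one CSRF token per session, and a login that regenerates the session and its token, as Laravel's `session()->regenerate()` does; the scenario functions, clock values and user name are constructed for illustration.

```python
"""Model of synchronizer-token CSRF checking with session expiry.

Added example, not BookStack or Laravel code. It shows why a login form left
open past the session lifetime, or left open in a second tab while another tab
logs in, fails the CSRF check that Laravel reports as "419 Page Expired".
Assumed: cookie-backed sessions with a sliding idle lifetime, one CSRF token per
session, and a login that regenerates the session (new id, new token).
"""
import secrets
from dataclasses import dataclass, field

SESSION_LIFETIME_MIN = 120  # assumed config value (Laravel SESSION_LIFETIME, minutes)


@dataclass
class Session:
    sid: str
    token: str
    last_activity: int          # minutes on a constructed clock
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, lifetime_min: int = SESSION_LIFETIME_MIN):
        self.lifetime = lifetime_min
        self.sessions: dict[str, Session] = {}

    def _new(self, now: int) -> Session:
        s = Session(secrets.token_hex(16), secrets.token_hex(20), now)
        self.sessions[s.sid] = s
        return s

    def load(self, cookie_sid, now: int) -> Session:
        """Return the live session for the cookie, or a fresh one if it is missing or expired."""
        s = self.sessions.get(cookie_sid)
        if s is None or now - s.last_activity > self.lifetime:
            if s is not None:
                del self.sessions[s.sid]   # garbage-collect the expired session
            return self._new(now)          # fresh session => fresh token
        s.last_activity = now              # sliding expiry: activity extends the session
        return s

    def regenerate(self, s: Session, now: int) -> Session:
        """Login: new session id and new CSRF token; any token still in an open page is now stale."""
        del self.sessions[s.sid]
        fresh = self._new(now)
        fresh.data = dict(s.data)
        return fresh


def render_login_form(store: SessionStore, cookie_sid, now: int):
    """GET /login: the browser keeps the returned cookie and the hidden _token in the page."""
    s = store.load(cookie_sid, now)
    return s.sid, s.token


def post_login(store: SessionStore, cookie_sid, form_token: str, now: int):
    """POST /login: CSRF middleware runs first; on success the session is regenerated."""
    s = store.load(cookie_sid, now)
    if not secrets.compare_digest(s.token, form_token):
        return 419, s.sid                  # token mismatch => "419 Page Expired"
    s = store.regenerate(s, now)
    s.data["user"] = "alice"               # constructed user
    return 302, s.sid                      # redirect on to SSO / the app


# Scenario 1: form loaded, tab left idle past the lifetime, then submitted.
def stale_tab_after_idle(lifetime: int = SESSION_LIFETIME_MIN) -> int:
    store = SessionStore(lifetime)
    sid, tok = render_login_form(store, None, now=0)
    return post_login(store, sid, tok, now=lifetime + 60)[0]


# Scenario 2: two tabs share one session; tab 1 logs in, tab 2 submits its old token.
def second_tab_after_login_elsewhere():
    store = SessionStore()
    sid, tok_tab2 = render_login_form(store, None, now=0)         # tab 2 loads the form
    _, tok_tab1 = render_login_form(store, sid, now=1)            # tab 1 loads the same form
    status1, new_sid = post_login(store, sid, tok_tab1, now=2)    # tab 1 logs in
    status2, _ = post_login(store, new_sid, tok_tab2, now=5)      # tab 2 uses the stale token
    return status1, status2


# Scenario 3: the workaround from the report: reload the form, then submit.
def refreshed_tab() -> int:
    store = SessionStore()
    sid, _ = render_login_form(store, None, now=0)
    sid, tok = render_login_form(store, sid, now=SESSION_LIFETIME_MIN + 60)  # reload picks up the live token
    return post_login(store, sid, tok, now=SESSION_LIFETIME_MIN + 61)[0]


if __name__ == "__main__":
    print("idle tab:", stale_tab_after_idle())                    # 419
    print("second tab:", second_tab_after_login_elsewhere())      # (302, 419)
    print("refreshed tab:", refreshed_tab())                      # 302
```

The model makes the practitioner's caveat visible: the stored token is per session, so anything that replaces the session (idle expiry, or the regeneration a successful login performs) silently invalidates every form already rendered in the browser, and the only thing a stale page can do is fetch a fresh copy of the form. A keep-alive that merely pings the server extends the sliding expiry and so covers scenario 1, but it cannot help with scenario 2, where the token changed rather than expired.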