Open fishbaugher opened 8 months ago
I am going to create a list here of occurrences of this error. Please add your data to this comment, just edit/add this comment: Date/User/Approximate use time before error
1) 3/12/24 MJF 2 hrs
2) 3/12/24 MJF 2 hrs (question, what is the no-activity timeout setting for the UI?)
Very annoying and reduces confidence in the app in general and potentially involves data loss if trapped on a dirty form.
Common security feature required for secure sites hosted by ORNL.
Frequent CSRF likely indicates unstable connection.
I guess time will tell how frequently users encounter this problem. Currently, as I actively use the website for data entry, it kicks me out about every two hours. I have seen this result across multiple networks over time, so I am not convinced it is a network stability problem. Rather I suspect there is something going on with the caching of CSRF security tokens (based on a little reading on Reddit and StackOverflow). In short, other people have reported issues with intermittent CSRF disconnects.
Hopefully, the issue does not do too much damage to the v10 UI credibility.
One useful workaround is to make good use of the password storage facility built into most browsers, so when the problem rears its head, you can press Yes, and re-logon without having to manually enter username and password each time.
I have moved this up to Priority High as it became clear that it was a significant issue during in-person WAweb training last week. Nearly every user experienced this multiple times during the training and was forced to log-out and back in, losing their most recent work.
It does not appear to be related to the stability of the connection. This error has occurred frequently for state staff on their private connections, and also occurred frequently at recent trainings, which were conducted in two different college computer labs with high-speed, wired internet connections.
Logging back in is a workaround, but I second Mark's concern about this interfering with the user experience. We saw the frustration happen in real-time as folks lost the form they had been working on.
Additionally, this exacerbates Issue #100, as users may be dropped into a different audit upon log-in if someone else in their agency had more recently edited a separate audit.
Please note that internal LAN is not the concern. CSRF trigger from network instability is at the internet connection.
Noted. Since this error seems to occur on a wide variety of different internet connections and seems to frequently occur for most users, I question whether the error can be reliably fixed by changes to one's individual internet connection. If it can be, we would be interested in what combination of internet settings or providers is recommended to reliably fix or reduce the problem.
The CSRF protection incorrectly locks out the user at an inopportune time, causing data loss and extra effort. This is intermittent but persistent, almost guaranteed to show up in longer work sessions.
The only solution is to completely log out and back in, which reduces the credibility of WAweb each time it happens.