https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 Bug ID: 37741 Summary: Koha errors on page (e.g. 404) cause incorrect CSRF errors Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: critical Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org To reproduce: 1. Set syspref IntranetFavicon to http://localhost:8081/cgi-bin/koha/bad.jpg 2. Open browser developer tools 3. Go to http://localhost:8081/cgi-bin/koha/mainpage.pl 4. Open the Network tab, disable the cache, and shift refresh 5. Notice that bad.jpg fails to load with a 404 6. Try to login to Koha 7. Confirm 403 error 8. If you look at the cookies sent/received by mainpage.pl on the first load, the bad.jpg load, and the second mainpage.pl load, you'll see that first mainpage.pl returns a cookie, which is used by bad.jpg, which returns a new cookie, which is used by the second mainpage.pl However, the CSRF token submitted with the second mainpage.pl is tied to the cookie from the first mainpage.pl load! It'll never work! The solution is to stop 404.pl from returning a 404.pl cookie. After all, 404.pl shouldn't be creating/updating a cookie. It's just supposed to return a pretty 404 document. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.