Multi tab login issue: the request was rejected to protect you from Cross-Site-Request-Forgery

[LeonidChistov]

Hello.

We have an application built on top of Kratos SPA flows.

When a non-logged in user opens application, we request new login flow from Kratos and show user the login form.

If two application browser tabs are opened (in the same browser) for a non-logged in user, and then we login and logout in the first tab, and after that, try to login in the second tab, CSRF protection error occurs:

{"error":{"id":"security_csrf_violation","code":403,"status":"Forbidden","reason":"The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.","details":{"docs":"https://www.ory.sh/kratos/docs/debug/csrf","hint":"The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).","reject_reason":"The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."},"message":"the request was rejected to protect you from Cross-Site-Request-Forgery"}}

It can be suspected that flow and/or CSRF token associated with the second tab is invalidated after logout from the first tab.

Is this an expected behavior?

Probably in case of SPA flows we shall better request login flow and send login credentials in the same time - after user enters login/password to the form (and avoid requesting login flow in advance to avoid invalidation)?

[aeneasr]

Using multiple tabs should not be a problem unless the browser has some plugin installed for tab isolation (eg FireFox containers) or is in incognito mode!

[LeonidChistov]

@aeneasr

I continue to have trouble with this case. Let me try to describe my hypothesis about what happens and I appreciate if you tell me if it does make any sense or not.

• User opens first tab and gets CSRF cookie and gets new login flow with id 1234 and CSRF token to send in payload body
• User opens second tab (cookies are not affected) and gets new login flow with id 5678 and new CSRF token to send in payload body
• User logins and logouts in the first tab, CSRF cookie is changed (twice)
• User tries to login in the second tab, but he uses CSRF token which was issued against old CSRF cookie and does not match new CSRF cookie, so he gets CSRF protection error.

[aeneasr]

I see, this is intended behavior. On logout, the so-called "principal" changes, meaning the user in front of the system. So we need to update the CSRF token. If the user loaded the login form before doing the logout, the request will fail and the user has to redo the flow. There's unfortunately no solution to this, but it should be an edge case!

[LeonidChistov]

Thanks! But do I understand correctly that this problem won't be present if we will delay requesting login flow and CSRF token until user enters login and password to the form?
I mean that with such change we will never have a stalled CSRF token in our hands.

[aeneasr]

Thanks! But do I understand correctly that this problem won't be present if we will delay requesting login flow and CSRF token until user enters login and password to the form?

I believe that to be correct. The expected CSRF token is set when you call the init endpoint. When you call that init endpoint is pretty much up to you and it could be part of the submit action.

For more info, see here: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#login-csrf