Blank page with "Invalid csrf token."

[DuckDuckWhale]

• Gitea version (or commit ref): 1.13.0
• Git version: 2.25.1
• Operating system: Ubuntu Server 20.04
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Haven't tried
• Log gist: N/A

Description

When clicking buttons or adding comments in issues I often see a blank page saying Invalid csrf token., which I had to work around using a refresh and a re-click, which has problems such as losing text already typed up in the comments. This could be related to me using a lot of tabs.

Issues that this might be related to are:

• Invalid csrf token #4311: seems very similar, but locked so no discussion can be continued. Don't quite understand how it is closed as [Feature] detect and "logout" on old csrf token #11182 doesn't seem to be solution to this page appearing and proposes to log out instead (why though and how does it make things better?).
• Replace CRSF token with SameSite=strict #11188: proposes switching to SameSite=strict cookies instead, which seem to be able to fix this issue. Still filling this issue since this is not what a user might expect so should be better categorized as a bug than a proposal. Also, fixing this issue doesn't directly necessitate using Replace CRSF token with SameSite=strict #11188 and other fixes might be possible.

[lunny]

csrf token has an expired time. Most time it occurred because stay in an input page too long.

[lunny]

The CSRF token expired time should larger than session expired time. Then if you click the submit button, you will be redirected to a Gitea login page but not returned invalid csrf token.

[DuckDuckWhale]

That's strange... After how long does it expire? I have just encountered it again when I opened a lot of Gitea tabs and waited for only about an hour.

[lunny]

That's wired. CSRF expired time is one day.

[DuckDuckWhale]

Encountered this again (400 Bad Request with Invalid csrf token but when saving a comment, in which case after the refresh the typed up comment disappeared so it might lead to small scale data loss which is bad), I think this page lived less than a day as well.

[somera]

That's wired. CSRF expired time is one day.

Is this a new feature in 1.13.x? I didn't get it before 1.13.x.

And if it expired, why the browsing is working? I get the error only when I start import new mirror:

[lakostin]

Have the same problem.

[zeripath]

CSRF is only checked on POST so GETs will not affect it.

[lafriks]

Could it be related to token strict attribute?

[kevung]

I encounter the same problem, on version 1.13.0+rc1. I have only one Gitea tab open and the "Invalid csrf token" page appears imediately after I try to comment and review a Pull request. (for me, no need to wait an expire time to see the problem)

[JulianOrteil]

Encountering the same scenario as @kevung as well on 1.13.6 for Windows. What do you guys need from us since @CL-Jeremy says you need more information in the linked PR?

[kevung]

Hello everybody,
I migrated today to Gitea 1.14.0+rc2, and I could not reproduce the problem :) I could smoothly review pull requests. It seems to have been fixed somehow. Perhaps, it is wise to confirmation from other people using 1.14 before resolving this issue.
Thanks to the Gitea team for the amazing work.

[lunny]

v1.14 changed web framework from macaron to chi and modified the old csrf middleware. But I cannot ensure we fixed that.