Hi,
On Wed, Jun 29, 2016 at 7:47 AM, Atanas Beloborodov <nask0(a)cod3r.net> wrote:
Hi there,
I just noticed that, after logging in to FAS, there is an "I am a human" button
for the CSRF check.
It's all good, but clicking the button makes a POST request to
(admin.fedoraproject.org/accounts/login?_csrf_token=<token>), which returns
302 Found and redirects to the same URL (GET request), which returns 403
Forbidden.
It seems that the navigation "knows" that I am logged in, but the content part does
not :)
See the attached screenshot and log for more info, since it's early morning and
I am not providing a good explanation.
I wonder if you've seen this happen more often.
My current theory is that you were caught in between the expiry of your session:
when it generated the page with the "I am human" button you were near the end of
your session, but it was just visible, and when you clicked it, it had just
expired.
If you see this more often, please do let me know and I can look further.
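To make the theory above concrete, here is a small Python simulation added for this page (it is not FAS code and not from either participant). It models a server-side session that carries its own CSRF token, so the token dies with the session, and replays the reported sequence (render button, POST, follow the 302) against a controllable clock. The session lifetime, the 0.2 s redirect delay and the user name are assumed values chosen for the simulation; the status codes follow the ones reported in the thread.

```python
import secrets

SESSION_TTL = 60.0  # assumed lifetime for the simulation; the thread does not give FAS's real value


class FakeClock:
    """Controllable clock so the expiry race can be reproduced deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Server-side sessions; the CSRF token lives inside the session, so it dies with it."""

    def __init__(self, clock):
        self.clock = clock
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {
            "user": user,
            "expires": self.clock() + SESSION_TTL,
            "csrf": secrets.token_urlsafe(16),
            "human": False,
        }
        return sid

    def get(self, sid):
        s = self.sessions.get(sid)
        if s is not None and self.clock() >= s["expires"]:
            del self.sessions[sid]  # expired: treated exactly like having no session
            s = None
        return s


def get_login_page(store, sid):
    """GET /accounts/login: 403 without a live session, otherwise the button or the account page."""
    s = store.get(sid)
    if s is None:
        return 403, None, None
    if s["human"]:
        return 200, "account", None
    return 200, "human-check", s["csrf"]


def post_human_check(store, sid, token):
    """POST /accounts/login?_csrf_token=...: verify the token, then 302 back to the same URL."""
    s = store.get(sid)
    if s is None or not secrets.compare_digest(s["csrf"], token):
        return 403, None
    s["human"] = True
    return 302, "/accounts/login"


def walk_through(render_at, click_at, redirect_delay=0.2):
    """Replay the reported sequence: render the button at render_at seconds after login,
    click it at click_at, then follow the 302. Returns the (method, status) pairs seen."""
    clock = FakeClock()
    store = SessionStore(clock)
    sid = store.login("someone")  # assumed user name

    clock.advance(render_at)
    status, view, token = get_login_page(store, sid)
    trace = [("GET", status)]
    if view != "human-check":
        return trace

    clock.advance(click_at - render_at)
    status, location = post_human_check(store, sid, token)
    trace.append(("POST", status))
    if status == 302:
        clock.advance(redirect_delay)  # the browser takes a moment to follow the redirect
        status, _, _ = get_login_page(store, sid)
        trace.append(("GET", status))
    return trace


if __name__ == "__main__":
    print("healthy:        ", walk_through(1, 2))
    print("expiry in race: ", walk_through(59, 59.9))
    print("expired before: ", walk_through(59, 61))
```

The middle case is the one reported: the POST still sees a live session and answers 302, but by the time the browser follows the redirect the session is gone and the GET answers 403. If the session had expired a little earlier, the POST itself would have been the 403, which is the easier case to spot.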