POST forms and back buttons don't mix

Description

Since we got the CSRF protection recently, I'm getting lots of reports of "errors" which are actually the CSRF doing exactly what it should. An example is from a tweet that Chris pointed out to me:

"#joindin throwing lots of "Request was invalid. Tokens did not match." messages today and yesterday. Anyone else having problems? #lsp12"

Things that make this seem like a problem:

  • forms are POST for no clear reason. They should be POST if they do potentially harmful stuff like change data, or GET if they are safe (the search box is a great example, this should be GET)

  • we only support one CSRF token being stored at a time - so as soon as you have two windows open in joind.in, only the one that you loaded most recently will work.

Comments, patches and other wisdom all gratefully received
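An added example, not joind.in's own code: a Python model of the two token-storage strategies behind the second bullet (one stored token per session versus a bounded set of recent tokens), plus the method-based rule from the first bullet. Class names, the token limit and the single-use behaviour are assumptions.

```python
import secrets
from collections import OrderedDict

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only requests need no token


class SingleTokenStore:
    """Models the reported behaviour: one token per session, so loading a
    form in a second window overwrites (invalidates) the first window's token."""
    def __init__(self):
        self.token = None

    def issue(self):
        self.token = secrets.token_hex(16)
        return self.token

    def validate(self, submitted):
        return self.token is not None and secrets.compare_digest(self.token, submitted)


class MultiTokenStore:
    """Hypothetical fix: keep a bounded, ordered set of recently issued tokens
    so several open windows each hold a valid one. Tokens are single-use."""
    def __init__(self, max_tokens=10):
        self.max_tokens = max_tokens
        self.tokens = OrderedDict()  # insertion order == age

    def issue(self):
        token = secrets.token_hex(16)
        self.tokens[token] = True
        while len(self.tokens) > self.max_tokens:
            self.tokens.popitem(last=False)  # evict the oldest token
        return token

    def validate(self, submitted):
        for token in self.tokens:
            if secrets.compare_digest(token, submitted):
                del self.tokens[token]  # consume it, then stop iterating
                return True
        return False


def check_request(store, method, submitted):
    """Safe methods (e.g. the search box as GET) pass without a token;
    state-changing methods must carry a token the store still accepts."""
    if method.upper() in SAFE_METHODS:
        return True
    return submitted is not None and store.validate(submitted)


def two_windows(store):
    """Replay the report: load a form in window A, then in window B, then
    submit A's form and B's form. Returns (a_accepted, b_accepted)."""
    token_a = store.issue()
    token_b = store.issue()
    return store.validate(token_a), store.validate(token_b)
```

With `SingleTokenStore`, `two_windows` returns `(False, True)`: the first window's submission is the "Tokens did not match" error from the tweet; with `MultiTokenStore` both submissions are accepted.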

Assignee

Unassigned

Reporter

Lorna Mitchell

Labels

Priority

Critical