Anyone else with CSRF issues in 4.0? Seems to be a very small number of Chrome users
Redman, Chad
chad_redman at unc.edu
Wed Jun 24 18:21:47 UTC 2020
We recently upgraded from 3.4.6 to 4.0.0, leaving the CSRF enabled. This seems to be working fine for the vast majority (99.5+%) of users. Most of the 0.5% failures are either screen scrapers or multiple form requests - maybe double clicking or an SP triggering multiple requests.
For a small number of users (2 tickets so far), access logs just show a normal Chrome browser accessing the form and then submitting it, but still failing. Either running in incognito mode or resetting Chrome to the default settings has been reported to fix the issue. One of the users mentioned deleting saved passwords, and we are pursuing that clue further. That's as far as we have uncovered so far.
Anyone else seeing similar issues?
Thanks,
Chad