Item9635: Registration triggers CSRF warning message when password too short
Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component:
Branches:
Registration triggers CSRF warning message when password too short
Register a new user
Use a password shorter than the minimum. Default is 7 chars. Try with 6.
Fail.
Then try a 7 or 8 char password.
Note that the CSRF protection pops up. For a newbie user this is very confusing.
--
KennethLavrsen - 07 Sep 2010
User experience could greatly be enhanced with immediate form feedback. There is probably a jQuery plugin for that.
Although we need to fix the CSRF flow, with form validation many users would never visit an oops page anymore.
--
ArthurClemens - 07 Sep 2010
I will lower this to normal.
--
KennethLavrsen - 11 Sep 2010
The more I see these issues with CSRF warnings the more I think we would have an OK security level and a much better UI experience by shipping {Validation}{ExpireKeyOnUse} = 0.
We leave plenty of unexpired keys behind when we look at topics with forms and do not submit. The only additional security loss is that you can eavesdrop on a client/server communication and reuse an unexpired key. But that is not the likely scenario. I do not say we should remove the feature, but perhaps SHIP with this setting off but still with strikeone enabled. It also solves many other normal use cases, and I personally run with this off because the back button is a daily used browser feature and the users hate to see the CSRF screen.
I will argue that {Validation}{ExpireKeyOnUse} = 1 is more insecure.
When users are exposed to the CSRF warning daily for innocent reasons they will just hammer OK the day they are victims of a real CSRF attack. When you cry "wolf" all the time the sheep stop being alert.
If we can agree on {Validation}{ExpireKeyOnUse} = 0 this issue becomes unimportant in my view.
It is a bad idea to remove CSRF strikeone from registration. This is an excellent protection against simple registration bots, similar to but better than the one BlackListPlugin had (I removed it when I added CSRF protection to registration and reset password). So please do not fix this bug by removing the CSRF/Strikeone check for registration!
--
KennethLavrsen - 07 Sep 2010
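A small model of the trade-off discussed in the comment above, added here as an illustration; it is not Foswiki's Validation code, and the class and function names (ValidationKeys, register, walk_through) are made up for this example. It replays the reported sequence (form rendered once, 6-character password rejected, Back button, resubmit with 8 characters) under both settings of the expire-on-use switch, and also shows the cost of the relaxed setting: a key captured from the wire stays usable until its TTL runs out.

```python
import secrets

MIN_PASSWORD_LEN = 7  # the default minimum mentioned in the report


class ValidationKeys:
    """Issues one validation key per rendered form and checks it on submit.

    expire_on_use=True  : a key is good for exactly one submission
                          (the behaviour of {Validation}{ExpireKeyOnUse} = 1).
    expire_on_use=False : a key stays valid until its TTL runs out, so a
                          resubmitted form (Back button) is still accepted,
                          but so is a replay of a captured key.
    Constructed model, not the real implementation.
    """

    def __init__(self, expire_on_use, ttl=3600):
        self.expire_on_use = expire_on_use
        self.ttl = ttl
        self._live = {}  # key -> expiry time (seconds)

    def issue(self, now):
        key = secrets.token_hex(16)
        self._live[key] = now + self.ttl
        return key

    def check(self, key, now):
        expiry = self._live.get(key)
        if expiry is None or now > expiry:
            self._live.pop(key, None)
            return False
        if self.expire_on_use:
            del self._live[key]  # one-shot: consumed even if the form later fails
        return True


def register(keys, key, password, now):
    """Hypothetical registration handler. Order matters: the key is checked
    before the password, which is why a too-short password consumes a
    one-shot key and the corrected resubmit then hits the CSRF warning."""
    if not keys.check(key, now):
        return "csrf_warning"
    if len(password) < MIN_PASSWORD_LEN:
        return "password_too_short"
    return "registered"


def walk_through(expire_on_use):
    """Replay the reported sequence; returns the outcome of each step."""
    keys = ValidationKeys(expire_on_use)
    t = 1_000_000.0
    key = keys.issue(t)                                 # form rendered once
    first = register(keys, key, "abcdef", t + 5)        # 6 chars: rejected
    # user presses Back and resubmits the same form (same key) with 8 chars
    second = register(keys, key, "abcdefgh", t + 20)
    # the same key, captured earlier, submitted again later (the loss the
    # comment accepts when expire-on-use is off)
    replay = register(keys, key, "attacker1", t + 60)
    return {"first": first, "second": second, "replay": replay}


if __name__ == "__main__":
    for flag in (True, False):
        print(f"expire_on_use={flag}: {walk_through(flag)}")
```

With expire_on_use=True the second (corrected) submission returns csrf_warning, which is exactly the confusing screen in the report; with expire_on_use=False it registers, and so does the later replay. A TTL still bounds the replay window either way, which is the residual protection the comment relies on.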
Instead of showing an oops page (with funny url: Main/WebHome), wouldn't it be possible to show the registration page itself with the error message at the top? Then no one needs to hit the back button, and no CSRF warning would be displayed.
Register.pm would need to call a different template, and the registration page would need to contain an area for error messages.
--
ArthurClemens - 08 Sep 2010
With the inline validation (javascript enabled) this should not happen anymore.
--
ArthurClemens - 13 Mar 2011