Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

'REMEMBER_COOKIE_HTTPONLY' causes "The CSRF tokens do not match" on mobile Firefox #521

Open
Lvl4Sword opened this issue May 23, 2022 · 1 comment
Open

'REMEMBER_COOKIE_HTTPONLY' causes "The CSRF tokens do not match" on mobile Firefox #521

Lvl4Sword opened this issue May 23, 2022 · 1 comment
Labels
csrf

Comments

@Lvl4Sword
Copy link

Lvl4Sword commented May 23, 2022
edited
Loading

I've noticed that when enabling 'REMEMBER_COOKIE_HTTPONLY' within the config dict, it causes "The CSRF tokens do not match" in a POST request specifically for mobile Firefox. Non-mobile works just fine, as does Chromium. Those appear to also be affected.

  1. Set 'REMEMBER_COOKIE_HTTPONLY' within the config dict
  2. Go to a page that has a CSRF token and do a post request
  3. It fails with a "The CSRF tokens do not match"

The POST request should complete just fine

Environment:

  • Python version: 3.8.10
  • Flask-WTF version: 1.0.1
  • Flask version: 2.1.2
@azmeuk azmeuk added the csrf label Jul 25, 2023
@DarkRedman
Copy link

DarkRedman commented Oct 22, 2023
edited
Loading

I've a similar issue when enabling 'SESSION_COOKIE_SECURE' (even if using http) from a client in the LAN, but working from localhost client)

Environment:

Python version: 3.11.15
Flask-WTF version: 1.1.1
Flask version: 2.3.3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
csrf
Milestone
No milestone
Development

No branches or pull requests
3 participants
@azmeuk @DarkRedman @Lvl4Sword