From c2fef51b3da6bc10547ce4b79b6f7fc045045358 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Thu, 1 Sep 2011 09:29:33 -0700
Subject: [PATCH] Refine error messages for CSRF exceptions

Summary: See T489. Provide slightly more detail so we can figure out if there's a real issue here.

Test Plan: Hit URIs like:

/differential/comment/preview/29/
/differential/comment/preview/29/?__ajax__=1
/differential/comment/preview/29/?__csrf__=1

..and got appropriate error messages.

Reviewers: jungejason

Reviewed By: jungejason

CC: aran, jungejason

Differential Revision: 884
---
 src/aphront/request/AphrontRequest.php | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/aphront/request/AphrontRequest.php b/src/aphront/request/AphrontRequest.php
index d00efc6b60..e2a6313839 100644
--- a/src/aphront/request/AphrontRequest.php
+++ b/src/aphront/request/AphrontRequest.php
@@ -145,6 +145,22 @@ class AphrontRequest {
 $valid = $this->getUser()->validateCSRFToken($token);
 if (!$valid) {
+
+ // Add some diagnostic details so we can figure out if some CSRF issues
+ // are JS problems or people accessing Ajax URIs directly with their
+ // browsers.
+ if ($token) {
+ $token_info = "with an invalid CSRF token";
+ } else {
+ $token_info = "without a CSRF token";
+ }
+
+ if ($this->isAjax()) {
+ $more_info = "(This was an Ajax request, {$token_info}.)";
+ } else {
+ $more_info = "(This was a web request, {$token_info}.)";
+ }
+
 // This should only be able to happen if you load a form, pull your
 // internet for 6 hours, and then reconnect and immediately submit,
 // but give the user some indication of what happened since the workflow
@@ -155,7 +171,8 @@ class AphrontRequest {
 "certain type of login hijacking attack. However, the token can ".
 "become invalid if you leave a page open for more than six hours ".
 "without a connection to the internet. To fix this problem: reload ".
- "the page, and then resubmit it.");
+ "the page, and then resubmit it.\n\n".
+ $more_info);
 }
 return true;
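Review bot: The `$more_info` appended to the exception text on the new `+ $more_info);` line only ever reaches the end user, so the diagnostic the Summary is after (telling JS problems apart from direct hits on Ajax URIs) is not recorded anywhere a maintainer can query it unless a user pastes the message back; consider also writing the same Ajax/token-state detail to the server-side log at the point the exception is thrown, since the surrounding method begins before this hunk. In the preceding hunk, `if ($token)` is a truthiness test, so a token value such as `"0"` would be reported as "without a CSRF token" even though `validateCSRFToken` rejected a present value; `if ($token !== null && $token !== '') {` states the intended presence check, subject to how `$token` is read above the hunk. The added text is composed only of fixed strings, so nothing request-controlled is echoed back to the client.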