Refine error messages for CSRF exceptions

Summary: See T489. Provide slightly more detail so we can figure out if there's a real issue here. Test Plan: Hit URIs like: /differential/comment/preview/29/ /differential/comment/preview/29/?__ajax__=1 /differential/comment/preview/29/?__csrf__=1 ..and got appropriate error messages. Reviewers: jungejason Reviewed By: jungejason CC: aran, jungejason Differential Revision: 884
2024-12-19 12:00:55 +01:00 · 2011-09-01 09:29:33 -07:00 · 2011-09-01 09:29:33 -07:00 · c2fef51b3d
commit c2fef51b3d
parent 83f1140785
1 changed files with 18 additions and 1 deletions
--- a/src/aphront/request/AphrontRequest.php
+++ b/src/aphront/request/AphrontRequest.php
@ -145,6 +145,22 @@ class AphrontRequest {

    $valid = $this->getUser()->validateCSRFToken($token);
    if (!$valid) {
+
+      // Add some diagnostic details so we can figure out if some CSRF issues
+      // are JS problems or people accessing Ajax URIs directly with their
+      // browsers.
+      if ($token) {
+        $token_info = "with an invalid CSRF token";
+      } else {
+        $token_info = "without a CSRF token";
+      }
+
+      if ($this->isAjax()) {
+        $more_info = "(This was an Ajax request, {$token_info}.)";
+      } else {
+        $more_info = "(This was a web request, {$token_info}.)";
+      }
+
      // This should only be able to happen if you load a form, pull your
      // internet for 6 hours, and then reconnect and immediately submit,
      // but give the user some indication of what happened since the workflow
@ -155,7 +171,8 @@ class AphrontRequest {
        "certain type of login hijacking attack. However, the token can ".
        "become invalid if you leave a page open for more than six hours ".
        "without a connection to the internet. To fix this problem: reload ".
-        "the page, and then resubmit it.");
+        "the page, and then resubmit it.\n\n".
+        $more_info);
    }

    return true;