Customer Login fails - session timeout affecting login page
Summary of issue:
Trying to login (customer login) after a good amount of time has passed, will fail, refresh the screen, and make the user login again. No error message or anything. Seemingly the timeout will affect the login screen.
Actual Result:
When logging in after being away, the user is forced to login at least a second time without an error or any issue.
Expected Result:
Customer should never have to enter their credentials twice or fail to login. There shouldn't be a timeout on the login page.
Steps:
- Goto the login page
- Wait the timeout period 10 or 15 minutes
- Try to login
- Page is refreshed, no error
- Try to login
- Everything is fine
his is a security feature. Essentially, there is a CSRF token in the form that is generated on page load. These tokens expire after a certain amount of time. So when the form is submitted with an invalid (expired) CSRF token, the page essentially refreshes and generates a new CSRF token and allows the user to login. This token exchange is handled at the spring security level if I recall correctly and so there is no good way to message to the user what has happened (and most users won't understand what you are trying to explain anyway).
While I understand that the behavior can be confusing to a customer, it is strongly recommended that you keep this feature. It makes any potential attack at least slightly more complicated as a user cannot simply brute force post against the login endpoint, they actually have to request a page and get the token, which also serves to slow any potential attack down.
Comments
Post a Comment