I have seen many examples in the past where it was done like here, i.e. where your form data simply gets thrown away, potentially leaving you with day(s)' worth of work lost in the void. I mean, who hasn't written some elaborate answer on some forum only to get redirected to the login page when pressing send?
However, my problem isn't even really with the fact that the form data gets lost, but more with the fact that I cannot make a proper distinction. Currently, when the token has run out, all the user sees is the form refreshing and no indication of whether it was sent successfully or failed. So you not only lose all your form data, but you can't really tell whether it was an error or not.
This can be worked around by running a check on:
- Was there a POST request?
- Was the form NOT successful?
- Was there no error generated?
My point is, when the CSRF check fails, then there should be an error that I can properly handle in my code and I shouldn’t have to depend on vague checks.
In my mind the contract/assert should be that if
success() returns false, then
count(errors()) must be
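An added illustration (not code from this thread or from the framework being discussed) of the contract argued for above: a failed or expired CSRF check is recorded as an explicit error, so for any submitted form `success()` returning false implies a non-empty `errors()`, and the posted values are kept for re-rendering. The token format, the TTL, the secret and the field names are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Optional

TOKEN_TTL = 3600  # seconds a CSRF token stays valid (assumed value)


def issue_token(secret: bytes, now: float) -> str:
    """Mint a token of the form <issued-at>.<hmac>; the HMAC binds the timestamp."""
    issued = str(int(now))
    mac = hmac.new(secret, issued.encode(), hashlib.sha256).hexdigest()
    return f"{issued}.{mac}"


def token_error(secret: bytes, token: str, now: float) -> Optional[str]:
    """Return the reason a token is rejected, or None if it is valid."""
    try:
        issued, mac = token.split(".", 1)
        issued_at = int(issued)
    except ValueError:
        return "CSRF token missing or malformed"
    expected = hmac.new(secret, issued.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return "CSRF token invalid"
    if now - issued_at > TOKEN_TTL:
        return "CSRF token expired; please resubmit"
    return None


class Form:
    """Minimal form: post=None means the page was only rendered, not submitted."""

    def __init__(self, secret: bytes, post: Optional[dict], now: float):
        self.values = dict(post or {})      # kept so the view can re-fill the fields
        self._errors = []
        self._submitted = post is not None
        if self._submitted:
            err = token_error(secret, self.values.pop("_token", ""), now)
            if err:
                self._errors.append(err)    # CSRF failure is a handleable error
            elif not self.values.get("body", "").strip():
                self._errors.append("body must not be empty")

    def is_submitted(self) -> bool:
        return self._submitted

    def success(self) -> bool:
        return self._submitted and not self._errors

    def errors(self) -> list:
        return self._errors
```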