[MAGNOLIA-8233] Improve user experience on failing CSRF token check Created: 19/Nov/21  Updated: 07/Jul/22  Resolved: 23/Mar/22

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: None
Fix Version/s: 6.2.18

Type: Improvement Priority: Neutral
Reporter: Michael Duerig Assignee: Michael Duerig
Resolution: Done Votes: 0
Labels: artt, csrf, foundation_team
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File Illustration_003-session-expired.svg     PNG File Screenshot 2021-11-22 at 10.44.12.png     PNG File Screenshot 2021-12-15 at 10.59.11.png     PNG File Screenshot 2022-03-17 at 16.23.07.png     PNG File image-2021-11-19-15-04-13-449.png    
Issue Links:
Issue split
split to MAGNOLIA-8353 Properly design the HTTP 403 error sc... Open
Relates
relation
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Date of First Response:

 Description   

Currently the user is presented with a bleak Tomcat error message when a CSRF token check fails:

Instead of this we could offer the users a link for retrying the request (like Jira does) or forward to the login page.

 Comments   
Comment by Michael Duerig [ 09/Dec/21 ]

Quickly discussed with avongunten  today: the current CSRF error page is ugly and scary and we should replace it with something more user friendly. Anja will come up with a suggestion for improving.

Comment by Anja von Gunten [ 13/Dec/21 ]

This is a first draft. Waiting for final illustration.

Comment by Michael Duerig [ 28/Feb/22 ]

Looking at the implementation options for this ticket I realised that we need to better define and agree on the scope. The discussions on the PR already show that there are conflicting requirements we need to find an agreement for (e.g. the standard way of configuring error pages via web.xml vs. error pages editable in the pages app). Below is a list of implementation options from the simplest and least feature-rich to the most complex and feature-rich.

Web.xml

Configure error page via the error-page element in web.xml.

  • The custom error page would apply to all 403 errors, not only those from CSRF token errors
  • No way to add a retry link back to original page
  • Error pages not editable in pages app
  • Configuration requires fiddling with the web container configuration outside of Magnolia
  • All sites in Multi-Site deployments share the same error pages

Static resource

Render a static resource (e.g. using SimpleFreeMarkerHelper). See my initial attempt.

  • Error page not editable in pages app
  • Ability to inject retry link via templating
  • Does not use the site renderer, just the hard coded FreeMarker renderer
  • Not properly dispatched, just one error page configured in the CSRF related filters
  • All sites in Multi-Site deployments share the same error page

Add error pages rendering capabilities

Implement a way for the filter to render an error page using the site renderer.

  • Error page editable in pages app
  • Ability to inject retry link via templating
  • Full request dispatching. Works with Multi-Site
  • Needs a way to resolve the workspace (duplicating functionality from RepositoryMappingFilter)
  • Needs a way to resolve the template (duplicating functionality from AggregatorFilter)
  • Alternatively add some error info to the aggregation state and let a downstream filter (RenderingFilter or a new ErrorFilter) do the rendering.
Comment by Michael Duerig [ 21/Mar/22 ]

When discussing the broader topic in the architecture group, we decided to solve this ticket by adding a static error page for the 403 HTTP status and configuring it in the web.xml.

Error page looks similar to the 404 page for now. Filed this follow up ticket for polishing: MAGNOLIA-8353
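The two response styles the thread weighs, as an added Java example that is not Magnolia's own code: the "Web.xml" option, where the filter hands the 403 to the container so that the error-page mapping applies, and the "Static resource" option, where the filter renders the page itself and injects a retry link. It assumes the javax.servlet API; the class name, the method names and the /error-403.html location are placeholders chosen for the example. The practitioner's point it demonstrates: the web.xml mapping is only consulted when the filter calls sendError(), and a retry link must be a plain GET of the page the user was on, derived from the request the container parsed, never a replay of the rejected request or a target taken from a header or parameter.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example (not Magnolia code): two ways a CSRF filter can answer a
 * failed token check, matching the "Web.xml" and "Static resource" options.
 */
public final class CsrfFailureResponder {

    private CsrfFailureResponder() {
    }

    /*
     * "Web.xml" option. sendError() is what makes the container consult the
     * error-page mappings, e.g. (location path is an assumption):
     *
     *   <error-page>
     *     <error-code>403</error-code>
     *     <location>/error-403.html</location>
     *   </error-page>
     *
     * Calling setStatus(403) and writing a body yourself does NOT trigger that
     * mapping, so a filter written that way silently bypasses the configured page.
     */
    public static void failViaContainer(HttpServletResponse response) throws IOException {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token check failed");
    }

    /*
     * "Static resource" option: the filter renders the page itself and adds a
     * retry link. The link is a plain GET of the page the user was on; it must
     * never replay the rejected (state-changing) request, or the error page
     * becomes a one-click CSRF bypass.
     */
    public static void failWithRetryPage(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String retry = retryTarget(request.getRequestURI(), request.getQueryString(),
                request.getContextPath());
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        PrintWriter out = response.getWriter();
        out.println("<!DOCTYPE html><html><head><title>Request rejected</title></head><body>");
        out.println("<h1>Your session has expired or the request could not be verified</h1>");
        out.println("<p><a href=\"" + escapeHtml(retry) + "\">Reload the page and try again</a></p>");
        out.println("</body></html>");
        out.flush();
    }

    /*
     * Builds the retry target from the request the container already parsed, so
     * nothing attacker-controlled (a Referer header, a returnTo parameter) chooses
     * where the link points. The result is always a site-relative path, which
     * rules out sending the user to another host ("//evil.example", "https://...").
     */
    static String retryTarget(String requestUri, String queryString, String contextPath) {
        String home = (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath + "/";
        if (requestUri == null || !requestUri.startsWith("/") || requestUri.startsWith("//")
                || hasControlChars(requestUri)) {
            return home;
        }
        if (queryString == null || queryString.isEmpty() || hasControlChars(queryString)) {
            return requestUri;
        }
        return requestUri + "?" + queryString;
    }

    private static boolean hasControlChars(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return true;
            }
        }
        return false;
    }

    /* Minimal HTML escaping for the one value interpolated into the page. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

With the decision taken on 21/Mar/22 (static page configured in web.xml), the filter has to take the failViaContainer path; the page then applies to every 403 the container sees, as the "Web.xml" option's first bullet notes. failWithRetryPage shows what the "Static resource" option would have to get right if the retry link is ever added: same-origin path only, HTML-escaped, and a GET rather than a resubmission.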


Generated at Mon Feb 12 04:30:51 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.