[MAGNOLIA-8233] Improve user experience on failing CSRF token check
| Created: 19/Nov/21 | Updated: 07/Jul/22 | Resolved: 23/Mar/22 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | core |
| Affects Version/s: | None |
| Fix Version/s: | 6.2.18 |
| Type: | Improvement | Priority: | Neutral |
| Reporter: | Michael Duerig | Assignee: | Michael Duerig |
| Resolution: | Done | Votes: | 0 |
| Labels: | artt, csrf, foundation_team | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Acceptance criteria: |
Empty
|
| Task DoD: |
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)
|
| Description |
|
Currently the user is presented with a bleak Tomcat error message when a CSRF token check fails:
Instead of this we could offer the users a link for retrying the request (like Jira does) or forward to the login page.
|
| Comments |
| Comment by Michael Duerig [ 09/Dec/21 ] |
|
Quickly discussed with avongunten today: the current CSRF error page is ugly and scary and we should replace it with something more user friendly. Anja will come up with a suggestion for improving. |
| Comment by Anja von Gunten [ 13/Dec/21 ] |
|
This is a first draft. Waiting for final illustration.
|
| Comment by Michael Duerig [ 28/Feb/22 ] |
|
Looking at the implementation options for this ticket I realised that we need to better define and agree on the scope. The discussions on the PR already show that there are conflicting requirements we need to find an agreement for. (E.g. standard way of configuring error pages via web.xml vs. error pages editable in pages app). Below is a list of implementation options from simplest and least feature rich to most complex and feature rich.
Web.xml: Configure error page via the error-page element in web.xml.
Static resource: Render a static resource (e.g. using SimpleFreeMarkerHelper). See my initial attempt.
Add error pages rendering capabilities: Implement a way for the filter to render an error page using the site renderer.
|
| Comment by Michael Duerig [ 21/Mar/22 ] |
|
When discussing the broader topic in the architecture group, we decided to solve this ticket by adding a static error page for the 403 HTTP status and configuring it in the web.xml. The error page looks similar to the 404 page for now. Filed this follow-up ticket for polishing: MAGNOLIA-8353
|