Describe the bug
If someone tries to check out on events for the first time without logging in (i.e. as an anonymous user), they encounter an "Owl no" page. However, when pressing the back button to return to the tickets page and trying to check out again, they are able to perform the checkout. Deeper investigation shows that when attempting the checkout there is no XSRF token set; when the error page is shown, the token gets generated and set, after which the checkout is able to succeed.
To Reproduce
Steps to reproduce the behavior:
1. Open up a fresh browser, or incognito mode.
2. Go to wisv.ch/events and add a ticket to checkout (for example the membership).
3. Accept the terms and conditions and go to checkout.
4. After getting an "Owl no" page, move one page back with the back button.
5. Attempt the checkout again, which will be successful.
Expected behavior
The user should be able to check out anyway, or, if logging in is required, be redirected to a login page instead of an error.
Spring Boot apparently only sets the XSRF-TOKEN on requests that modify the state of the server (i.e. not on GET); see section 3 in https://www.baeldung.com/spring-security-csrf
This means that an unauthenticated user who has not yet visited the site or ordered something will not have an XSRF-TOKEN yet. When they go to checkout they will make their first POST request, which will set their XSRF-TOKEN. However, this request will also be rejected with a 403 because they do not have a valid token yet and the endpoint is protected. If they try again, though, it will succeed, as they now have a valid token.
I think the /checkout POST endpoint should not be protected with CSRF, as it leads to these current issues; additionally, there is no harm done by creating a checkout, as it does not harm users (no money gets stolen, nor (personal) details).