django_microsoft_auth

An invalid state variable was provided. Please refresh the page and try again later.

Open · acknowledgeHim opened this issue 4 years ago · 4 comments

This happens about 40-50% of the time. The rest of the time, it works. I am not using the admin login, but I call the same functions and pass the Django CSRF token correctly (at least it should be, since it works some of the time).

Do you have any example of setting up a custom login (not using /admin) and getting this to work?

Also, when others use it they have a worse fail rate (70-80% of the time), and when they finally get in, it shows my profile on the homepage, but when they click on a link it then changes to their profile.

So I have something off with my setup. Any help is appreciated.

Thanks!

Environment: Django 2.2.13, Python 3.6

acknowledgeHim avatar Jul 14 '20 06:07 acknowledgeHim

Same issue on my side, not every time but very often. Django 3.1.1, Python 3.8

patrickdassier avatar Sep 09 '20 08:09 patrickdassier

Some folks at my org are getting this too. I poked around in the code and see it's a CSRF failure (the string "An invalid state variable was provided. Please refresh the page and try again later." is defined in views.py on lines 31-32 and put in messages['bad_state'], then used on line 113 for the error message when there's a problem with the CSRF token). I noticed line 95 mentions a max age of 300 (5 minutes). So I opened up a login page, didn't sign in immediately but instead waited for 6 minutes, then tried the "Microsoft" authentication button, and repeatedly got this error until I refreshed the page (which refreshed the CSRF token used). My guess is that many folks who are having this issue are also leaving the login page open for too long. I think this issue can be alleviated by:

  • Setting a much longer max_age, like 30 minutes. For reference, WordPress' CSRF tokens ("nonces") actually last a full day.
  • Changing the error message to something simpler for users to understand, e.g. "Login failed. You probably left this web page open for too long. Please refresh the page and try again." The current message does actually make sense, but IMO only once you already know what it's trying to say; non-tech people get hung up on "invalid state", then read "try again later", so they just grumble and ask tech support.

I've made those adjustments in the above-mentioned PR.

mnelson4 avatar Nov 30 '21 04:11 mnelson4
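The mechanism mnelson4 describes (a signed, timestamped OAuth state token that is rejected once it is older than max_age) can be reproduced outside the project. The block below is an added illustration, not code from django_microsoft_auth; it stands in for Django's signing machinery with a plain HMAC so it runs without Django installed. The names make_state, verify_state, SECRET_KEY and USER_MESSAGES are invented for the example, and the secret and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed example secret; a real deployment would use Django's SECRET_KEY.
SECRET_KEY = b"example-secret-key-not-for-production"

# Friendlier wording per reason, in the spirit of the second suggestion above.
USER_MESSAGES = {
    "expired": "Login failed. You probably left this web page open for too long. "
               "Please refresh the page and try again.",
    "bad_signature": "Login failed. Please refresh the page and try again.",
    "malformed": "Login failed. Please refresh the page and try again.",
}


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_state(now: Optional[float] = None) -> str:
    """Build a random, timestamped, signed state token: nonce:timestamp:signature.

    The nonce is what the callback must later match against the value kept in the
    user's session; the timestamp is what max_age is checked against.
    """
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_urlsafe(16)  # URL-safe alphabet, never contains ':'
    payload = f"{nonce}:{ts}"
    return f"{payload}:{_sign(payload)}"


def verify_state(state: str, max_age: int = 300,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Signature is checked before age so a forged
    timestamp cannot be used to probe the expiry window."""
    try:
        nonce, ts_str, sig = state.rsplit(":", 2)
        ts = int(ts_str)
    except ValueError:
        return False, "malformed"
    payload = f"{nonce}:{ts_str}"
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "bad_signature"
    current = int(now if now is not None else time.time())
    if current - ts > max_age:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000                     # constructed clock value
    token = make_state(now=issued_at)
    six_minutes_later = issued_at + 360
    # Reproduces the report: a 6-minute-old page fails at max_age=300 ...
    ok, reason = verify_state(token, max_age=300, now=six_minutes_later)
    print(ok, reason, "->", USER_MESSAGES.get(reason, ""))
    # ... and succeeds with the proposed 30-minute window.
    print(verify_state(token, max_age=1800, now=six_minutes_later))
```

Lengthening max_age only widens the window in which an unexpired state can be replayed, so the nonce should still be compared against the copy stored in the session on the callback; the age check and the signature check are what make the token useless once it is old or tampered with.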

I think you made the PR to the wrong location... It is from your fork to your fork. I think you meant to make a PR back to the main repo.

AngellusMortis avatar Nov 30 '21 15:11 AngellusMortis

😩 Oops! Fixed.

mnelson4 avatar Nov 30 '21 16:11 mnelson4