Issue #2022 wontfix

Sign In 403

Anonymous created an issue

I'd like to register, but there's a 403; I tried 5 times with different form values.

Stack trace: Home => Plans & Signup => Free => Sign Up

Register form values:
Username: a-zA-Z, 10 chars
Email: valid, without umlaut
Password: a-z1-9*

I hope you can perform this.

=========================
Forbidden (403)

CSRF verification failed. Request aborted.

More information is available with DEBUG=True.

Comments (19)

  1. Thomas Johansson
    • changed status to open

    Which browser (and version) are you using?

    Do you have cookies enabled?

    Have you tried clearing your existing cookies before signing up?

    Have you tried using a different browser to see if the problem still occurs?

  2. hennejg
    • Firefox 3.6.6.
    • Yes.
    • Yes, the two cookies for bitbucket.org; however, I'm disinclined to clear all cookies.
    • Chrome works. However, I don't use it regularly. A non-working Firefox would be a non-starter for me.
  3. Thomas Johansson

    Based on http://bitbucket.org/jespern/bitbucket/issue/2020/opera-login-fail#comment-217136, it seems to be an issue for people that disable http referrers.

    Do you have referrer headers disabled? In firefox you can check by going to about:config and see if "network.http.sendRefererHeader" is set to 2 (with status "default") - If it's set to 0 (with status "user set"), you're not sending headers.

    Does setting it to 2 fix it? (remember to refresh each time you change it.)

  4. gsauthof

    I get the same error page when using firefox 3.6.8. With konqueror it works.

    First I suspected AdBlock Plus, but disabling it does not help.

    However, I have sending referrers disabled in Firefox. And I disagree with cyphex. It is a Bitbucket problem, because it should not fail in such a mysterious way if referrers are not sent. It should not fail at all in that case ...

  5. gsauthof

    It seems that other sites use referrer checking as security feature, too:

    https://answers.edge.launchpad.net/launchpad/+faq/1024

    This page mentions at least the Firefox addon RefControl which is supposed to allow for restrictions of referrer transmissions to only a few trusted sites.

    I guess one can dispute the security value of referrer checking, i.e. the problems are privacy issues and maybe faked referrers ...

  6. Thomas Johansson

    The header can't be faked as you are making a HTTPS request, and the referrer is used to verify the request came from another HTTPS page on our domain, so it is not a privacy concern.

    There is nothing to be disputed here; It is a security risk to not check the referrer when using CSRF and HTTPS together. If you don't, it's essentially no more secure than plain HTTP.

  7. Anonymous

    So users who disable the referrer header for privacy reasons can't login on bitbucket? Seems quite bad to me.

    I suggest checking that the referrer header is correct if it is sent, and skipping the referrer check if it is absent, in order to let users without a referrer log in.

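The two positions in comments 6 and 7 (strict referrer check on HTTPS versus "check it only if present") can be compared side by side. The following is an added example written for this page, not Bitbucket's or Django's code: it models the CSRF check as a double-submit token plus the Referer rule the thread describes, with the request as a plain dict and `bitbucket.org` as the assumed protected host. The "MITM" scenario is the case comment 6 is about: an attacker who can tamper with plain-HTTP traffic for the domain can plant the CSRF cookie (cookies are not scheme-scoped), so the token check alone passes; only the Referer rule stands between them and the HTTPS endpoint, and a lenient policy lets a request with no Referer through.

```python
from urllib.parse import urlsplit

# Assumed protected host for this illustration.
SITE_HOST = "bitbucket.org"


def token_ok(req):
    """Double-submit cookie check: the form value must equal the cookie value."""
    cookie = req.get("cookie_token")
    return bool(cookie) and cookie == req.get("form_token")


def referer_ok(is_https, referer, host=SITE_HOST, reject_missing=True):
    """Referer part of the CSRF check, in the shape the thread describes.

    Only enforced on HTTPS requests. The Referer must itself be an https URL
    on the same host. reject_missing=True is the strict policy that produced
    this issue; False is the relaxation proposed in comment 7.
    Returns (accepted, reason).
    """
    if not is_https:
        return True, "plain HTTP: Referer not checked"
    if not referer:
        if reject_missing:
            return False, "no Referer on HTTPS request"
        return True, "no Referer, accepted by lenient policy"
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False, "Referer is not https"
    if parts.hostname != host:
        return False, "Referer host %r is not %r" % (parts.hostname, host)
    return True, "Referer matches"


def check_request(req, reject_missing=True):
    """Full check: token first, then the Referer rule. Returns (accepted, reason)."""
    if not token_ok(req):
        return False, "CSRF token mismatch"
    return referer_ok(req["https"], req.get("referer"), reject_missing=reject_missing)


# Constructed scenarios (not captured traffic).
SCENARIOS = {
    # Normal signup from the site's own HTTPS page.
    "legit": {"https": True, "referer": "https://bitbucket.org/account/signup/",
              "cookie_token": "t1", "form_token": "t1"},
    # The reporter: Firefox with network.http.sendRefererHeader=0.
    "privacy_user": {"https": True, "referer": None,
                     "cookie_token": "t1", "form_token": "t1"},
    # Network attacker planted the cookie over HTTP, serves a page whose form
    # posts to the HTTPS endpoint; Referer arrives as http://, so scheme fails.
    "mitm_http_referer": {"https": True, "referer": "http://bitbucket.org/x",
                          "cookie_token": "evil", "form_token": "evil"},
    # Same attacker, but the page suppresses the Referer entirely
    # (e.g. <meta name="referrer" content="no-referrer">).
    "mitm_no_referer": {"https": True, "referer": None,
                        "cookie_token": "evil", "form_token": "evil"},
    # Ordinary off-path cross-site page: cannot read or set the cookie.
    "cross_site": {"https": True, "referer": "https://attacker.example/",
                   "cookie_token": "t1", "form_token": "guess"},
}


def run_all():
    """Evaluate every scenario under both policies; returns {name: (strict, lenient)}."""
    return {name: (check_request(req, True)[0], check_request(req, False)[0])
            for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (strict, lenient) in run_all().items():
        print("%-18s strict=%-5s lenient=%s" % (name, strict, lenient))
```

The output shows the trade-off exactly as the thread frames it: the strict policy rejects the privacy-conscious user and the MITM request alike, while the lenient policy admits both. Note that `mitm_http_referer` is rejected either way (scheme check), which is why an attacker who wants to exploit the lenient policy would suppress the header rather than send one.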