You are reading a single comment by @Velocio and its replies.
  • @Velocio sent you an email, but I keep getting this error message this morning. When I open up conversations, it started with the forum asking me to log in even though I leave myself logged on on this computer; I did so. Nothing happened, and then I hit back to the following page I'd left it on yesterday, did a bit of reading, then got the error message again. It keeps happening randomly since.

    Using Chrome Version 37.0.2062.124 m on a Windows 7 PC.

  • CSRF verification... let me explain.

    There is a big security risk that if someone (any middle-man, the owner of an internet cafe, whomever...) could record your internet traffic, then they could replay those web requests (with your cookies, auth, etc) and they would be you.

    To avoid this, sites need some way of saying "I know that this is cornelius". That happens when you sign-in... but how to prevent someone else from claiming that on every subsequent page?

    So web-sites now say a mantra, for every page they say "I know that this is cornelius", and to prevent anyone else from saying that they add a bit "and to prove it the secret is phlibble", and on the next page it might say "and to prove it the secret is flibble".

    Every page that is requested has a secret embedded on it, that only the real cornelius would know. And as soon as the secret is echoed back to the server, the secret is rendered useless and the next page gets a new secret.

    CSRF = a secret on every page, that only you could know, and that can only be used once.

    By hitting the back button on any action that submits a form (sign-in, post a comment, etc) you attempt to supply a secret that has been used in the past. The browser is submitting an old version of the page.

    But we can see that this whole security thing is precisely to prevent anyone from replaying history. So it fails.

    The solution is to use F5 (refresh), or to go forward and repeat your action that way. But going back in history to a point where a form was submitted... that will always fail as the secrets won't match.
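    The "secret on every page, usable once" scheme the reply describes, as an added example that is not the forum's own code: a per-session token store that mints a fresh secret for each rendered page and burns it on first use, so a back-button resubmission of the old page is rejected while a refreshed page (new secret) is accepted. Session ids and the `back_button_scenario` walkthrough are constructed for illustration.

```python
import hmac
import secrets


class CsrfTokenStore:
    """Per-session store of one-time page secrets.

    Each rendered page gets a fresh secret; the first echo of that secret
    consumes it, so resubmitting the same page (e.g. via the back button)
    fails because the secret no longer matches anything the server holds.
    """

    def __init__(self) -> None:
        # session id -> set of currently valid (not yet used) secrets
        self._valid: dict[str, set[str]] = {}

    def issue(self, session_id: str) -> str:
        """Mint a new secret for the page being rendered for this session."""
        token = secrets.token_urlsafe(32)
        self._valid.setdefault(session_id, set()).add(token)
        return token

    def verify(self, session_id: str, submitted: str) -> bool:
        """Consume the secret if it is valid for this session; else reject."""
        tokens = self._valid.get(session_id, set())
        # constant-time comparison so token checks do not leak via timing
        match = next((t for t in tokens if hmac.compare_digest(t, submitted)), None)
        if match is None:
            return False
        tokens.discard(match)  # single use: the same page cannot be replayed
        return True


def back_button_scenario() -> tuple[bool, bool, bool, bool]:
    """Walk through the situations in the reply (constructed session ids)."""
    store = CsrfTokenStore()
    sid = "session-cornelius"

    page1 = store.issue(sid)              # page rendered with secret "phlibble"
    first = store.verify(sid, page1)      # form submitted normally: accepted

    replay = store.verify(sid, page1)     # back button resubmits old page: rejected

    page2 = store.issue(sid)              # F5 / going forward: fresh page, "flibble"
    after_refresh = store.verify(sid, page2)

    other = store.issue("session-other")  # a secret issued to another session
    cross = store.verify(sid, other)      # is useless for this one
    return first, replay, after_refresh, cross
```

The only cure for the stale secret is to load a new page, which is exactly the refresh-or-go-forward advice above.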
