Connect to Enoria
terminated
Simon MATHIEU
On the login page, after entering your identifiers, it often happens that the indication “Invalid CSRF token” appears. And even systematically at the first connection on a smartphone. The “Remember Me” feature doesn't seem to work very often.
These connection problems make using the app very cumbersome when you want to consult a contact or quickly change contact details for example...
Élodie Massa marked this post as terminated
Élodie Massa marked this post as Under study
Deborah DESCAS
I actually have the same problem. I understand the security issue but I have not encountered this message in consumer apps that are just as secure.
Fidei DONUM
Note: when the “CSRF token” label appears after entering the ID and the password, you should not press “login”, it is done automatically...
Anja BLANLOEIL
Very interested in a solution! Indeed very painful...
P. Raphaël Cournault
Simon MATHIEU: Thank you for your feedback, however, you should specify what you want in your request.
Avoid the message Invalid token? or does the connection persist on a smartphone?
Simon MATHIEU
P. Raphaël Cournault: Both, my captain! If by definition it makes the Token invalid, it means that the recognition of identifiers does not work. Is it due to the browser cache?
P. Raphaël Cournault
Simon MATHIEU: Exactly. Since the pages are protected, if the page is not reloaded and returned recently, there is a token error until the token is regenerated by reloading the page.
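The stale-page behaviour described in the reply above, modelled as an added example that is not part of the thread and not Enoria's code. The token format, the 15-minute lifetime and the names `issue_token` and `check_token` are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # constructed secret for this demo
TOKEN_TTL = 900                       # assumed token lifetime, in seconds


def _mac(session_id, ts):
    msg = f"{session_id}|{ts}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Return 'timestamp.mac', bound to the session that rendered the form."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(session_id, ts)}"


def check_token(session_id, token, now=None):
    """Return 'ok', 'expired' or 'invalid' for a submitted form token."""
    now = time.time() if now is None else now
    ts, _, mac_hex = token.partition(".")
    if not (ts.isascii() and ts.isdigit()) or not mac_hex:
        return "invalid"
    if not hmac.compare_digest(_mac(session_id, ts).encode(), mac_hex.encode()):
        return "invalid"   # different session cookie, or a tampered token
    if now - int(ts) > TOKEN_TTL:
        return "expired"   # the form was rendered too long ago
    return "ok"


def demo():
    t0 = 1_700_000_000                      # constructed clock value
    form_token = issue_token("sess-A", t0)  # login page rendered, then left open
    results = {
        "fresh": check_token("sess-A", form_token, t0 + 60),
        "stale_page": check_token("sess-A", form_token, t0 + 3600),
        "new_session_cookie": check_token("sess-B", form_token, t0 + 60),
    }
    reloaded = issue_token("sess-B", t0 + 3600)  # a reload issues a new token
    results["after_reload"] = check_token("sess-B", reloaded, t0 + 3605)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Returning "expired" separately from "invalid" lets a login handler re-render the form with a new token instead of showing an error to the user.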
Simon MATHIEU
P. Raphaël Cournault: the recurring problem is that when the Father connects to his closed webapp, the recognition of his identifiers does not work and it takes several clicks on the button to connect him.
P. Raphaël Cournault
Simon MATHIEU: So you have to rephrase the request: Enoria WebApp: avoid untimely disconnections.
Élodie Massa
P. Raphaël Cournault: Untimely disconnections are also a guarantee of security... I think it is completely unwise to extend even more [even more on a smartphone than on a computer (but you don't have the possibility to choose depending on the terminal used)] the time of inactivity before disconnecting. As for the Remember Me option... with the quantity of data that can be accessed by anyone in case of smartphone theft... in my opinion it should not even be possible.
The CSRF token is indeed a story about cookies and the browser. Personally I no longer encounter this problem since I empty the browser cache (automatically) as soon as I close it!
P. Raphaël Cournault
https://progressier.com/pwa-capabilities/biometric-authentication-with-passkeys could be interesting