I'm trying to implement password in an iframe, CSRF issue

cthomas · May 11, 2022, 1:39am

There is an API endpoint for getting a custom password reset page URL. It’s the same sort of link you get in a password reset email.

I have in mind to make a password reset page. Using classic login, I can customize the password reset page to be dual-mode. Reset mode for the email, and change mode for an iframe embedded in a user preferences popup modal.

I did all this. Even using window postMessage API to tell the parent page when the password change is complete, however I’m getting error 403:

Request Method:
POST

Status Code:
403

code: “invalid_csrf_token”

message: “Invalid CSRF token”

name: “CsrfInvalidTokenError”

statusCode: 403

(It’s ok, the token is stale)

_csrf:
Zt9vuD6C-jzeN94KpaEr8Fpx8r8kwyvuwfYs

ticket:
OVXYfqu9obitx94wnEQJTcqrWQnoYDIb

It’s providing a token, but failing the request.

Topic		Replies	Views
Getting an Invalid CSRF token error during password reset Help csrf , password-change	2	7045	March 2, 2018
Custom UI password reset page Help password-reset , custom-ui	6	2932	November 1, 2022
How i can reset password in customized reset password page from universal login? Help password-reset , reset-password	2	4095	July 7, 2020
Reset password, gets http 400 Help reset , reset-password	8	5665	March 2, 2018
Password reset error messages inconsistent Help password-reset	2	3407	August 26, 2019

I'm trying to implement password in an iframe, CSRF issue

Related Topics