If I try to log in from the home page, it fails and display this page:
Note that on the homepage the https icon as a small yellow triangle.
It works from other pages (no yellow triangle on the https icon).
Ironically, that yellow triangle is due in part to your image here not being server over https ;-) I suppose we could disallow img tags pointing to http, but that's not very user friendly.
That said, it has nothing to do with the missing CSRF tag. I'll look into why that is.
I've looked into it and at both https://handmade.network/home
the CSRF token is present and I can log on just fine. Put differently I can't replicate the bug. Indeed a while back I went through this code to make sure that if you try to log on from a subdomain, the logon request went to that same subdomain to prevent precisely this error, and this is the first report I've seen since suggesting there's still a possible bug there.
Even so, if I log out and try to log in from either those locations, I just can't replicate it. At least not in the normal case.
There is a way to replicate the bug that's rather convoluted:
- Load the homepage
- Load another page on the site in another tab
- Now try to log in on the first tab, with the previous step having generated a new CSRF token and expiring the previous one
If however I log in first or log in on the last tab I opened, I can't replicate this. Alternatively the tab with the homepage open may just have been sitting there too long, in which case the CSRF token has expired as well.
So really I think what should happen is that I replace that error page with something more informative that says the logon token has expired, suggesting that you refresh the page and try again. Tinkering with the CSRF logic to solve this 'non bug' would undermine security, when what's really happening is that it's working as intended but the error message could be a bit more informative.