CSRF 500 Error Bug
#1

[eluser]Unknown[/eluser]
Hi,

I've noticed that users with their computers' clock set a few days into the future can't properly submit my forms. If I turn off CSRF it works.

Is there a workaround?

Thanks!
#2

[eluser]Rok Biderman[/eluser]
It's not a bug, it's a feature. Insisting your server has properly configured time is also one of the few basics you can demand of your provider.

P.S.: Absolutely love the nickname.
#3

[eluser]CroNiX[/eluser]
He was talking about visitors to the site, not the server.
#4

[eluser]Unknown[/eluser]
Yes, the server time is correct, but I had one visitor in particular that couldn't log in. After a lot of frustration, we found out his clock was a month fast.

I think it has to do with the CSRF cookie timeout. Would it be bad if I set the cookie to time out a bit longer?

Also, are time zones accounted for in timeout values?

Thanks.
#5

[eluser]InsiteFX[/eluser]
The cookie is stored on the client system, so if their time is off there is not much you can do about it!

It's their error not yours.

Like here I will set my time a month ahead, how are you going to fix that?
#6

[eluser]CroNiX[/eluser]
It's how CSRF is supposed to work. Increasing the time that much kind of defeats the purpose and leaves you a whole lot less protected. You can't control if some idiot user has his clock way off, just like you can't control if they turn cookies off, in which case a whole lot of sites wouldn't work for them including their banking. One thing you might do is amend the CSRF error message to be more friendly and add something about making sure their date/time is correct.
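
An added example, not part of the thread or of CodeIgniter's own code: a small JavaScript model of how a browser decides whether a cookie has expired, showing why a visitor whose clock runs ahead by more than the cookie lifetime never sends the CSRF cookie back when it carries only an absolute Expires date, while a relative Max-Age is unaffected. The 7200-second lifetime, the cookie name and token, and the timestamps are assumed or constructed values.

```javascript
// Models RFC 6265 cookie expiry as a browser applies it, using its OWN clock.
// All names and values are constructed for illustration.
const SERVER_NOW = Date.UTC(2012, 0, 10, 12, 0, 0); // constructed server time
const CSRF_LIFETIME_S = 7200;                       // assumed cookie lifetime
const DAY = 86400;

// Server side: emit Set-Cookie with an absolute Expires and, optionally,
// a relative Max-Age. Expires is in GMT, so the visitor's time zone setting
// alone does not matter; only an incorrect absolute clock does.
function setCookieHeader(withMaxAge) {
  const expires = new Date(SERVER_NOW + CSRF_LIFETIME_S * 1000).toUTCString();
  let header = `csrf_cookie=constructed-token; Expires=${expires}; Path=/`;
  if (withMaxAge) header += `; Max-Age=${CSRF_LIFETIME_S}`;
  return header;
}

// Client side: compute the expiry instant from the header attributes.
// Max-Age takes precedence over Expires and counts from the client clock.
function clientExpiry(header, clientNow) {
  const attrs = {};
  for (const part of header.split(';').slice(1)) {
    const [key, value] = part.trim().split('=');
    attrs[key.toLowerCase()] = value;
  }
  if (attrs['max-age'] !== undefined) return clientNow + Number(attrs['max-age']) * 1000;
  if (attrs.expires !== undefined) return Date.parse(attrs.expires);
  return Infinity; // no expiry attribute: session cookie
}

// Does the browser still hold the cookie when the form is submitted?
// skewS: client clock minus true time; fillS: seconds spent filling the form.
function cookieSentOnSubmit(skewS, fillS, withMaxAge) {
  const clientNow = SERVER_NOW + skewS * 1000;
  const expiry = clientExpiry(setCookieHeader(withMaxAge), clientNow);
  return clientNow + fillS * 1000 < expiry;
}

console.log(cookieSentOnSubmit(0, 60, false));        // accurate clock
console.log(cookieSentOnSubmit(30 * DAY, 60, false)); // a month fast, Expires only
console.log(cookieSentOnSubmit(30 * DAY, 60, true));  // a month fast, Max-Age present
```

When the cookie is missing on submit, the server has no token to compare against and rejects the request, which is the failure the original poster describes.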



