Bug #4564

Registration page blocked on private browser windows

Added by Matt Gold almost 7 years ago. Updated almost 7 years ago.

Yesterday I wanted to send someone a link to the CAC registration page, but I was already logged in. So I opened a private browser window to start a non-logged-in session and clicked "Register." When I did, I hit a 403 error (screenshot attached).

I am assuming we are blocking access for security reasons. Or maybe Lihua instituted something and we are not aware. In any case, it would be nice if the server could provide a more explicit error message. What do you think? Maybe this isn't a common use case and we can ignore it.


#1 Updated by Boone Gorges almost 7 years ago

  • Status changed from Assigned to Reporter Feedback

Access is not blocked for private browsers per se. However, access to /register/ is blocked for clients that don't have our secret cookie. The cookie is created during a normal visit to any regular page of the Commons (such as the front page). So if you're opening a private browsing session (in which all your normal browser cookies are ignored), and navigate immediately to /register/, you'll be blocked. However, if you open the private browsing session and navigate first to a normal Commons page before going to /register/, it should work. Could you please verify that this is the case?

This block is in place for security reasons - it prevents most botnet attacks on /register/. If you can confirm that my description above is correct, then I think we should leave this in place, as the workflow described there is very atypical.

#2 Updated by Matt Gold almost 7 years ago

  • Status changed from Reporter Feedback to Rejected

Thanks for the explanation, and okay -- yes -- confirmed that when starting from the CAC homepage on a private window, I can access the Registration page.
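
The cookie gate described in comment #1, sketched as an added example that is not part of the ticket and is not the Commons' own code: regular pages issue a signed cookie, and /register/ returns 403 with an explicit message when a valid cookie is absent. The cookie name, HMAC token format and 24-hour lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions (not from the ticket): cookie name, token format, lifetime.
COOKIE_NAME = "site_gate"              # hypothetical cookie name
MAX_AGE = 24 * 3600                    # seconds a token stays valid
SERVER_KEY = secrets.token_bytes(32)   # server-side secret, never sent to clients


def _mac(ts, nonce):
    return hmac.new(SERVER_KEY, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Build 'timestamp.nonce.mac'; set as a cookie on any regular page."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{ts}.{nonce}.{_mac(ts, nonce)}"


def token_is_valid(token, now=None):
    """Verify the MAC in constant time first, then the token's age."""
    parts = (token or "").split(".")
    if len(parts) != 3:
        return False
    ts, nonce, mac = parts
    if not hmac.compare_digest(mac.encode(), _mac(ts, nonce).encode()):
        return False
    # ts is only parsed after the MAC check, so it is a value we issued.
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= MAX_AGE


def handle(path, cookies):
    """Return (status, cookies_to_set, body) for one request."""
    has_cookie = token_is_valid(cookies.get(COOKIE_NAME))
    if path.startswith("/register"):
        if has_cookie:
            return 200, {}, "registration form"
        # Explicit message rather than a bare 403, as the reporter requested.
        return 403, {}, "Please open the home page first, then return to /register/."
    # Any regular page issues the cookie when the client lacks a valid one.
    return 200, ({} if has_cookie else {COOKIE_NAME: issue_token()}), "page"
```

A gate like this only filters clients that never carry cookies from one request to the next, which matches the "most botnet attacks" wording in comment #1.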
