Use with: :clear_session on bad CSRF tokens

config/config.exs

@@ -19,6 +19,9 @@ config :mime, :types, %{
   "text/plain" => ["livemd"]
 }
 
+# We want CSRF tokens to be logged to help users with debugging
+config :plug_cowboy, :log_exceptions_with_status_code, [407..599]
+
 config :livebook,
   app_service_name: nil,
   app_service_url: nil,

lib/livebook_web/plugs/auth_plug.ex

@@ -24,7 +24,9 @@ defmodule LivebookWeb.AuthPlug do
   Stores in the session the secret for the given mode.
   """
   def store(conn, mode, value) do
-    put_session(conn, key(conn.port, mode), hash(value))
+    conn
+    |> put_session(key(conn.port, mode), hash(value))
+    |> configure_session(renew: true)
   end
 
   @doc """

lib/livebook_web/router.ex

@@ -7,7 +7,16 @@ defmodule LivebookWeb.Router do
     plug :fetch_session
     plug :fetch_live_flash
     plug :put_root_layout, {LivebookWeb.LayoutView, :root}
-    plug :protect_from_forgery
+    # Because LIVEBOOK_SECRET_KEY_BASE authentication is randomly
+    # generated, the odds of getting a CSRFProtection is quite high
+    # and exceptions can lead to a poor user experience.
+    #
+    # During authentication, configure_session(renew: true) will
+    # override the configure_session(ignore: true) but the session
+    # will be cleared anyway. This means an attacker can authenticate
+    # someone in a given Livebook instance but they wouldn't be able
+    # to do anything once the authentication goes through.
+    plug :protect_from_forgery, with: :clear_session
     plug :put_secure_browser_headers
     plug :within_iframe_secure_headers
   end