Stale login page will trigger our fallback 422 page, which is confusing
Unclear exactly how to reproduce. In Vivaldi for Android, the login page can be loaded for a long time, and then when a login is attempted, it may fail the CRSF check.
Since this is browser behavior related, our only recourse is smoothing the experience of this CSRF failure. For example: it should be possible to just click the Login button again (some amount of user interaction is required for security reasons).
The user also should not see the "This is a bug, and the incident has been logged." message since preventing login without a valid CSRF is correct behavior.
"We should mention in the copy that the reason is because they've had the login page open without action for a while." --Keenan, paraphrased
First seen in 0.11.0-alpha+gitlabci-g 1e5f4737 with the request id d3cf20ce-787c-44b7-90c9-ed0b205a3303