[#7669] Clarify that actions prevented by CSRF tokens can be retried
Summary Clarify that actions prevented by CSRF tokens can be retried
Queue IMP
Queue Version 4.3
Type Bug
State Assigned
Priority 2. Medium
Owners Horde Developers
Requester laurent (at) opensolaris (dot) org
Created 11/12/2008 (234 days ago)
Due
Updated 12/09/2008 (207 days ago)
Assigned 12/09/2008 (207 days ago)
Resolved
Attachments
Milestone
Patch No

History
12/09/2008 Chuck Hagenbuch Taken from Chuck Hagenbuch
Assigned to Horde DevelopersHorde Developers
State ⇒ Assigned
 
12/08/2008 meinzerj (at) reed (dot) edu Comment #7 Reply to this comment
There is one more case where this feature needs improvement.  When our 
users click "Log Out" after idling for > 30 minutes, they receive an 
unstyled white page with only the following text:

"This request cannot be completed because the link you followed or the 
form you submitted was only valid for 30 minutes."

There is no indication that the action can be retried.  Indeed, it 
looks like a server error to many users because it is just text on an 
otherwise blank page.  Worse, they may be misled into thinking that 
they have logged out.
11/21/2008 Chuck Hagenbuch Comment #6
Taken from Horde DevelopersHorde Developers
State ⇒ Resolved		 Reply to this comment
Done.
11/21/2008 CVS Commit Comment #5 Reply to this comment
Changes have been made in CVS for this ticket:

http://cvs.horde.org/diff.php/framework/Horde/Horde.php?r1=1.695&r2=1.696&ty=u
http://cvs.horde.org/diff.php/imp/lib/IMP.php?r1=1.732&r2=1.733&ty=u
11/12/2008 Chuck Hagenbuch Comment #4
Summary ⇒ Clarify that actions prevented by CSRF tokens can be retried
Assigned to Horde DevelopersHorde Developers
Assigned to Chuck Hagenbuch
State ⇒ Assigned		 Reply to this comment
We should tweak the message.
11/12/2008 laurent (at) opensolaris (dot) org Comment #3 Reply to this comment
Duh, sorry! I had the message several times, and I didn't think even 
*once* to retry sending it, only saving it to Drafts. I guess it's an 
automatic reaction acquired when TB has issues sending email.

Of course I understand the security issue at stake here, not 
suggesting to remove the option, only to make its behaviour easier to 
understand. So to deal with dumb types like me, I would suggest adding 
something like this to the error message: "You can retry the action now"

Sorry for that, thank you for your help.
11/12/2008 Chuck Hagenbuch Comment #2
State ⇒ Not A Bug		 Reply to this comment
You can just send the message again on the reloaded screen. And this 
is a CSRF protection; what exactly about that do you consider a bug?
11/12/2008 laurent (at) opensolaris (dot) org Comment #1
Patch ⇒
Milestone ⇒
Summary ⇒ token_lifetime prevents sending email
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Queue ⇒ IMP		 Reply to this comment
The default value for $conf['server']['token_lifetime'] is 1800. The 
problem with it is that when I'm typing a long email, that takes more 
than half an hour, then I can't send it, I get the following error:

This request cannot be completed because the link you followed or the 
form you submitted was only valid for 30 minutes

It is of course very annoying, since there is no apparent way to 
refresh this vaue automatically from the composition window.
At this point, luckily, I can still save it as a draft, then reopen it 
and send it.

Having an automatic refresher would be much more convenient, though.

Workaround is to increase the value of token_lifetime.