6.0.0-git
2021-01-19

[#7669] Clarify that actions prevented by CSRF tokens can be retried
Summary Clarify that actions prevented by CSRF tokens can be retried
Queue IMP
Queue Version 4.3
Type Bug
State Resolved
Priority 3. High
Owners Horde Developers (at) , slusarz (at) horde (dot) org
Requester laurent (at) opensolaris (dot) org
Created 2008-11-12 (4451 days ago)
Due
Updated 2010-08-11 (3814 days ago)
Assigned 2008-12-09 (4424 days ago)
Resolved 2010-08-11 (3814 days ago)
Milestone
Patch No

History
2010-08-11 05:41:15 Michael Slusarz Comment #10
Assigned to Michael Slusarz
State ⇒ Resolved
Reply to this comment
Fixed in Horde 3.3.9.
2010-08-11 05:40:31 CVS Commit Comment #9 Reply to this comment
Changes have been made in CVS for this ticket:

Bug: 7669
On invalid token during logout, redirect to initial page
Merge from git: 7c61bc0e09925169c1f4007253abbde4281bd98d
http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&r1=1.515.2.612&r2=1.515.2.613&ty=u
http://cvs.horde.org/diff.php/horde/login.php?rt=horde&r1=2.175.2.17&r2=2.175.2.18&ty=u
2009-10-26 18:54:27 Jan Schneider Priority ⇒ 3. High
 
2008-12-09 08:10:54 Chuck Hagenbuch Assigned to Horde DevelopersHorde Developers
Taken from Chuck Hagenbuch
State ⇒ Assigned
 
2008-12-08 22:53:54 meinzerj (at) reed (dot) edu Comment #7 Reply to this comment
There is one more case where this feature needs improvement.  When our 
users click "Log Out" after idling for > 30 minutes, they receive an 
unstyled white page with only the following text:



"This request cannot be completed because the link you followed or the 
form you submitted was only valid for 30 minutes."



There is no indication that the action can be retried.  Indeed, it 
looks like a server error to many users because it is just text on an 
otherwise blank page.  Worse, they may be misled into thinking that 
they have logged out.
2008-11-22 04:01:58 Chuck Hagenbuch Comment #6
Taken from Horde DevelopersHorde Developers
State ⇒ Resolved
Reply to this comment
Done.
2008-11-13 03:20:43 Chuck Hagenbuch Comment #4
Assigned to Chuck Hagenbuch
Assigned to Horde DevelopersHorde Developers
Summary ⇒ Clarify that actions prevented by CSRF tokens can be retried
State ⇒ Assigned
Reply to this comment
We should tweak the message.
2008-11-12 22:40:20 laurent (at) opensolaris (dot) org Comment #3 Reply to this comment
Duh, sorry! I had the message several times, and I didn't think even 
*once* to retry sending it, only saving it to Drafts. I guess it's an 
automatic reaction acquired when TB has issues sending email.



Of course I understand the security issue at stake here, not 
suggesting to remove the option, only to make its behaviour easier to 
understand. So to deal with dumb types like me, I would suggest adding 
something like this to the error message: "You can retry the action now"



Sorry for that, thank you for your help.
2008-11-12 13:39:12 Chuck Hagenbuch Comment #2
State ⇒ Not A Bug
Reply to this comment
You can just send the message again on the reloaded screen. And this 
is a CSRF protection; what exactly about that do you consider a bug?
2008-11-12 10:41:47 laurent (at) opensolaris (dot) org Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Summary ⇒ token_lifetime prevents sending email
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ No
Reply to this comment
The default value for $conf['server']['token_lifetime'] is 1800. The 
problem with it is that when I'm typing a long email, that takes more 
than half an hour, then I can't send it, I get the following error:



This request cannot be completed because the link you followed or the 
form you submitted was only valid for 30 minutes



It is of course very annoying, since there is no apparent way to 
refresh this vaue automatically from the composition window.

At this point, luckily, I can still save it as a draft, then reopen it 
and send it.



Having an automatic refresher would be much more convenient, though.



Workaround is to increase the value of token_lifetime.

Saved Queries