
[#7669] Clarify that actions prevented by CSRF tokens can be retried
Summary Clarify that actions prevented by CSRF tokens can be retried
Queue IMP
Queue Version 4.3
Type Bug
State Resolved
Priority 3. High
Owners Horde Developers (at) , slusarz (at) horde (dot) org
Requester laurent (at) opensolaris (dot) org
Created 11/12/2008 (6081 days ago)
Due
Updated 08/11/2010 (5444 days ago)
Assigned 12/09/2008 (6054 days ago)
Resolved 08/11/2010 (5444 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
08/11/2010 05:41:15 AM Michael Slusarz Comment #10
Assigned to Michael Slusarz
State ⇒ Resolved
Fixed in Horde 3.3.9.
08/11/2010 05:40:31 AM CVS Commit Comment #9
Changes have been made in CVS for this ticket:

Bug: 7669
On invalid token during logout, redirect to initial page
Merge from git: 7c61bc0e09925169c1f4007253abbde4281bd98d
http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&r1=1.515.2.612&r2=1.515.2.613&ty=u
http://cvs.horde.org/diff.php/horde/login.php?rt=horde&r1=2.175.2.17&r2=2.175.2.18&ty=u
10/26/2009 06:54:27 PM Jan Schneider Priority ⇒ 3. High
12/09/2008 08:10:54 AM Chuck Hagenbuch State ⇒ Assigned
Taken from Chuck Hagenbuch
Assigned to Horde Developers
12/08/2008 10:53:54 PM meinzerj (at) reed (dot) edu Comment #7
There is one more case where this feature needs improvement. When our
users click "Log Out" after idling for more than 30 minutes, they receive an
unstyled white page with only the following text:

"This request cannot be completed because the link you followed or the
form you submitted was only valid for 30 minutes."

There is no indication that the action can be retried. Indeed, it
looks like a server error to many users because it is just text on an
otherwise blank page. Worse, they may be misled into thinking that
they have logged out.
11/22/2008 04:01:58 AM Chuck Hagenbuch Comment #6
Taken from Horde Developers
State ⇒ Resolved
Done.
11/13/2008 03:20:43 AM Chuck Hagenbuch Comment #4
Assigned to Chuck Hagenbuch
Assigned to Horde Developers
Summary ⇒ Clarify that actions prevented by CSRF tokens can be retried
State ⇒ Assigned
We should tweak the message.
11/12/2008 10:40:20 PM laurent (at) opensolaris (dot) org Comment #3
Duh, sorry! I had the message several times, and I didn't think even
*once* to retry sending it, only saving it to Drafts. I guess it's an
automatic reaction acquired when TB has issues sending email.

Of course I understand the security issue at stake here; I'm not
suggesting removing the option, only making its behaviour easier to
understand. So to deal with dumb types like me, I would suggest adding
something like this to the error message: "You can retry the action now."

Sorry for that, and thank you for your help.
11/12/2008 01:39:12 PM Chuck Hagenbuch Comment #2
State ⇒ Not A Bug
You can just send the message again on the reloaded screen. And this 
is a CSRF protection; what exactly about that do you consider a bug?
11/12/2008 10:41:47 AM laurent (at) opensolaris (dot) org Comment #1
Priority ⇒ 2. Medium
State ⇒ Unconfirmed
Patch ⇒ No
Milestone ⇒
Summary ⇒ token_lifetime prevents sending email
Type ⇒ Bug
Queue ⇒ IMP
The default value for $conf['server']['token_lifetime'] is 1800. The
problem with it is that when I'm typing a long email, which takes more
than half an hour, I can't send it; I get the following error:

This request cannot be completed because the link you followed or the
form you submitted was only valid for 30 minutes

It is of course very annoying, since there is no apparent way to
refresh this value automatically from the composition window.

At this point, luckily, I can still save it as a draft, then reopen it
and send it.

Having an automatic refresher would be much more convenient, though.

Workaround is to increase the value of token_lifetime.
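The thread above turns on three behaviours of a lifetime-bounded CSRF token: a token issued to the user aging out after token_lifetime seconds, the difference between that case (safe to retry) and a token that never verifies (possibly a forged request), and the logout path, where the committed fix redirects to the initial page instead of rendering a bare error. The following is an added example and is not Horde's code nor anything posted by a participant in this ticket. The 1800-second default is taken from comment #1; the HMAC construction, the binding of the token to a session id, the half-lifetime refresh policy, the response dicts and the /login.php path are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Mirrors the default of Horde's $conf['server']['token_lifetime'] (1800 s) quoted
# in comment #1; everything else in this file is an assumed, illustrative design.
TOKEN_LIFETIME = 1800


def make_token(secret, session_id, now=None):
    """Issue 'timestamp:hmac'. Binding the MAC to the session id (an assumption,
    not Horde's scheme) means a token lifted from one session is useless in another."""
    ts = int(time.time()) if now is None else int(now)
    mac = hmac.new(secret, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_token(secret, session_id, token, now=None, lifetime=TOKEN_LIFETIME):
    """Return 'ok', 'expired' or 'invalid'.

    'expired' is only reported when the MAC verifies, i.e. the server really issued
    this token to this session and it merely fell outside its window, which is
    exactly the case a user should be told to retry. A bad or missing MAC is
    'invalid' and may be a cross-site request."""
    ts_str, _, mac = token.partition(":")
    if not ts_str.isdigit() or not mac:
        return "invalid"
    expected = hmac.new(secret, f"{session_id}:{ts_str}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "invalid"
    now = int(time.time()) if now is None else int(now)
    age = now - int(ts_str)
    if age < 0 or age > lifetime:
        return "expired"
    return "ok"


def refresh_if_stale(secret, session_id, token, now=None, lifetime=TOKEN_LIFETIME):
    """The 'automatic refresher' asked for in comment #1: a long-lived page such as
    a compose window can poll this and swap in a new token once half the lifetime
    is used, so a valid token never ages out while the user is still typing."""
    now = int(time.time()) if now is None else int(now)
    if check_token(secret, session_id, token, now, lifetime) != "ok":
        return token  # nothing to refresh; the next submit will report the problem
    if now - int(token.partition(":")[0]) >= lifetime // 2:
        return make_token(secret, session_id, now)
    return token


def respond(action, result, lifetime=TOKEN_LIFETIME):
    """Map a check result to what the user sees (hypothetical response dicts)."""
    if result == "ok":
        return {"status": 200, "body": f"{action} completed"}
    if action == "logout":
        # The change committed for this ticket: an invalid token on logout redirects
        # to the initial page instead of rendering a bare error. The path is assumed.
        return {"status": 302, "location": "/login.php"}
    minutes = lifetime // 60
    body = ("This request cannot be completed because the link you followed or the "
            f"form you submitted was only valid for {minutes} minutes. ")
    if result == "expired":
        body += "The page has been reloaded with a fresh token; you can retry the action now."
    else:
        body += "The request could not be verified; return to the application and try again."
    return {"status": 400, "body": body}


if __name__ == "__main__":
    secret, sid = b"server-secret-assumed", "session-123"
    tok = make_token(secret, sid, now=1_000_000)
    for offset in (0, 900, 1800, 1801):
        print(offset, check_token(secret, sid, tok, now=1_000_000 + offset))
    print(respond("send", "expired"))
    print(respond("logout", "expired"))
```

Only a token whose MAC verifies is ever reported as expired, so the retry hint never leaks to a request that could not have come from the user's own session; the logout branch is the one place where a failed check is answered with a redirect rather than an error, because the user's intent there is harmless and a blank error page misleads them into believing they are logged out.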
