developer.jelix.org is not used any more and exists only for history. Post new tickets on the Github account.

Opened 10 years ago

Closed 9 years ago

#876 closed bug (fixed)

jForms: opening the same new form several times generates "invalid token" errors

Reported by: laurentj
Owned by: laurentj
Priority: highest
Milestone: Jelix 1.1.2
Component: jelix:forms
Version: 1.1
Severity: critical
Keywords: (none)
Cc: (none)
Blocked By: (none)
Blocking: (none)
Documentation needed: no
Hosting Provider: (none)
Php version: (none)

Description

When the CSRF protection is activated (allowAnyOrigin=false by default) and we open a new form in several windows/tabs at the same time, only the last opened form can be saved. For the others, we get the error "invalid token".

This is because all these new forms have the same internal id, so they refer to the same data in the session, and the token is regenerated each time we open a new form.

Temporary solution: deactivate the CSRF protection (allowAnyOrigin=true).

Possible future solutions:

  • generate a different internal id for each new form. But we need a boolean to know whether it is a new form or a prefilled form. And the problem is that session data could become huge if the form is only displayed and never submitted (this is the case when the page is displayed by a robot, like indexing robots).
  • keep the same token for each new form? (I'm not sure it is a secure solution)
  • else?

Change History (6)

comment:1 Changed 10 years ago by laurentj

  • Owner set to laurentj
  • Priority changed from high to highest
  • Status changed from new to assigned

comment:2 Changed 10 years ago by laurentj

  • Resolution set to fixed
  • Status changed from assigned to closed

The best solution I found is to keep the same token for all new forms (of the same form type), and to keep the same instance for all opened new forms. There is now a reference count, so when all new forms are destroyed, the instance is destroyed and the token will be regenerated.

r1368
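The following is an added example, not Jelix's own code or the r1368 change, that models the two behaviours discussed in the description and in comment:2. The session structure, the form id `reply_form` and the function names are assumptions made for the illustration. The naive version stores one token per form internal id and regenerates it on every open, so the second tab overwrites the first tab's token and the first tab fails the check. The fixed version keeps one token per form type for all open new instances and holds a reference count, so the entry (and its token) is only dropped once every instance has been destroyed.

```php
<?php
// Added example modelling the ticket's bug and its fix; not Jelix code.
// $session stands in for $_SESSION. The form internal id is a constructed
// value; in the real framework it is derived from the form selector.

// --- Naive behaviour: every open regenerates the token for that form id ---

function naive_open(array &$session, string $formId): string
{
    $token = bin2hex(random_bytes(16));
    // Overwrites whatever token an earlier tab was given.
    $session['forms'][$formId]['token'] = $token;
    return $token;
}

function naive_check(array $session, string $formId, string $token): bool
{
    return isset($session['forms'][$formId]['token'])
        && hash_equals($session['forms'][$formId]['token'], $token);
}

// --- Fixed behaviour: shared token per form type plus a reference count ---

function shared_open(array &$session, string $formId): string
{
    if (!isset($session['forms'][$formId])) {
        // First open of this form type in the session: create the entry.
        $session['forms'][$formId] = [
            'token'    => bin2hex(random_bytes(16)),
            'refcount' => 0,
        ];
    }
    // Every additional new instance reuses the same token.
    $session['forms'][$formId]['refcount']++;
    return $session['forms'][$formId]['token'];
}

function shared_check(array $session, string $formId, string $token): bool
{
    return isset($session['forms'][$formId]['token'])
        && hash_equals($session['forms'][$formId]['token'], $token);
}

function shared_destroy(array &$session, string $formId): void
{
    if (!isset($session['forms'][$formId])) {
        return;
    }
    if (--$session['forms'][$formId]['refcount'] <= 0) {
        // Last instance gone: drop the entry so the next open gets a new token.
        unset($session['forms'][$formId]);
    }
}

// --- Demonstration with two "tabs" opening the same new form ---

$formId = 'reply_form'; // constructed id

$session = ['forms' => []];
$tab1 = naive_open($session, $formId);
$tab2 = naive_open($session, $formId);
printf("naive: tab1 accepted=%s tab2 accepted=%s\n",
    var_export(naive_check($session, $formId, $tab1), true),
    var_export(naive_check($session, $formId, $tab2), true));

$session = ['forms' => []];
$tab1 = shared_open($session, $formId);
$tab2 = shared_open($session, $formId);
printf("shared: tab1 accepted=%s tab2 accepted=%s\n",
    var_export(shared_check($session, $formId, $tab1), true),
    var_export(shared_check($session, $formId, $tab2), true));

// Both instances destroyed: the entry is removed and a later open
// receives a freshly generated token.
shared_destroy($session, $formId);
shared_destroy($session, $formId);
$tab3 = shared_open($session, $formId);
printf("shared: token regenerated after all instances destroyed=%s\n",
    var_export($tab3 !== $tab1, true));
```

In the naive run the first tab's token no longer matches the session and its submission is rejected, which is the "invalid token" error of the description; in the shared run both tabs validate. Sharing one token across tabs of the same session does not weaken the CSRF check, because the token is still a per-session, unguessable secret that a cross-origin page cannot read; it answers the concern raised in the second bullet of the description. The reference count also keeps a single session entry per form type rather than one per opened tab, which addresses the session-size concern about forms that are displayed but never submitted.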

comment:3 Changed 9 years ago by bricet

  • Resolution fixed deleted
  • Status changed from closed to reopened

It seems this problem is back again.

comment:4 Changed 9 years ago by bricet

  • Milestone Jelix 1.1.2 deleted
  • Version changed from 1.1 to trunk

comment:5 Changed 9 years ago by foxmask

We've tested it together on havefnubb.org by replying to an existing topic and we failed.

comment:6 Changed 9 years ago by laurentj

  • Milestone set to Jelix 1.1.2
  • Resolution set to fixed
  • Status changed from reopened to closed
  • Version changed from trunk to 1.1

Please open a new ticket. This bug was fixed. Apparently you are talking about a REGRESSION on another branch. Don't destroy the ticket history. Thanks.
