Last modified: 2014-02-13 01:24:31 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T63269, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 61269 - CSRF warnings when users take a long time to fill out Wikimania Scholarships application
Status: NEW
Product: Wikimedia
Classification: Unclassified
Component: Wikimania Scholarships
Version: wmf-deployment
Hardware: All All
Importance: Normal normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!

Reported: 2014-02-12 16:19 UTC by Bryan Davis
Modified: 2014-02-13 01:24 UTC (History)
Description Bryan Davis 2014-02-12 16:19:02 UTC
[05:31]  <Sir_Designer_>	 applying for wikimania support... everything very lucid, very nice, hit submit button...
[05:31]  <Sir_Designer_>	 "Invalid request
[05:31]  <Sir_Designer_>	 The request that was submitted was missing the request forgery protection token. Please return to the form, reload the page and try again."
[05:31]  <Sir_Designer_>	 am I going to lose all the typing and ticking off and drop down box content selection by reloading?  
[05:50]  <  andre__>	 Sir_Designer_: also depends on the browser you use, hence hard to tell. Try? :P
[05:51]  <Sir_Designer_>	 before I do, I am busy copying all the precious work to Note (mac). :)
[05:51]  <Sir_Designer_>	 NOtes *
[05:59]  <Sir_Designer_>	 it was a spectacular lossage.  glad I copied and pasted to a safe place.
[06:23]  <Sir_Designer_>	 Thanks!
[06:23]  <Sir_Designer_>	 Thank you for submitting your scholarship application for Wikimania 2014. Please contact wikimania-scholarships@wikimedia.org with any questions.
[06:23]  <Sir_Designer_>	 :)
[06:23]  <Sir_Designer_>	 see you in London!
Comment 1 Bryan Davis 2014-02-12 16:19:12 UTC
[09:11]  <    bd808>	 Sir_Designer_: Do you have any guess about how long you had been working on the form before you hit submit when you got the missing request token error submitting for a Scholarship? We see that error in the logs several times per day and my only guess so far is that PHP has garbage collected the server side session due to inactivity while the user is working on their answers.
[09:12]  <    bd808>	 I haven't had any reports of people not being able to submit on retry so I haven't worked too hard to reproduce the problem. It is annoying though.
[09:14]  <Sir_Designer_>	 bd808 20 minutes with onr back as i hit return inadvertently and it chided me that i did not finish
[09:14]  <Sir_Designer_>	 gotta run.
[09:14]  <    bd808>	 Thanks for the data. That matches my guess about session garbage collection.
[09:14]  <    bd808>	 I'll open a bug for next year :)
Comment 2 Bryan Davis 2014-02-12 16:24:22 UTC
The guess about session cleanup is just that... a guess.

If that is the problem, it would be possible to add a JavaScript heartbeat callback that would keep the server-side session alive while people were parked on the application form. Pinging back to the server every 5 minutes or so should be enough to keep the session alive. The client-side script could even be really smart and only make the pings if there had been mouse/keyboard activity since the last ping went out.

An alternate solution might be to fire a quick Ajax request on form submit that validated that the XSRF token was still good and, if not, acquired a new one and wrote it into the form before letting the browser continue to submit.
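
The two mitigations proposed in Comment 2, sketched as an added example (not code from the Wikimania Scholarships application or from the commenter). The endpoint paths, the JSON response shape and the hidden field name are hypothetical placeholders.

```javascript
// Added example. All three constants below are assumptions, not the app's real names.
const PING_URL = '/session/ping';   // assumed: a request here touches the server-side session
const TOKEN_URL = '/session/csrf';  // assumed: answers {"valid": bool, "token": "..."}
const TOKEN_FIELD = 'csrf_token';   // assumed: name of the hidden token input

// Heartbeat that pings only when the user was active since the last ping,
// so an abandoned tab still lets the session expire on the server.
function createHeartbeat(ping) {
  let active = false;
  return {
    markActive() { active = true; },
    // Call once per interval; returns true if a ping was sent.
    tick() {
      if (!active) return false;
      active = false;
      ping();
      return true;
    },
  };
}

// Before submit: ask the server whether the token in the form is still good;
// if not, write the replacement into the hidden field. Resolves to the token used.
async function ensureFreshToken(field, checkToken) {
  const res = await checkToken(field.value);
  if (!res.valid) field.value = res.token;
  return field.value;
}

// Browser wiring (skipped when no DOM is present).
if (typeof document !== 'undefined') {
  const form = document.querySelector('form');
  const post = (url, body) =>
    fetch(url, { method: 'POST', credentials: 'same-origin', body });
  const hb = createHeartbeat(() => post(PING_URL));
  for (const ev of ['keydown', 'mousemove', 'click']) {
    document.addEventListener(ev, hb.markActive, { passive: true });
  }
  setInterval(hb.tick, 5 * 60 * 1000); // every 5 minutes, as suggested in the comment
  form.addEventListener('submit', async (e) => {
    e.preventDefault();
    const check = (t) =>
      post(TOKEN_URL, new URLSearchParams({ token: t })).then((r) => r.json());
    // If the check itself fails, submit anyway and let the server validate.
    await ensureFreshToken(form.elements[TOKEN_FIELD], check).catch(() => {});
    form.submit(); // form.submit() does not re-fire the submit event
  });
}
```

The server still validates the token on the real POST; the pre-submit check only spares the user the error page and the lost input.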
