View Issue Details

ID: 0025367
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2019-06-27 07:43
Reporter: cproensa
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 2.20.0
Summary: 0025367: auth_reauthenticate() breaks form submission
Description

When submitting a form, e.g. in manage pages, and the destination page requires reauthentication, after redirecting to the destination page the original POST request is lost.
This usually generates APPLICATION ERROR #2800 Invalid form security token.

Steps To Reproduce

For example: manage_user_edit_page.php
Edit user data, and wait for the timeout to let the authentication trigger.
Submit the form; the reauthenticate page is shown.
After reauthentication, receive 'APPLICATION ERROR #2800 Invalid form security token'.

Tags: No tags attached.

Activities

cproensa

2019-01-24 18:42

developer   ~0061297

Thinking out loud for some options:

  • Carrying the form data as GET through the login pages, and to the final redirect, is not a valid option.
  • When the login page is triggered, if POST data is present, save that data in the user session.
  • After reauthentication is successful, then two options:
    1) instead of immediate redirect, recover GPC data from session, and display a page with a form (+ hidden inputs) that submits to the original destination. This requires user interaction.
    2) or implement some method for gpc-recover-state, so that when the redirected page is landed, the saved data is restored from session into the global GPC, transparent to the user and destination page execution.
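
The two options in the note above, sketched as an added example that is not part of the comment and is not MantisBT code. The function names, the `reauth_stash` session key, the TTL, `destination_page.php` and the sample fields are all hypothetical; the session is passed as a plain array so the script runs from the command line.

```php
<?php
// Added illustration, not MantisBT code: function names, the 'reauth_stash'
// session key and the TTL are hypothetical.
const STASH_TTL = 300; // seconds a saved POST stays usable (assumed value)

// On reauthentication trigger: keep the POST server-side, bound to its target.
function stash_post(array &$session, string $target, array $post, int $now): string
{
    $id = bin2hex(random_bytes(16)); // one-time id, safe to carry in the redirect
    $session['reauth_stash'] = ['id' => $id, 'target' => $target,
                                'post' => $post, 'expires' => $now + STASH_TTL];
    return $id;
}

// Option 2: hand the saved POST back once, only to the page it was sent to.
function recover_post(array &$session, string $id, string $target, int $now): ?array
{
    $stash = $session['reauth_stash'] ?? null;
    unset($session['reauth_stash']); // single use, also when a check fails
    if (!is_array($stash) || !hash_equals($stash['id'], $id)
        || $stash['target'] !== $target || $now > $stash['expires']) {
        return null;
    }
    return $stash['post'];
}

// Option 1: build a form with hidden inputs that re-submits the saved fields.
function render_resubmit_form(string $target, array $post): string
{
    $html = '<form method="post" action="' . htmlspecialchars($target, ENT_QUOTES) . "\">\n";
    // http_build_query flattens nested arrays into name[key]=value pairs.
    $query = http_build_query($post, '', '&');
    foreach ($query === '' ? [] : explode('&', $query) as $pair) {
        [$name, $value] = array_map('urldecode', explode('=', $pair, 2) + [1 => '']);
        $html .= '  <input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES)
               . '" value="' . htmlspecialchars($value, ENT_QUOTES) . "\">\n";
    }
    return $html . "  <button type=\"submit\">Continue</button>\n</form>\n";
}

// Constructed sample request, for demonstration only.
$session = [];
$post = ['user_id' => '7', 'realname' => 'A "B" <c>', 'flags' => ['x' => '1']];
$id = stash_post($session, 'destination_page.php', $post, time());
echo render_resubmit_form('destination_page.php', $session['reauth_stash']['post']);
var_dump(recover_post($session, $id, 'destination_page.php', time()) === $post); // first use
var_dump(recover_post($session, $id, 'destination_page.php', time()));           // replay
```

Keeping the data in the session rather than in the URL matches the first bullet of the note; the single-use id, target binding and expiry limit what a stale or replayed redirect can re-submit.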