login page expires (Trac #1152) #1152
Comments
trac user darkwingduck wrote on 39573134-11-22 strange formatting, good work trac! =)
trac user darkwingduck wrote on 39573145-03-22 ps: people who don't have access to the server time may wait for 1+ hours after landing on the first login page on their elgg site, to regenerate this.
trac user darkwingduck wrote on 39573226-04-24 -correction: I hear/experience this pretty often.
brettp wrote on 40088017-12-01 Actions, regardless of logged in status, must be validated through tokens for security. Until the token system can be reexamined, this is a side effect of that system.
trac user darkwingduck wrote on 40088075-01-31 But only 'secure actions', for preventing attacks like cross-site, right? I remember there is a parameter in the gateway to control this behaviour per action. Does it have to be a 'secure' action while the visitor has no access to their account, and it has to be fed with the credentials? Nearly no website uses this scheme for login. I've probably changed this on our server.
cash wrote on 40853558-08-01 This was fixed in [svn:3972]
ewinslow wrote on 41459052-08-11 Potentially relevant: http://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests
Original ticket http://trac.elgg.org/ticket/1152 on 39573132-06-25 by trac user darkwingduck, assigned to unknown.
Elgg version: 1.5
Login page expires.
To regenerate:
The page you were using has expired. Please refresh and try again.
This is probably due to the action gatekeeper function, which uses a 1 hour expiration for the security token used in forms.
But as this is the login page, and visitors don't have to be securely identified before they are logged in, this shouldn't happen.
This gives trouble to users who try to log in. And worse, sometimes they may think they are trying wrong login info, and try other combinations with no success.
Marking this as minor rather than trivial, as I hear/experience this pretty much, and it can affect every user.
Tested in current svn version.
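As an added example (not Elgg's own code, and not the fix referenced above), here is the kind of timestamped, session-bound action token the thread describes. It shows why a login form left open for longer than the one-hour lifetime is rejected as expired, and why a token minted for a different session (the forged login request from the linked article) is rejected outright rather than merely expired. The secret, the field names and the one-hour lifetime are assumptions for the example.

```python
import hashlib
import hmac

# Constructed example secret; a real site loads this from configuration.
SITE_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_LIFETIME = 3600  # one hour, the expiry the ticket attributes to the gatekeeper


def make_token(session_id: str, ts: int, secret: bytes = SITE_SECRET) -> str:
    """Bind a token to the visitor's session and the second it was issued."""
    msg = f"{session_id}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def check_token(session_id: str, ts: int, token: str, now: int,
                secret: bytes = SITE_SECRET, lifetime: int = TOKEN_LIFETIME) -> str:
    """Return 'ok', 'expired' or 'invalid' for a submitted (ts, token) pair."""
    expected = make_token(session_id, ts, secret)
    # Constant-time compare; a token from another session or a tampered
    # timestamp fails here, before the age is even considered.
    if not hmac.compare_digest(expected, token):
        return "invalid"
    # Reject forms older than the lifetime and timestamps from the future.
    if not 0 <= now - ts <= lifetime:
        return "expired"
    return "ok"


def render_login_form(session_id: str, now: int) -> dict:
    """Hidden fields the server would embed in the login form (assumed names)."""
    return {"ts": now, "token": make_token(session_id, now)}


def handle_login(form: dict, session_id: str, now: int) -> str:
    """Gatekeeper step that runs before credentials are looked at."""
    return check_token(session_id, form["ts"], form["token"], now)


if __name__ == "__main__":
    t0 = 1_700_000_000
    form = render_login_form("sess-A", t0)
    print(handle_login(form, "sess-A", t0 + 600))   # ok
    print(handle_login(form, "sess-A", t0 + 3601))  # expired: the message users saw
    print(handle_login(form, "sess-B", t0 + 600))   # invalid: token bound to another session
```

The "expired" branch is the behaviour reported in the ticket; the "invalid" branch is what the token buys on the login form, since a cross-site request cannot carry a token bound to the victim's session.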