login page expires (Trac #1152) #1152

Closed
elgg-gitbot opened this issue Feb 16, 2013 · 7 comments

Comments


elgg-gitbot commented Feb 16, 2013

Original ticket http://trac.elgg.org/ticket/1152 on 39573132-06-25 by trac user darkwingduck, assigned to unknown.

Elgg version: 1.5

Login page expires.

To regenerate:

  • Go to your Elgg landing page.
  • Set your server time +2 (more than 1 hour passed since we loaded the page)
  • Try to log in
  • You'll get:
    The page you were using has expired. Please refresh and try again.

This is probably due to the action gatekeeper function, which uses a 1 hour expiration for the security token used in forms.

But as this is the login page, and visitors don't have to be securely identified before they are logged in, this shouldn't happen.

This gives trouble to users who try to log in. And worse, sometimes they may think they are trying wrong login info, and try other combinations with no success.

Marking this as minor rather than trivial, as I hear/expire this pretty much, and it can affect every user.

Tested in current svn version.


elgg-gitbot commented Feb 16, 2013

trac user darkwingduck wrote on 39573134-11-22

strange formatting, good work trac! =)


elgg-gitbot commented Feb 16, 2013

trac user darkwingduck wrote on 39573145-03-22

ps: people who don't have access to the server time may wait for 1+ hours after landing on the first login page on their elgg site, to regenerate this.


elgg-gitbot commented Feb 16, 2013

trac user darkwingduck wrote on 39573226-04-24

-correction: I hear/experience this pretty often.


elgg-gitbot commented Feb 16, 2013

brettp wrote on 40088017-12-01

Actions, regardless of logged in status, must be validated through tokens for security. Until the token system can be reexamined, this is a side effect of that system.


elgg-gitbot commented Feb 16, 2013

trac user darkwingduck wrote on 40088075-01-31

But only 'secure actions', for preventing attacks like cross-site right?

I remember there is a parameter in the gateway to control this behaviour per action. Does it have to be a 'secure' action while the visitor has no access to their account, and it has to be fed with the credentials? Nearly no website uses this scheme for login.

I've probably changed this in our server.


elgg-gitbot commented Feb 16, 2013

cash wrote on 40853558-08-01

This was fixed in [svn:3972]


elgg-gitbot commented Feb 16, 2013

ewinslow wrote on 41459052-08-11

Potentially relevant: http://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests
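Added example (not code from the thread, and not Elgg's own action gatekeeper, whose token construction is not shown on this page): a generic timestamped, session-bound form token that illustrates both points raised above. The one-hour lifetime reproduces the failure darkwingduck reports when the server clock jumps two hours, and the session binding is what makes a token necessary even on a login form, since a forged login request (ewinslow's link) carries a token minted in the attacker's session, not the victim's. Everything here is constructed for the example: the session ids, the timestamps, the site secret, and the assumption that the form carries the mint time alongside the token so the check can recompute it.

```python
import hashlib
import hmac

# One-hour token lifetime, the expiry the ticket describes.
TOKEN_LIFETIME = 3600
EXPIRED_MSG = "The page you were using has expired. Please refresh and try again."
# Constructed stand-in for a per-site secret; not a value taken from Elgg.
SITE_SECRET = b"example-site-secret-do-not-reuse"


def generate_action_token(session_id, ts):
    """Mint the token a form would carry: HMAC over (session_id, ts).

    Binding ts lets the gatekeeper enforce a lifetime; binding session_id
    means a token minted in one session cannot be replayed in another,
    which is what blocks a forged login request."""
    msg = f"{session_id}:{ts}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def action_gatekeeper(session_id, ts, token, now):
    """Validate a submitted form. Returns (accepted, reason).

    `now` is passed in rather than read from the clock so the caller can
    move it, mirroring the ticket's "set your server time +2" step."""
    expected = generate_action_token(session_id, ts)
    if not hmac.compare_digest(token, expected):
        return False, "invalid token for this session"
    if now - ts > TOKEN_LIFETIME or ts > now:
        return False, EXPIRED_MSG
    return True, "ok"


def submit_login(session_id, page_loaded_at, now):
    """A visitor loads the login page at page_loaded_at and posts it at now."""
    token = generate_action_token(session_id, page_loaded_at)
    return action_gatekeeper(session_id, page_loaded_at, token, now)


def reproduce_ticket():
    """Page loaded, server clock jumped two hours, then the login is posted."""
    t0 = 1_000_000
    return submit_login("visitor-session", t0, now=t0 + 2 * 3600)


def login_csrf_attempt():
    """Login CSRF: the attacker embeds a token from *their* session in a
    form and gets the victim to submit it. The session binding rejects it."""
    t0 = 1_000_000
    attacker_token = generate_action_token("attacker-session", t0)
    return action_gatekeeper("victim-session", t0, attacker_token, now=t0 + 5)


if __name__ == "__main__":
    print("fresh login:", submit_login("visitor-session", 1_000_000, 1_000_600))
    print("ticket repro:", reproduce_ticket())
    print("login CSRF:", login_csrf_attempt())
```

Note that the lifetime check is what the reporter hit, and it bites every outstanding form on the site when the server clock moves, not just the login form; the session check is the part that would still matter if the lifetime were lifted for login, because the ticket's suggestion of exempting login from the token entirely would also remove the defence against the forged-login scenario.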
