-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make Invalid Token warnings more user friendly #8445
Conversation
I was making changes in the The other similar discussion on this topic is ongoing in the PR #8416. |
Another idea is to allow passing the second argument to
|
I was recently thinking about this method getting influenced by
I see most of these checks are done in controllers and all (almost) are inherited from $this->checkToken('post', true); // checkToken($method, $redirect) Then gradually update the core components to use this test by test. |
Better. But you don't have to move your new method, just use the allready existing ones from JControllerLegacy instead: JSession::checkToken('post') or jexit(JText::_('JINVALID_TOKEN')); to JSession::checkToken('post') or $this->setRedirect($url, JText::_('JINVALID_TOKEN'), 'error')->redirect(); with the right url and your improved message. Your solution is still a code- (and thus test-) duplication. This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8445. |
@peterpeter I almost agree. But to me the code does not appear to be any duplication. It internally uses the already existing method. The extra method introduced is just to provide the ability to auto calculate the REFERER page url for redirection. If that is not needed then of course we can follow what you suggested. But I think it could be useful. |
I agree this is a real problem, but in current state untestable (we do not have a solution). Please elaborate, because it is a good idea to solve this. This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8445. |
Hello @izharaazmi Thank you for your contribution. The last comment here was on April 15th. Can you update this PR so it is testable? Thanks for understanding! This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8445. |
…white screen with "Invalid token" text. This is total uninformative to a normal user. This update implicitly redirects to the previous page if the token is not valid. To prevent implicit redirect pass `false` as the second argument to `JSession::validateToken()` To make use of this method we need to replace any occurrence of `JSession::checkToken('post') or jexit(JText::_('JINVALID_TOKEN'));` with `JSession::validateToken('post');` Example is set up in com_users > login method.
…oser context to the usage. This allows implicit redirect to the REFERER page in case of token mismatch. In all other case it is same as calling JSession::checkToken() directly. Changes made in the frontend components to make this change test-able. Note: We intend to discourage the `die` usage everywhere which leads the the said uninformative white page.
I have made the necessary changes in the front-end components. Please see #8445 (comment) for updated notes. I hope it is now testable for the front-end. I'll preferably do backend implementation as a separate PR if this is approved. |
I have tested this item 🔴 unsuccessfully on 4b630b0 For the other inner pages warning message "The security token did not match. The request was aborted to prevent any security breach. Please try again." appears after applying the patch. This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8445. |
Check the warning message after patch applied(All pages except login form problem mentioned above): Before applying patch (for all screens): This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8445. |
@hardiktailored I tested it again and it worked fine. I may be missing something... can you please explain the issue a little more? |
I have tested this item 🔴 unsuccessfully on 4b630b0 Before applying the patch login function has JSession::checkToken('post') or jexit(JText::_('JINVALID_TOKEN')); instead of JSession::validateToken('post'); This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8445. |
@AnishaTailored Thanks for explaining the issue in detail. I found that in my previous commit I had missed changing one occurrence of I've fixed it now, please test this again. |
I have tested this item ✅ successfully on 39a5a50 This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8445. |
@hardiktailored Can you test this again please. |
* | ||
* @return boolean True if found and valid, otherwise return false or redirect to referrer page. | ||
* | ||
* @since 3.6.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please use __DEPLOY_VERSION__
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. Done.
@@ -440,6 +440,6 @@ public function remind() | |||
public function resend() | |||
{ | |||
// Check for request forgeries | |||
JSession::checkToken('post') or jexit(JText::_('JINVALID_TOKEN')); | |||
// $this->checkToken('post'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
comment ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did that because I don't see any code in that function. I don't understand why that method is kept there.
I have tested this item ✅ successfully on b05765d This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/8445. I was missing some information about what exactly DOM is but my neighbor at the PBFNL was so kind to explain it to me. Thus resulting in a succesful test. |
I have tested this item ✅ successfully on b05765d This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/8445. |
I was resolving the conflict, then I saw the missing |
This is removed in 3.6.4 to avoid registations over the wrong way. 3.7.0-dev branch is not updated with this change as staging is now 3.7.-dev |
Won't it break b/c for components redirecting/submitting to that task for registration? |
Yes. But it was the decision of the JSST to remove that method as it is not used anymore and was never correctly implemented. |
…/staging into checktoken
@zero-24 Thanks for clarification. I have updated my branch to latest staging hence resolved the conflicts. |
Thanks everybody for making this to this point 👍 I think this should followed up by some documentation update. Please advise where can I do that. |
@izharaazmi can you do the same for all other token dies (where applies) so we have a consistent core? There a lot of
|
@andrepereiradasilva Sure, hope to see it this Monday! Btw, I'm having 152 occurrences. Please do let me know if you find more. |
This comment was marked as abuse.
This comment was marked as abuse.
@andrepereiradasilva I have made the required changes. Please test the other PR at your convenience. |
* The session token validation implementation currently gives an empty white screen with "Invalid token" text. This is total uninformative to a normal user. This update implicitly redirects to the previous page if the token is not valid. To prevent implicit redirect pass `false` as the second argument to `JSession::validateToken()` To make use of this method we need to replace any occurrence of `JSession::checkToken('post') or jexit(JText::_('JINVALID_TOKEN'));` with `JSession::validateToken('post');` Example is set up in com_users > login method. * Moved the checkToken method to JControllerLegacy as it is the more closer context to the usage. This allows implicit redirect to the REFERER page in case of token mismatch. In all other case it is same as calling JSession::checkToken() directly. Changes made in the frontend components to make this change test-able. Note: We intend to discourage the `die` usage everywhere which leads the the said uninformative white page. * Fix wrong function call * use automatic since tag macro Thanks @andrepereiradasilva
The session token validation implementation in various controller methods currently gives an empty white screen with "Invalid token" text. This is total uninformative to a normal user.
This update implicitly redirects to the previous page if the token is not valid. To prevent implicit redirect pass
false
as the second argument toJSession::validateToken()
$this->checkToken()
from theJControllerLegacy
controller instance.To make use of this method we need to replace any occurrence of
JSession::checkToken('post') or jexit(JText::_('JINVALID_TOKEN'));
withJSession::validateToken('post');
$this->checkToken();
Summary of Changes
JSession
class and put it in the closer context of its application viz.JControllerLegacy
.$this->checkToken()
and the redirection shall be handled implicitly. Implicit redirection is done to the referrer (calling) page always.$this->checkToken
like:or even directly call the current
JSession::checkToken
(without the die part) like:This will skip the implicit redirection and return false if the token does not match. Then the necessary
if - else
may be implemented as needed.Test Instruction
To see the effect the respective forms should be submitted after manipulating the token input in the form so as to trigger invalid token situation. This can usually be done by selecting in the browser "inspect element" (or similar) and modify the DOM.
If the token is valid (not manipulated or expired), everything should be working as usual without any difference.
The necessary changes are made in the front-end which should be tested:
com_users
component try to register a new user, login, logout, remind username, reset password, save user profile.com_contact
submit the contact form to send an email.com_content
submit a vote.EDIT June 26, 2016:
Added Summary of changes and Test Instructions based on the new changes.