Future fix POST data lost when session expires

Kirby

Affected version
2.0 DP10
Steps to reproduce
  • Log in but uncheck Stay logged in
  • Start a new thread and enter all necessary data (title, message, etc.)
  • Simulate an expired session by deleting cookie xf_session
  • Submit the form
Expected Result
A login dialog appears; after submitting the login form, the thread gets posted and a redirect to the newly posted thread is performed (this is how XF 1.5 works)

Actual Result
A login dialog appears; after submitting the login form, an empty create new thread form is displayed
 
While you're right this is a little different, there's an unfair step here:
Simulate an expired session by deleting cookie xf_session
This is unlikely to happen due to our keep alive system. Ignoring things like the manual manipulation of the session table (or sessions being wiped from a cache), because of changes here, this is unlikely to happen in comparison to some situations that could trigger it in XF1. There are some things that could theoretically trigger it, but they won't really happen often.

While I will leave this open for now, this is likely more in the enhancement territory than something we'd consider a bug at this point.
 
I strongly disagree that keep alive is enough to prevent such issues. We've seen cookies disappearing to nowhere and JavaScript suddenly stopping working for no apparent reason for years on vBulletin; we even added keep-alive calls, and they didn't help much.

Being able to submit a post, which might have taken several minutes to write, even if cookies and JavaScript fail is absolutely crucial and I consider this a showstopper for us to use XF 2.

Forums are not used as much as they were a couple of years ago, and we need to take every possible measure to keep those users who are still using forums as happy as possible, and this especially means that the system must "never" lose their content.
 
I just reproduced this issue without any "tricks":
While being connected to my WLAN on my smartphone I logged in with Stay logged in unchecked.
I started to write a new thread while walking out of the door. As soon as the connection switched from WLAN to 3G, I hit submit and got the login dialog with an empty new thread form afterwards, causing all my carefully crafted lorem ipsum text to get lost.

Why did this happen?
Because, by default, you are using a 24-bit CIDR check to validate the session:
My landline is Vodafone but my smartphone is using T-Mobile, so those are completely different networks.

Now please tell me that this is such an uncommon case that it's not worth fixing ;)
 
Something analogous to this can happen without even switching networks.

When I used tethering as my only internet connection, and I was on o2, my IP address would randomly change in a request. My signal hadn't gone, my IP just changed.

Granted, this is a bit unusual (and it broke a lot of things - WHMCS was bloody annoying to use), it isn't impossible.

Liam
 
Can confirm the issue when 'Stay logged in' is not active and you switch from wifi to cellular networks. We don't currently have code to handle this situation, so it's not exactly a bug but rather something that we haven't fully handled yet.
 
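The behaviour discussed in this thread, as an added sketch that is not XenForo code: a session bound to the /24 of its login address rejects a request after a WLAN-to-cellular switch, and the submitted form is stashed under a one-time token so it survives the re-login. The `Sessions` class, the function names, the IPv6 /64 prefix and the sample addresses are assumptions.

```python
import ipaddress
import secrets

def same_network(bound_ip, request_ip, v4_prefix=24, v6_prefix=64):
    """True if request_ip is inside the prefix the session was bound to."""
    bound = ipaddress.ip_address(bound_ip)
    current = ipaddress.ip_address(request_ip)
    if bound.version != current.version:
        return False
    prefix = v4_prefix if bound.version == 4 else v6_prefix  # /64 is an assumption
    return current in ipaddress.ip_network(f"{bound}/{prefix}", strict=False)

class Sessions:
    """Hypothetical session store; not XenForo code."""
    def __init__(self):
        self.sessions = {}  # session id -> (user, IP seen at login)
        self.pending = {}   # one-time resume token -> (previous user or None, form)

    def login(self, user, ip):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (user, ip)
        return sid

    def submit(self, sid, ip, form):
        """Return ("posted", form) or ("login_required", resume_token)."""
        user, bound_ip = self.sessions.get(sid, (None, None))
        if user is not None and same_network(bound_ip, ip):
            return "posted", form
        # Cookie gone or IP outside the bound prefix: end the session,
        # but keep the submitted form server-side instead of dropping it.
        self.sessions.pop(sid, None)
        token = secrets.token_urlsafe(16)
        self.pending[token] = (user, form)
        return "login_required", token

    def resume(self, token, user):
        """After re-login, hand the form back once, and only to the same user."""
        if token not in self.pending:
            return None
        owner, form = self.pending.pop(token)
        if owner is not None and owner != user:
            return None
        return form

if __name__ == "__main__":
    s = Sessions()
    sid = s.login("kirby", "192.0.2.10")                       # constructed WLAN address
    print(s.submit(sid, "198.51.100.23", {"title": "lorem"}))  # constructed cellular address
```

Replaying the stashed form after re-login should go through the same CSRF and permission checks as a fresh submission.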