Fixed Security error message when clicking alert tab

Spartan

Affected version: 2.0
I got this a couple times in the last few minutes. Reloading solves the problem, but I figured I'd let you know.

I'm using an iPad, with Safari.


 
Bump.

My users tell me this often happens on mobile devices, when they're moving on public transport, switching between 3G/public Wi-Fi constantly.

Couldn't reproduce it myself in my office, but still.

Never happened with xF 1.x.

Can I do something with it?
 
So this is an odd one, visit this thread https://xenforo.com/community/threads/user-sessions-external-site.136028/ and try to open "Alerts"


Refreshed to try again, same thing
 
I think this happened to me after I let Chrome reopen a tab that I had opened like an hour ago, so the page was loaded from the cache instead of from the server. Either way, the thing that comes to my mind is that the security token that is used to verify the AJAX call might simply have expired, because you were inactive for too long.
 
Sometimes I too get this error; refreshing the page does solve the issue.
This happens at my site and the xF site too.

Case: the page is open in the browser and you minimize it for some time for any reason.
When you come back and open the browser,
the page loads automatically from cache and updates the alert area too by connecting to the server.

When I see an alert on the cache-loaded page and I click on it, I get the security error.

I spend most of my time on an Android phone, and this is what I experienced with this issue.
 
The only time I see this is when I have browsed on my PC then use my phone or iPad but try to open the alerts menu without refreshing the page.
 
I've merged the second report into the original one.

Unfortunately, I haven't actually reproduced this, though I know Chris has managed to see it once or twice (though not on desktop).

The CSRF token system is different in XF2. It's not tied to your account any longer, but just a cookie. Provided you have a CSRF cookie, all subsequent pages/tabs should use that. So I'm not actually seeing why this would happen, unless cookies are getting manipulated. (Loading a page from cache without hitting the server in a new browser session could also do it I suppose, because presumably you wouldn't have a cookie then, though that should certainly be an edge case. Ideally, if a browser is loading from cache, it should really be maintaining session cookies as well.)
 
I got this error on an Android phone using the Chrome browser.

It happened after I had shut down the browser, and turned off the phone. When I turned the phone back on and opened Chrome the next day, there was an alert and I got the security error message when I clicked on it.

I'm thinking Cookies :)
 
I tried to reproduce the error on my iPhone running iOS 11.1

1. I kept the browser tab open (xenforo.com/community) and I kept my account logged in

2. I went to Settings > Safari > Advanced > Website Data

3. From there I deleted (xenforo.com) and I went back to my Safari browser where I left the community tab open.

4. Now click on the notification or inbox tab and VOILA, the security error window will appear.

The question is: do XenForo cookies have a time limit, so that if someone left the browser open and came back after some hours, they will see that error since the cookies have been deleted during the time limit?
 

I've tried to make some changes here such that if the CSRF cookie doesn't exist (when the page is loaded), we will try to get one. Let us know if you run into this with RC2 or after.

If this doesn't resolve the issue, then I'd have to guess that the cookie isn't actually being stored as expected though I can't see why that would really happen.
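
The failure mode discussed in this thread, as an added example that is not part of any post and is not XenForo's code: a page token that is valid only alongside a CSRF cookie is rejected once a cached page outlives that cookie, and a page-load check that fetches a fresh pair restores it. The HMAC derivation, the cookie name `csrf` and all function names are assumptions made for illustration.

```javascript
// Added illustration (not XenForo's code): CSRF token bound only to a cookie.
const crypto = require('node:crypto');

const SERVER_SECRET = 'constructed-demo-secret'; // constructed value for the demo

// Assumed scheme: the page token is an HMAC over the random key held in the cookie.
function tokenFor(cookieKey) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(cookieKey).digest('hex');
}

// Server: issue a fresh cookie key plus the page token derived from it.
function issueCsrf() {
  const cookieKey = crypto.randomBytes(16).toString('hex');
  return { cookieKey, token: tokenFor(cookieKey) };
}

// Server: accept an AJAX request only if the cookie exists and matches the token.
function verifyRequest(cookies, submittedToken) {
  if (!cookies.csrf || typeof submittedToken !== 'string') return false;
  const expected = Buffer.from(tokenFor(cookies.csrf));
  const got = Buffer.from(submittedToken);
  return expected.length === got.length && crypto.timingSafeEqual(expected, got);
}

// Client: on page load, if the cookie is missing, fetch a fresh cookie/token pair.
function ensureCsrf(client, fetchFresh) {
  if (client.cookies.csrf) return false; // cookie present, nothing to do
  const fresh = fetchFresh();
  client.cookies.csrf = fresh.cookieKey;
  client.pageToken = fresh.token;
  return true;
}

// Scenario from the thread: page restored from cache after the site cookies were wiped.
function replayCachedPage() {
  const first = issueCsrf();
  const client = { cookies: { csrf: first.cookieKey }, pageToken: first.token };
  const normal = verifyRequest(client.cookies, client.pageToken);    // true
  client.cookies = {};                                               // cookie lost, page kept
  const stale = verifyRequest(client.cookies, client.pageToken);     // false: security error
  const refreshed = ensureCsrf(client, issueCsrf);                   // true: new pair fetched
  const recovered = verifyRequest(client.cookies, client.pageToken); // true
  return { normal, stale, refreshed, recovered };
}

console.log(replayCachedPage());
```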
 