Re: Security Advisory Update (XSRF issues)
On Thu, Jan 28, 2010 at 9:34 AM, Pete Houston <..hidden..> wrote:
> On Thu, Jan 28, 2010 at 09:08:57AM -0800, Chris Travers wrote:
> > 3)  When a session times out, the associated forms will be lost.
>
> That doesn't sound so good, I have to say. At present it is merely
> annoying when one forgets to post a form (because it is rare and when
> it happens it is the user's fault and I learn from my mistakes), but if
> one were part-way through completing a form and for the system then not
> to allow it to be posted and for that assembled data in the form to be
> lost sounds a lot more disruptive to me because there's nothing the user
> has done wrong.
>
> Or have I misunderstood?

That isn't quite the plan.

The sessions in 1.3 can be timed out safely at longer values (say one hour) and this times out form values and transaction locks for batch payments.

If the form is submitted after that, it merely updates with a warning and you have to hit post again.  However the data would remain the same.  There is an issue with automation scripts but there are some solutions to that.

There are a couple of multi-user issues which can cause someone to have to abandon lost work in these cases, but those are handled safely by the application.

Best Wishes,
Chris Travers
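The behaviour Chris describes (a form token bound to the session, a post after timeout being re-rendered with a warning and a fresh token rather than discarded, and the same data then posting on the second attempt) can be sketched as a small state machine. The code below is an added illustration written for this archive page; it is not LedgerSMB code and does not reproduce the 1.3 implementation. The class name `FormSession`, the one-hour TTL, the dictionary-backed stores and the `status` strings are all assumptions made for the demo.

```python
import secrets

SESSION_TTL = 3600  # one hour, the value mentioned in the thread (assumed for the demo)


class FormSession:
    """Toy session + per-form anti-XSRF token store (constructed for this example)."""

    def __init__(self, ttl=SESSION_TTL):
        self.ttl = ttl
        self.sessions = {}  # session_id -> expiry timestamp
        self.tokens = {}    # form token -> (session_id, expiry timestamp)
        self.posted = []    # stand-in for the database: forms that really posted

    def open_session(self, now):
        """Create a session that expires ttl seconds after `now`."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = now + self.ttl
        return sid

    def issue_form_token(self, sid, now):
        """Hand out a single-use token bound to `sid`; it inherits the session expiry."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        tok = secrets.token_hex(16)
        self.tokens[tok] = (sid, self.sessions[sid])
        return tok

    def submit(self, sid, tok, form_data, now):
        """Handle a form post.

        Returns (status, form_data, new_token):
          "rejected": token unknown, already used, or bound to another session
                      (nothing is posted and nothing is echoed back);
          "warning":  session/token timed out; the data is returned unchanged with
                      a fresh token so the user only has to hit post again;
          "posted":   token valid, data committed.
        """
        entry = self.tokens.pop(tok, None)  # pop: every token is single-use
        if entry is None or entry[0] != sid:
            return ("rejected", None, None)
        _, expiry = entry
        if now >= expiry:
            # Timed out: do not post, renew the session (assume the user has
            # re-authenticated via the normal login path) and re-render the
            # same data with a new token.
            self.sessions[sid] = now + self.ttl
            return ("warning", dict(form_data), self.issue_form_token(sid, now))
        self.posted.append(dict(form_data))
        return ("posted", dict(form_data), None)


def walkthrough():
    """Replay the scenario from the thread; returns the list of statuses seen."""
    store = FormSession()
    sid = store.open_session(now=0)
    tok = store.issue_form_token(sid, now=0)
    form = {"batch": "payments-2010-01", "amount": "10.00"}  # constructed sample

    # User fills in the form, walks away, and posts after the session expired.
    s1, data1, tok2 = store.submit(sid, tok, form, now=4000)
    # Second post with the re-issued token and the unchanged data succeeds.
    s2, _, _ = store.submit(sid, tok2, data1, now=4001)
    # The used token cannot be posted a second time.
    s3, _, _ = store.submit(sid, tok2, data1, now=4002)
    return [s1, s2, s3]


if __name__ == "__main__":
    print(walkthrough())  # ['warning', 'posted', 'rejected']
```

Two points worth noticing: the token is popped on every submission, so a replayed or duplicated post is refused even when the session is still alive, and the timed-out branch never touches `posted`, which is what keeps "the data would remain the same" true without the transaction being applied twice.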