Re: Security Advisory Update (XSRF issues)
- Subject: Re: Security Advisory Update (XSRF issues)
- From: Luke <..hidden..>
- Date: Thu, 28 Jan 2010 13:03:42 -0500 (EST)
On Thu, 28 Jan 2010, Chris Travers wrote:
> On Thu, Jan 28, 2010 at 9:34 AM, Pete Houston <..hidden..> wrote:
>
> > On Thu, Jan 28, 2010 at 09:08:57AM -0800, Chris Travers wrote:
> > > 3) When a session times out, the associated forms will be lost.
> >
> > That doesn't sound so good, I have to say. At present it is merely
> > annoying when one forgets to post a form (because it is rare and when
> > it happens it is the user's fault and I learn from my mistakes), but if
> > one were part-way through completing a form and for the system then not
> > to allow it to be posted and for that assembled data in the form to be
> > lost sounds a lot more disruptive to me because there's nothing the user
> > has done wrong.
>
> That isn't quite the plan.
>
> The sessions in 1.3 can be timed out safely at longer values (say one hour)
> and this times out form values and transaction locks for batch payments.
>
> If the form is submitted after that, it merely updates with a warning and
> you have to hit post again. However the data would remain the same. There
> is an issue with automation scripts but there are some solutions to that.
For the record, I understood your point 3 as saying what he understood it
to be saying.
So what will actually happen, is that the form will be submitted, the user
will be re-authenticated, and the form will be re-presented sans posting,
at which point it could be resubmitted?
Luke
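The behaviour Chris describes (a session-bound form token that times out, with a late submission re-presented with a warning rather than posted or lost) can be sketched as follows. This is an added illustration, not LedgerSMB's own code; the `Session`, `submit` and `form_token` names and the single-use token rule are assumptions.

```python
import secrets
import time

# Assumed design (not the project's code): each form carries a session-bound
# anti-XSRF token that expires with the session. A submission with an expired
# token is re-presented to the user with a warning and a fresh token, so the
# data they typed is kept; an unknown token is rejected outright.
SESSION_TTL = 3600  # seconds: "longer values (say one hour)" per the thread


class Session:
    def __init__(self, ttl=SESSION_TTL, now=time.time):
        self.now = now        # clock injected so the timeout can be simulated
        self.ttl = ttl
        self.tokens = {}      # token -> time it was issued

    def issue_form_token(self):
        tok = secrets.token_hex(16)
        self.tokens[tok] = self.now()
        return tok

    def token_state(self, tok):
        issued = self.tokens.get(tok)
        if issued is None:
            return "invalid"  # never issued to this session: treat as forged
        if self.now() - issued > self.ttl:
            return "expired"
        return "valid"


def submit(session, form):
    """Decide what the server does with a posted form.

    Returns {"action": "posted"} on success, {"action": "represent", "form": ...}
    with the user's data and a new token after a timeout, or {"action": "reject"}
    for a token this session never issued (or one already consumed)."""
    token = form.get("form_token", "")
    state = session.token_state(token)
    if state == "valid":
        session.tokens.pop(token)  # single use: a replayed token is rejected
        return {"action": "posted"}
    if state == "expired":
        data = {k: v for k, v in form.items() if k != "form_token"}
        data["form_token"] = session.issue_form_token()
        data["warning"] = "Session timed out; check the form and press Post again."
        return {"action": "represent", "form": data}
    return {"action": "reject"}
```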