
Re: Security Advisory Update (XSRF issues)



On Thu, 28 Jan 2010, Chris Travers wrote:

> On Thu, Jan 28, 2010 at 9:34 AM, Pete Houston <..hidden..> wrote:
> 
> > On Thu, Jan 28, 2010 at 09:08:57AM -0800, Chris Travers wrote:
> > > 3)  When a session times out, the associated forms will be lost.
> >
> > That doesn't sound so good, I have to say. At present it is merely
> > annoying when one forgets to post a form (because it is rare and when
> > it happens it is the user's fault and I learn from my mistakes), but if
> > one were part-way through completing a form and for the system then not
> > to allow it to be posted and for that assembled data in the form to be
> > lost sounds a lot more disruptive to me because there's nothing the user
> > has done wrong.
> 
> That isn't quite the plan.
> 
> The sessions in 1.3 can be timed out safely at longer values (say one hour)
> and this times out form values and transaction locks for batch payments.
> 
> If the form is submitted after that, it merely updates with a warning and
> you have to hit post again.  However the data would remain the same.  There
> is an issue with automation scripts but there are some solutions to that.

For the record, I understood your point 3 as saying what he understood it 
to be saying.

So what will actually happen is that the form will be submitted, the user 
will be re-authenticated, and the form will be re-presented sans posting, 
at which point it could be resubmitted?

Luke
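
An added illustration of the flow discussed above (example code, not LedgerSMB's own and not from the thread): a small Python model of form tokens bound to a login session with a timeout. A submission with a live session and matching token is posted; one with a wrong token is rejected as a likely cross-site request; one arriving after the session has timed out is not posted but, once the user re-authenticates, is handed back with its data intact plus a warning so the user must hit post again. The one-hour timeout, the in-memory stores and every function name are assumptions made for this example.

```python
"""Added example (not LedgerSMB code): session-bound form tokens with timeout.

A form carries a token tied to the login session. If the session has timed out
by the time the form is submitted, the request is NOT posted: the user is
re-authenticated, given a fresh session and token, and the form is re-presented
with its data intact plus a warning, so they must hit post again. A submission
whose token does not match the live session (a forged cross-site request) is
rejected outright. The timeout value, stores and names are assumptions.
"""
import secrets
import time

SESSION_TIMEOUT = 3600  # assumed: one hour, as floated in the thread

# assumed in-memory store: session_id -> {"user", "expires", "form_token"}
sessions = {}


def login(user, now=None):
    """Create a session (and its form token) after the user authenticates.
    Credential checking is out of scope here; we assume it succeeded."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"user": user, "expires": now + SESSION_TIMEOUT,
                     "form_token": secrets.token_urlsafe(16)}
    return sid


def session_alive(sid, now=None):
    """True while the session exists and has not timed out."""
    now = time.time() if now is None else now
    s = sessions.get(sid)
    return s is not None and now < s["expires"]


def render_form(sid, data, warning=None):
    """What the server hands back: the form data plus the token the next
    submit must carry. The data is returned, not posted."""
    return {"action": "form", "data": dict(data),
            "form_token": sessions[sid]["form_token"], "warning": warning}


def submit(sid, form_token, data, reauth_user=None, now=None):
    """Handle a POST of a form.

    - live session + matching token: post the transaction, rotate the token.
    - live session + wrong/missing token: reject (looks like XSRF or a replay).
    - expired session: if credentials were presented, start a fresh session and
      re-present the data with a warning instead of posting; else ask to log in
      (the data is still returned so nothing typed is lost).
    """
    now = time.time() if now is None else now
    if session_alive(sid, now):
        expected = sessions[sid]["form_token"]
        if form_token is None or not secrets.compare_digest(form_token, expected):
            return {"action": "reject",
                    "reason": "form token does not match session"}
        # rotate the token so the same form cannot be posted twice by replay
        sessions[sid]["form_token"] = secrets.token_urlsafe(16)
        return {"action": "posted", "data": dict(data), "session": sid}

    # session timed out (or never existed): the form is not lost, but not posted
    sessions.pop(sid, None)
    if reauth_user is None:
        return {"action": "login_required", "data": dict(data)}
    new_sid = login(reauth_user, now)
    return {"session": new_sid,
            **render_form(new_sid, data,
                          warning="Session expired; re-authenticated. "
                                  "Review the form and post again.")}
```

The token is checked with a constant-time comparison and rotated after every successful post, so a stale form (or a copy of it planted on another site) cannot be posted against a later session; the data survives the timeout only because the server hands it back to the same user after re-authentication, never by posting it on their behalf.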