Message6040
Hi Ralf:
OK, you have pinpointed the problem in my CSRF code. It's probably
the commits I am doing when creating the nonce or deleting the nonce
after it is used in the templating frontend.
I thought those code paths were run and committed before the data was
processed from the web interface.
I wonder if the problem happens when I generate the new nonce
for the reply to the user. Maybe if a reject is raised, the database
session holds the rejected data and when I commit the nonce, I also
commit the rejected data?
Having a different session only for OTK/nonce db table updates
sounds like a good way to separate the two flows.
Alternatively if it is the commit for the creation of the new OTK,
maybe that creation and commit could be moved before any of the user
data is processed.
-- rouilj

Date                | User   | Action | Args
2017-10-20 23:44:07 | rouilj | set    | messageid: <1508543047.22.0.213398074469.issue2550955@psf.upfronthosting.co.za>
2017-10-20 23:44:07 | rouilj | set    | recipients: + rouilj, schlatterbeck
2017-10-20 23:44:07 | rouilj | link   | issue2550955 messages
2017-10-20 23:44:06 | rouilj | create |
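The failure mode described in the message above (a commit made for the reply nonce also committing the rejected form data, because both share one database transaction) and the second alternative it proposes (create and commit the new OTK before any user data is touched), as an added illustration written for this page. It is not Roundup's code: the Reject class, the otk and issue tables, the sqlite3 backend and the form dict are stand-ins, and the explicit rollback on Reject in the reordered flow is an addition not mentioned in the message. The first alternative in the message, a separate session for the OTK table, is not shown here because sqlite permits only one writer at a time, so a second connection committing the nonce while the first still holds the uncommitted rejected rows would get "database is locked"; it needs a backend with concurrent writers.

```python
"""Shared-transaction nonce commit leaking rejected form data, and the fix.

Added example for this issue page, not Roundup code. Everything below
(Reject, the otk/issue tables, the form dict) is a constructed stand-in.
"""
import os
import secrets
import sqlite3
import tempfile


class Reject(Exception):
    """Stand-in for the tracker's Reject exception (hypothetical)."""


def open_db(path):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS otk (key TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE IF NOT EXISTS issue (id INTEGER PRIMARY KEY, title TEXT)")
    db.commit()
    return db


def new_otk(db):
    """Create a fresh one-time key for the next form and commit it.

    The commit here is the one that, in the buggy flow, also commits
    whatever rows are pending on the same connection."""
    key = secrets.token_hex(16)
    db.execute("INSERT INTO otk (key) VALUES (?)", (key,))
    db.commit()
    return key


def consume_otk(db, token):
    """Delete the submitted token; a missing or reused token is rejected."""
    cur = db.execute("DELETE FROM otk WHERE key = ?", (token,))
    db.commit()
    if cur.rowcount != 1:
        raise Reject("bad or reused CSRF token")


def store_issue(db, form):
    """Write the submitted issue, then run an auditor that may reject it.

    Mirrors a detector raising Reject after the row is already pending."""
    db.execute("INSERT INTO issue (title) VALUES (?)", (form.get("title", ""),))
    if not form.get("title", "").strip():
        raise Reject("title is required")


def process_form_buggy(db, token, form):
    """Nonce for the reply is created after the user data was processed."""
    consume_otk(db, token)
    try:
        store_issue(db, form)
    except Reject as e:
        # The rejected INSERT is still pending on this connection;
        # new_otk's commit persists it along with the nonce.
        return ("error", str(e), new_otk(db))
    db.commit()
    return ("ok", None, new_otk(db))


def process_form_fixed(db, token, form):
    """Reply nonce is created and committed before any user data is touched."""
    consume_otk(db, token)
    reply_key = new_otk(db)  # nothing of the user's is pending yet
    try:
        store_issue(db, form)
    except Reject as e:
        db.rollback()  # added safeguard: discard the rejected rows explicitly
        return ("error", str(e), reply_key)
    db.commit()
    return ("ok", None, reply_key)


def run_scenario(flow, form):
    """Run one form submission with a fresh database.

    Returns (status, issue_rows, otk_rows) so the leak is observable."""
    with tempfile.TemporaryDirectory() as tmp:
        db = open_db(os.path.join(tmp, "tracker.db"))
        token = new_otk(db)  # the key embedded in the form the user got
        status, _err, _reply = flow(db, token, form)
        issues = db.execute("SELECT COUNT(*) FROM issue").fetchone()[0]
        otks = db.execute("SELECT COUNT(*) FROM otk").fetchone()[0]
        db.close()
        return status, issues, otks


if __name__ == "__main__":
    bad_form = {"title": "   "}  # constructed input that the auditor rejects
    print("buggy:", run_scenario(process_form_buggy, bad_form))
    print("fixed:", run_scenario(process_form_fixed, bad_form))
```

With the rejected form, the buggy flow reports an error yet leaves one issue row behind; the reordered flow reports the same error with zero rows, and in both cases exactly one OTK (the reply key) remains for the next submission.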