Roundup Tracker - Issues


Author rouilj
Recipients rouilj, schlatterbeck
Date 2017-10-20.23:44:06
Message-id <>
Hi Ralf:

Ok, you have pinpointed the problem in my CSRF code. It's probably
the commits I am doing when creating the nonce or deleting the nonce
after it is used in the templating frontend.
I thought those code paths were run and committed before the data was 
processed from the web interface.

I wonder if the problem happens when I generate the new nonce
for the reply to the user. Maybe if a reject is raised, the database
session holds the rejected data and when I commit the nonce, I also
commit the rejected data?

Having a different session only for OTK/nonce db table updates
sounds like a good way to separate the two flows.

Alternatively if it is the commit for the creation of the new OTK,
maybe that creation and commit could be moved before any of the user 
data is processed.

-- rouilj
Date                 User    Action  Args
2017-10-20 23:44:07  rouilj  set     messageid: <>
2017-10-20 23:44:07  rouilj  set     recipients: + rouilj, schlatterbeck
2017-10-20 23:44:07  rouilj  link    issue2550955 messages
2017-10-20 23:44:06  rouilj  create
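The failure mode rouilj suspects above, as an added illustration that is not Roundup's code: a form handler that has already written the submitted data to the database session, raises a reject, and then generates and commits a nonce for the reply on that same session. The commit flushes the rejected row along with the nonce. The second handler follows the message's alternative of creating and committing the OTK before any user data touches the session, and rolls the session back on reject. The `issue` and `otks` tables, the `process_form` handler, the `Reject` class and the nonce values are all constructed for this example; sqlite3 stands in for whichever backend Roundup is configured with.

```python
"""Added illustration (not Roundup code): committing a CSRF nonce (OTK) on
the same database session as a rejected form submission can persist the
rejected data; committing the OTK first, and rolling back on reject, avoids it."""
import sqlite3


class Reject(Exception):
    """Stands in for the Reject a form handler raises on bad input."""


def fresh_db():
    # Constructed schema: an 'issue' table for user data and an 'otks'
    # table for one-time keys, modelled on the two kinds of data the
    # message talks about (the real Roundup schema differs).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE issue (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE otks (otk TEXT PRIMARY KEY, expires INTEGER)")
    conn.commit()
    return conn


def process_form(conn, title):
    """Hypothetical handler: writes the submitted data into the session,
    then validates it, so a reject leaves an uncommitted row pending."""
    conn.execute("INSERT INTO issue (title) VALUES (?)", (title,))
    if not title.strip():
        raise Reject("title must not be empty")


def handle_shared_session(conn, title, nonce):
    """The suspected bug: the reject is caught, the session is not rolled
    back, and the nonce for the reply is committed on the same session."""
    try:
        process_form(conn, title)
        conn.commit()
    except Reject:
        pass  # no rollback: the rejected INSERT stays pending in the session
    conn.execute("INSERT INTO otks VALUES (?, ?)", (nonce, 0))
    conn.commit()  # flushes the pending rejected row together with the nonce


def handle_nonce_first(conn, title, nonce):
    """Ordering modelled on the message's suggestion: create and commit the
    reply nonce before any user data is processed, and roll the session
    back on reject so nothing pending survives."""
    conn.execute("INSERT INTO otks VALUES (?, ?)", (nonce, 0))
    conn.commit()  # only the nonce is pending at this point
    try:
        process_form(conn, title)
        conn.commit()
    except Reject:
        conn.rollback()  # discards the rejected row; the nonce is already safe


def state(conn):
    """Returns (number of issue rows, number of otk rows)."""
    issues = conn.execute("SELECT COUNT(*) FROM issue").fetchone()[0]
    otks = conn.execute("SELECT COUNT(*) FROM otks").fetchone()[0]
    return issues, otks


def demo():
    # Constructed input: a blank title that the handler rejects.
    buggy = fresh_db()
    handle_shared_session(buggy, "   ", "nonce-1")
    fixed = fresh_db()
    handle_nonce_first(fixed, "   ", "nonce-2")
    return state(buggy), state(fixed)


if __name__ == "__main__":
    print(demo())  # ((1, 1), (0, 1))
```

The buggy handler ends with one issue row, the rejected submission, alongside the nonce; the reordered handler keeps the nonce and nothing else. The other option in the message, a separate session used only for OTK table updates, gives the same result for the same reason: the OTK commit then cannot flush anything pending on the form-data session. Note that sqlite allows a single writer, so a second connection on the same file would block while the form session holds its pending write; that variant is better demonstrated against a backend with per-connection transactions.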