Modify ↓
Opened 9 years ago
Last modified 9 years ago
#12345 new defect
Conflicting form cookies on simultaneous first requests with same browser
| Reported by: | pano | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | general | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
Steps to reproduce:
- Open a new browser session.
- For example a new private Firefox window or incognito Chrome window.
- Open two tabs with a Trac form at the same time.
- For example put http://trac.edgewall.org/demo-1.1/prefs in a bookmark toolbar and quickly open it twice with Ctrl+Click before the first tab is loaded.
- More realistic example: Put all your favorite Trac pages that you need every day in a bookmark folder and Open All in Tabs.
- Submit both forms.
Expected behavior: Both form submissions succeed.
Observed behavior: One of the form submissions will fail with the error message Missing or invalid form token. Do you have cookies enabled?.
Maybe this sounds like a duplicate of many other tickets, but I have not seen this exact problem. As far as I understand, this is not a misconfiguration or a browser bug, but an inherent limitation of the cookie / form parameter mechanism:
- When opening a new browser session the secure cookie
trac_form_tokenis not yet known. - Opening multiple Trac tabs simultaneously without this cookie, the server generates new tokens for each request.
- The browser receives these tokens, but only keeps the cookie from one of those responses!
- The tokens embedded in the HTML of the other responses do not match that cookie value.
Attachments (0)
Note:
See TracTickets
for help on using tickets.
Perhaps instead of the error we could regenerate the exact same page from before the submission but with an updated form token, and a notice saying "please resubmit". Not sure if it's easily doable in a robust and systematic way.