Opened 17 years ago
Last modified 7 years ago
#4560 new defect
IE7 Missing or invalid form token. Do you have cookies enabled? — at Version 16
Reported by: | anonymous | Owned by: | Jonas Borgström |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | general | Version: | 0.10.3 |
Severity: | major | Keywords: | iexplorer underscore sspi |
Cc: | karmadude@…, gt4329b@…, ewalstad@…, dfriberg23@… | Branch: | |
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description (last modified by )
I am getting the following error while trying to submit settings on IE7
Missing or invalid form token. Do you have cookies enabled?
Works ok in firefox.
Change History (16)
comment:1 by , 17 years ago
Milestone: | 0.10.4 |
---|---|
Severity: | blocker → critical |
comment:2 by , 17 years ago
comment:3 by , 17 years ago
Milestone: | → 0.10.4 |
---|
Here my part of my Apache configuration
# Trac Testproject <LocationMatch "/trac/testproject/login"> AuthType SSPI AuthName "Trac - TestProject" SSPIAuth On SSPIBasicPreferred On SSPIAuthoritative On SSPIDomain <domaincontroller> SSPIOfferBasic On SSPIOmitDomain On SSPIUsernameCase upper Require user SCM_ADMIN Require group DEVEL-NET\Extern VMT\Domänen-Benutzer # Require valid-user </LocationMatch>
comment:4 by , 17 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
The problem is coming from mod_auth_sspi 1.0.4. When I switch back to basic auth it works with all browsers. -there should be a problem with the POST sending. How or who can solve the problem?
comment:5 by , 17 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
comment:6 by , 17 years ago
Milestone: | 0.10.4 |
---|---|
Resolution: | → wontfix |
Status: | reopened → closed |
follow-up: 8 comment:7 by , 17 years ago
follow-up: 9 comment:8 by , 17 years ago
Milestone: | → 0.10.4 |
---|---|
Resolution: | wontfix |
Status: | closed → reopened |
Replying to eblot:
Probable duplicate of #2826 / #2696 / #1168.
Error message has changed due to the implementation changes, but the root cause is probably the same: IE + SSPI.
Then why does it work with IE6? The problem is only with IE7. I have SSPIBasicPreferred On and that works ok in IE6. So I am still not hearing how to fix this issue or work around it. Any information would be very helpful, thanks.
comment:9 by , 17 years ago
Milestone: | 0.10.4 |
---|
follow-ups: 11 12 comment:10 by , 17 years ago
Milestone: | → 0.11 |
---|
I think I have narrowed this issue down. It might be a case sensitivity issue with the username.
Example:
Domain: TESTDOMAIN username: johndoe username in database: testdomain\johndoe
in trac.ini I have ignore_auth_case = true
In the first test case I logged in as johndoe, and everything worked fine. The username displayed after login is testdomain\johndoe
In the second test case I logged in as TESTDOMAIN\johndoe, and this time I started getting the error when posting.
This is not an SSPI issue, there is some inherent username case sensitivity issue with the trac code. The reason this is showing up in IE7 is because IE7 by default will log you in automatically using your domain informaion. This domain information might be Uppercase or lowercase.
I feel trac should not be case sensitive when it comes to the same username. There needs to be a system wide check for this.
A similar bug exits in auth.py _do_Login
follow-up: 13 comment:11 by , 17 years ago
Replying to karmadude@gmail.com:
I think I have narrowed this issue down. It might be a case sensitivity issue with the username.
So this ticket should be closed as a dup of your ticket #4561, shouldn't it ?
See also #2310.
follow-up: 14 comment:12 by , 17 years ago
Replying to karmadude@gmail.com:
I feel trac should not be case sensitive when it comes to the same username. There needs to be a system wide check for this.
RFC 2617, which deals with HTTP authentication, states that Userids might be case sensitive. (section 2)
Therefore, I do not think Trac should always be case-insensitive, especially if it is about creating just-another-Windows-workaround ;-)
It does not prevent from adding an option for such environment, but this should not be a hard-coded "feature".
comment:13 by , 17 years ago
Replying to eblot:
Replying to karmadude@gmail.com:
I think I have narrowed this issue down. It might be a case sensitivity issue with the username.
So this ticket should be closed as a dup of your ticket #4561, shouldn't it ?
See also #2310.
Seems to be caused by the same problem, I will let you guys figure it out, unless you want to decide on my hunch!
I had a look at #2310, looks too hacked up, I rather have a elegant solution from you.
comment:14 by , 17 years ago
Replying to eblot:
Replying to karmadude@gmail.com:
I feel trac should not be case sensitive when it comes to the same username. There needs to be a system wide check for this.
RFC 2617, which deals with HTTP authentication, states that Userids might be case sensitive. (section 2)
Therefore, I do not think Trac should always be case-insensitive, especially if it is about creating just-another-Windows-workaround ;-)
It does not prevent from adding an option for such environment, but this should not be a hard-coded "feature".
That looks like a spec from 1999, pretty ancient from my perspective. Have you ever tried logging into like yahoo or gmail? The usernames are always case in-sensitive, while passwords are case sensitive.
It makes total sense for the password to be case-sensitive as it's state does not go beyond authentication. On the other hand, the username has more usage beyond authentication. So the spec does not take into consideration the usability of a username and the problems a case sensitive username causes. For a smart program, john doe, JOHN DOE, John Doe, is all the same user. That's the point I am trying to make, and trac should have the logic in place to make that distinction. It can still be case sensitive.
comment:15 by , 17 years ago
Keywords: | iexplorer7 added; IE7 removed |
---|
comment:16 by , 17 years ago
Description: | modified (diff) |
---|---|
Milestone: | 0.11 → 0.10.4 |
Priority: | highest → high |
Severity: | critical → major |
Works also for me in IE6 (and Firefox) before. I use mod_sspi for authentication. May be this is the problem?