IE7 Missing or invalid form token. Do you have cookies enabled?

[anonymous]

I am getting the following error while trying to submit settings on IE7

Missing or invalid form token. Do you have cookies enabled?

Works ok in firefox.

[jl]

Works also for me in IE6 (and Firefox) before. I use mod_sspi for authentication. May be this is the problem?

[jl]

Here my part of my Apache configuration

# Trac Testproject 
<LocationMatch "/trac/testproject/login"> 
  AuthType SSPI
  AuthName "Trac - TestProject"
  SSPIAuth On
  SSPIBasicPreferred On
  SSPIAuthoritative On
  SSPIDomain <domaincontroller>
  SSPIOfferBasic On 
  SSPIOmitDomain On
  SSPIUsernameCase upper
  Require user SCM_ADMIN
  Require group DEVEL-NET\Extern VMT\Domänen-Benutzer
#  Require valid-user
</LocationMatch>

[jl]

The problem is coming from mod_auth_sspi 1.0.4. When I switch back to basic auth it works with all browsers. -there should be a problem with the POST sending. How or who can solve the problem?

[Emmanuel Blot]

Probable duplicate of #2826 / #2696 / #1168.

Error message has changed due to the implementation changes, but the root cause is probably the same: IE + SSPI.

[anonymous]

Replying to eblot:

Probable duplicate of #2826 / #2696 / #1168.

Error message has changed due to the implementation changes, but the root cause is probably the same: IE + SSPI.

Then why does it work with IE6? The problem is only with IE7. I have SSPIBasicPreferred On and that works ok in IE6. So I am still not hearing how to fix this issue or work around it. Any information would be very helpful, thanks.

[karmadude@…]

I think I have narrowed this issue down. It might be a case sensitivity issue with the username.

Example:

Domain: TESTDOMAIN username: johndoe username in database: testdomain\johndoe

in trac.ini I have ignore_auth_case = true

In the first test case I logged in as johndoe, and everything worked fine. The username displayed after login is testdomain\johndoe

In the second test case I logged in as TESTDOMAIN\johndoe, and this time I started getting the error when posting.

This is not an SSPI issue, there is some inherent username case sensitivity issue with the trac code. The reason this is showing up in IE7 is because IE7 by default will log you in automatically using your domain informaion. This domain information might be Uppercase or lowercase.

I feel trac should not be case sensitive when it comes to the same username. There needs to be a system wide check for this.

A similar bug exits in auth.py _do_Login

[Emmanuel Blot]

Replying to karmadude@gmail.com:

I think I have narrowed this issue down. It might be a case sensitivity issue with the username.

So this ticket should be closed as a dup of your ticket #4561, shouldn't it ?

See also #2310.

[Emmanuel Blot]

Replying to karmadude@gmail.com:

I feel trac should not be case sensitive when it comes to the same username. There needs to be a system wide check for this.

​RFC 2617, which deals with HTTP authentication, states that Userids might be case sensitive. (section 2)

Therefore, I do not think Trac should always be case-insensitive, especially if it is about creating just-another-Windows-workaround ;-)

It does not prevent from adding an option for such environment, but this should not be a hard-coded "feature".

[anonymous]

Replying to eblot:

Replying to karmadude@gmail.com:

I think I have narrowed this issue down. It might be a case sensitivity issue with the username.

So this ticket should be closed as a dup of your ticket #4561, shouldn't it ?

See also #2310.

Seems to be caused by the same problem, I will let you guys figure it out, unless you want to decide on my hunch!

I had a look at #2310, looks too hacked up, I rather have a elegant solution from you.

[anonymous]

Replying to eblot:

Replying to karmadude@gmail.com:

I feel trac should not be case sensitive when it comes to the same username. There needs to be a system wide check for this.

​RFC 2617, which deals with HTTP authentication, states that Userids might be case sensitive. (section 2)

Therefore, I do not think Trac should always be case-insensitive, especially if it is about creating just-another-Windows-workaround ;-)

It does not prevent from adding an option for such environment, but this should not be a hard-coded "feature".

That looks like a spec from 1999, pretty ancient from my perspective. Have you ever tried logging into like yahoo or gmail? The usernames are always case in-sensitive, while passwords are case sensitive.

It makes total sense for the password to be case-sensitive as it's state does not go beyond authentication. On the other hand, the username has more usage beyond authentication. So the spec does not take into consideration the usability of a username and the problems a case sensitive username causes. For a smart program, john doe, JOHN DOE, John Doe, is all the same user. That's the point I am trying to make, and trac should have the logic in place to make that distinction. It can still be case sensitive.