Edgewall Software
Modify

Opened 17 years ago

Closed 14 years ago

Last modified 4 years ago

#5637 closed defect (fixed)

"Missing or invalid form token"

Reported by: Dave Abrahams <dave@…> Owned by: Jonas Borgström
Priority: normal Milestone: 0.11.1
Component: ticket system Version: 0.11-stable
Severity: major Keywords:
Cc: daniel@… Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Whenever I try to accept a ticket, I get "Missing or invalid form token. Do you have cookies enabled?"

I do have cookies enabled.

Some hacked in tracing reveals that req.args.get('__FORM_TOKEN') is None and in fact req.args contains only {'id': u'83'} (83 is the ticket number)

Attachments (0)

Change History (31)

comment:1 by Emmanuel Blot, 17 years ago

Severity: blockermajor

Which browser are you using?

Did you check the DB for similar issues?

comment:2 by Dave Abrahams <dave@…>, 17 years ago

Firefox 2.0, and no, sorry, I didn't check. I assumed it was a new thing. Looking around, there are several similar: #4560, #4084, #4979 are the open ones.

comment:3 by Dave Abrahams <dave@…>, 17 years ago

Interestingly, I just got the same message when trying to submit this ticket. I thought it was an 0.11-specific issue, but I guess not.

comment:4 by Dave Abrahams <dave@…>, 17 years ago

Cc: daniel@… added
Resolution: invalid
Status: newclosed

This is actually a different problem entirely. trachacks:TracForgePlugin is eating up all my POST data. We plan to submit a separate ticket with a patch to Trac that makes this less likely to be a problem. The fix to Tracforge is more complicated, we think.

comment:5 by Emmanuel Blot, 16 years ago

Resolution: invalid
Status: closedreopened

Ok, I thought it was an authentication issue with Safari, but even without authenticating on t.e.o. I bumped into this issue without even being authenticated (I got used to get it: about once out of 3 or 4 tries when I add a comment on t.e.o.)

There's definitely something wrong with cookie management.

I'm not sure how to reproduce this error, but it bites me too many times a week on t.e.o.
A typical way to trigger the error on t.e.o. (but not 100% reproducible):

  1. to browse t.e.o. not being logged,
  2. type some comments into a ticket
  3. log in (I always forget to log in…)
  4. re-type the comments
  5. submit or preview

This is likely to trigger the error with the latest (3.1.1 and previous) releases of Safari on Mac.

Once the first error occurrence is circumvented and as long as Safari runs, the error does not seem to appear anymore.

comment:6 by anonymous, 16 years ago

Version: devel0.11-stable

comment:7 by Dave Abrahams <dave@…>, 16 years ago

FWIW, this problem is not Safari-specific; I was using FireFox all the times when I saw it.

comment:8 by Christian Boos, 16 years ago

check

comment:9 by Christian Boos, 16 years ago

Steps to reproduce:

  • edit a ticket as anonymous, preview to comment, keep the tab opened
  • in another tab, log in that Trac
  • back to the first tab, Submit

The above procedure worked when using FF3 (the above "check") comment:8, but produced a Missing or invalid form token error when using Safari 3.1.2.

comment:10 by Christian Boos, 16 years ago

check (FF 2.0.0.14)

comment:11 by Christian Boos, 16 years ago

check (opera 9.51)

comment:12 by Christian Boos, 16 years ago

Same issue with Opera 9.27, and ie7. It apparently didn't happen with FF 2 and Opera 9.51 (comment:10 and comment:11).

comment:13 by Christian Boos, 16 years ago

Milestone: 0.11.1

Though it appears to be browser specific, there's maybe something that can be done about this (no idea what at this point).

I'm tentatively scheduling this for 0.11.1 so it doesn't get lost.

comment:14 by Christian Boos, 16 years ago

check again (safari 3.1.2)

comment:15 by Christian Boos, 16 years ago

Ok, did some further testing, it's not browser specific it seems. The steps described in comment:8 work in safari if we start with the anonymous status obtained after a logout (i.e. we were previously logged in). And that's the situation I had when I tried with FF 3.0. If instead of simply logging out before repeating the steps, I actually exit the program and start fresh, then I also have the issue with Firefox.

comment:16 by Jonas Borgström, 16 years ago

Resolution: fixed
Status: reopenedclosed

This was caused by the cookie path attribute incorrectly being set to instead of '/' for top level trac installations. This led to multiple form_token cookies to be created under certain circumstances causing the cookie validation to fail.

Fixed in [7386].

comment:17 by Christian Boos, 16 years ago

Hey jonas, WikiFormatting#FontStyles :-)

… and of course, congrats for this fix! I had no clue about what could be the cause.

comment:18 by anonymous, 16 years ago

Resolution: fixed
Status: closedreopened

I am still getting this issue in [7450]

comment:19 by anonymous, 16 years ago

Milestone: 0.11.10.11.2

You have to reopen it for the next milestone

in reply to:  18 comment:20 by Jonas Borgström, 16 years ago

Severity: majornormal

Replying to anonymous:

I am still getting this issue in [7450]

We'll need some more information on how to reproduce this. As far as I can recall I've never seen this since [7386].

Do you have any reliable way to reproduce this?

comment:21 by Jonas Borgström, 16 years ago

Priority: highnormal
Severity: normalmajor

comment:22 by dave@…, 16 years ago

For the record, the anonymous poster is not me (the original reporter). It's been working for me.

in reply to:  18 comment:23 by Christian Boos, 15 years ago

Milestone: 0.11.20.11.1
Resolution: fixed
Status: reopenedclosed

Since "anonymous" from 2 months ago didn't provide us with the requested additional information, and it's working fine for the original poster (and the rest of us on this Trac), I think we can close it again.

If someone really still has that issue with Trac ≥ 0.11.1, please re-read the whole ticket and provide us with:

  • detailed information about your cookies
  • a recipe for reproducing the problem

comment:24 by cheeming@…, 15 years ago

Resolution: fixed
Status: closedreopened

I am using Trac 0.11.2.1 and Bitten version 0.6 r567 and I had missing or invalid form token error message.

I did some debugging and realised that for each requests to save my Bitten Build Configuration (under Admin > Builds > Configuration), it will make two requests, one to get the rendered form and another to get the wikitoolbar.js file.

For each request to my server, it will generate a new form token. The form token for the form will be generated first and then for the wikitoolbar.js file, it will generate another one. Because of this, the form token for the form will always be wrong because the form token in the cookie is the more recent one.

This is caused by the Bitten Clearsilver templates not generating the right URLs for to get the wikitoolbar.js file. I did some manual hacks to fix this. I am not too sure the right way to solve it but maybe some experts here can chip in.

What I did in my manual hacks is to change http://bitten.edgewall.org/browser/trunk/bitten/templates/bitten_config.cs#L110 to something like this:

     <script type="text/javascript" src="/chrome/js/wikitoolbar.js"></script>

comment:25 by ebray, 15 years ago

Resolution: fixed
Status: reopenedclosed

This seems more like a Bitten issue, and particular an issue related to using Bitten from trunk with Trac 0.11. I'd recommend trying the version of Bitten from branches/experimental/trac-0.11. Don't let the "experimental" stuff throw you off. It's been in use for almost a year now and should probably work better for you.

comment:26 by anatoly techtonik <techtonik@…>, 14 years ago

Milestone: 0.11.10.11.7
Resolution: fixed
Status: closedreopened

It is not bitten specific issue. The cookie is regenerated every time a 404 error encountered for a resource that is filtered through Trac request. I experience this with 0.11.2.1 and latest 0.11-dev with tracd demon and missing stylesheet (Trac is imported from SourceForge).

  • web/main.py

     
    285285        if req.incookie.has_key('trac_form_token'):
    286286            return req.incookie['trac_form_token'].value
    287287        else:
     288            print "Cookie regenerated"
     289            #import traceback; traceback.print_stack()
    288290            req.outcookie['trac_form_token'] = hex_entropy(24)
    289291            req.outcookie['trac_form_token']['path'] = req.base_path or '/'
    290292            if self.env.secure_cookies:
Serving on 0.0.0.0:8000 view at http://127.0.0.1:8000/
Cookie regenerated
127.0.0.1 - - [16/Jan/2010 16:56:32] "POST /admin/ticket/milestones HTTP/1.1" 400 -
127.0.0.1 - - [16/Jan/2010 16:56:33] "GET /chrome/common/js/search.js HTTP/1.1" 200 -
127.0.0.1 - - [16/Jan/2010 16:56:33] "GET /chrome/common/css/trac.css HTTP/1.1" 200 -
127.0.0.1 - - [16/Jan/2010 16:56:33] "GET /chrome/common/js/trac.js HTTP/1.1" 200 -
127.0.0.1 - - [16/Jan/2010 16:56:33] "GET /chrome/common/js/jquery.js HTTP/1.1" 200 -
Cookie regenerated
127.0.0.1 - - [16/Jan/2010 16:56:33] "GET /chrome/site/ha-css/default2.css HTTP/1.1" 404 -
127.0.0.1 - - [16/Jan/2010 16:56:34] "GET /chrome/common/trac_logo_mini.png HTTP/1.1" 200 -
Cookie regenerated
127.0.0.1 - - [16/Jan/2010 16:56:35] "GET /chrome/site/ha-css/default2.css HTTP/1.1" 404 -
127.0.0.1 - - [16/Jan/2010 16:56:36] "GET /chrome/common/dots.gif HTTP/1.1" 200 -
127.0.0.1 - - [16/Jan/2010 16:56:36] "GET /chrome/common/topbar_gradient.png HTTP/1.1" 200 -

comment:27 by anatoly techtonik <techtonik@…>, 14 years ago

FWIW, the user is anonymous with ADMIN privileges.

comment:28 by anatoly techtonik <techtonik@…>, 14 years ago

When Trac renders error template, it regenerates form token. Processing starts in web/api.py send_error() on 404 request. This method executes render_template() from web/chrome.py which in line 757 makes simple req.form_token attribute check that in fact is a function call to web/main.py _get_form_token.

The req.incookie looses 'trac_form_token' somewhere on the way and _get_form_token() regenerates it causing "Missing or invalid form token" error on subsequent browser request. It is possible to introduce render_error_template() that exclude any state modifying checks, but it won't help if cookie is lost earlier. Any ideas where this can happen?

comment:29 by anatoly techtonik <techtonik@…>, 14 years ago

Well, the problem was in enabled "secure_cookies" option. When it is enabled, cookies are regenerated on every request if the request is not HTTPS. This clears req.form_token field that gets regenerated the next time it is requested from render_template()

While it would still be good to have separate non-obtrusive render_error_template() method, I close this issue and open #8981 that describes this specific case.

comment:30 by anatoly techtonik <techtonik@…>, 14 years ago

Resolution: fixed
Status: reopenedclosed

comment:31 by Remy Blank, 14 years ago

Milestone: 0.11.70.11.1

Re-set the milestone (comment:26).

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Jonas Borgström.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Jonas Borgström to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.