#5637 closed defect (fixed)
"Missing or invalid form token"
| Reported by: | Owned by: | Jonas Borgström | |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.11.1 |
| Component: | ticket system | Version: | 0.11-stable |
| Severity: | major | Keywords: | |
| Cc: | daniel@… | Branch: | |
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
Whenever I try to accept a ticket, I get "Missing or invalid form token. Do you have cookies enabled?"
I do have cookies enabled.
Some hacked in tracing reveals that req.args.get('__FORM_TOKEN') is None and in fact req.args contains only {'id': u'83'} (83 is the ticket number)
Attachments (0)
Change History (31)
comment:1 by , 17 years ago
| Severity: | blocker → major |
|---|
comment:2 by , 17 years ago
comment:3 by , 17 years ago
Interestingly, I just got the same message when trying to submit this ticket. I thought it was an 0.11-specific issue, but I guess not.
comment:4 by , 17 years ago
| Cc: | added |
|---|---|
| Resolution: | → invalid |
| Status: | new → closed |
This is actually a different problem entirely. trachacks:TracForgePlugin is eating up all my POST data. We plan to submit a separate ticket with a patch to Trac that makes this less likely to be a problem. The fix to Tracforge is more complicated, we think.
comment:5 by , 16 years ago
| Resolution: | invalid |
|---|---|
| Status: | closed → reopened |
Ok, I thought it was an authentication issue with Safari, but even without authenticating on t.e.o. I bumped into this issue without even being authenticated (I got used to get it: about once out of 3 or 4 tries when I add a comment on t.e.o.)
There's definitely something wrong with cookie management.
I'm not sure how to reproduce this error, but it bites me too many times a week on t.e.o.
A typical way to trigger the error on t.e.o. (but not 100% reproducible):
- to browse t.e.o. not being logged,
- type some comments into a ticket
- log in (I always forget to log in…)
- re-type the comments
- submit or preview
This is likely to trigger the error with the latest (3.1.1 and previous) releases of Safari on Mac.
Once the first error occurrence is circumvented and as long as Safari runs, the error does not seem to appear anymore.
comment:6 by , 16 years ago
| Version: | devel → 0.11-stable |
|---|
comment:7 by , 16 years ago
FWIW, this problem is not Safari-specific; I was using FireFox all the times when I saw it.
comment:9 by , 16 years ago
Steps to reproduce:
- edit a ticket as anonymous, preview to comment, keep the tab opened
- in another tab, log in that Trac
- back to the first tab, Submit
The above procedure worked when using FF3 (the above "check") comment:8, but produced a Missing or invalid form token error when using Safari 3.1.2.
comment:12 by , 16 years ago
Same issue with Opera 9.27, and ie7. It apparently didn't happen with FF 2 and Opera 9.51 (comment:10 and comment:11).
comment:13 by , 16 years ago
| Milestone: | → 0.11.1 |
|---|
Though it appears to be browser specific, there's maybe something that can be done about this (no idea what at this point).
I'm tentatively scheduling this for 0.11.1 so it doesn't get lost.
comment:15 by , 16 years ago
Ok, did some further testing, it's not browser specific it seems. The steps described in comment:8 work in safari if we start with the anonymous status obtained after a logout (i.e. we were previously logged in). And that's the situation I had when I tried with FF 3.0. If instead of simply logging out before repeating the steps, I actually exit the program and start fresh, then I also have the issue with Firefox.
comment:16 by , 16 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
This was caused by the cookie path attribute incorrectly being set to instead of '/' for top level trac installations. This led to multiple form_token cookies to be created under certain circumstances causing the cookie validation to fail.
Fixed in [7386].
comment:17 by , 16 years ago
Hey jonas, WikiFormatting#FontStyles :-)
… and of course, congrats for this fix! I had no clue about what could be the cause.
follow-ups: 20 23 comment:18 by , 16 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
I am still getting this issue in [7450]
comment:19 by , 16 years ago
| Milestone: | 0.11.1 → 0.11.2 |
|---|
You have to reopen it for the next milestone
comment:20 by , 16 years ago
| Severity: | major → normal |
|---|
comment:21 by , 16 years ago
| Priority: | high → normal |
|---|---|
| Severity: | normal → major |
comment:22 by , 16 years ago
For the record, the anonymous poster is not me (the original reporter). It's been working for me.
comment:23 by , 16 years ago
| Milestone: | 0.11.2 → 0.11.1 |
|---|---|
| Resolution: | → fixed |
| Status: | reopened → closed |
Since "anonymous" from 2 months ago didn't provide us with the requested additional information, and it's working fine for the original poster (and the rest of us on this Trac), I think we can close it again.
If someone really still has that issue with Trac ≥ 0.11.1, please re-read the whole ticket and provide us with:
- detailed information about your cookies
- a recipe for reproducing the problem
comment:24 by , 16 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
I am using Trac 0.11.2.1 and Bitten version 0.6 r567 and I had missing or invalid form token error message.
I did some debugging and realised that for each requests to save my Bitten Build Configuration (under Admin > Builds > Configuration), it will make two requests, one to get the rendered form and another to get the wikitoolbar.js file.
For each request to my server, it will generate a new form token. The form token for the form will be generated first and then for the wikitoolbar.js file, it will generate another one. Because of this, the form token for the form will always be wrong because the form token in the cookie is the more recent one.
This is caused by the Bitten Clearsilver templates not generating the right URLs for to get the wikitoolbar.js file. I did some manual hacks to fix this. I am not too sure the right way to solve it but maybe some experts here can chip in.
What I did in my manual hacks is to change http://bitten.edgewall.org/browser/trunk/bitten/templates/bitten_config.cs#L110 to something like this:
<script type="text/javascript" src="/chrome/js/wikitoolbar.js"></script>
comment:25 by , 16 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
This seems more like a Bitten issue, and particular an issue related to using Bitten from trunk with Trac 0.11. I'd recommend trying the version of Bitten from branches/experimental/trac-0.11. Don't let the "experimental" stuff throw you off. It's been in use for almost a year now and should probably work better for you.
comment:26 by , 15 years ago
| Milestone: | 0.11.1 → 0.11.7 |
|---|---|
| Resolution: | fixed |
| Status: | closed → reopened |
It is not bitten specific issue. The cookie is regenerated every time a 404 error encountered for a resource that is filtered through Trac request. I experience this with 0.11.2.1 and latest 0.11-dev with tracd demon and missing stylesheet (Trac is imported from SourceForge).
-
web/main.py
285 285 if req.incookie.has_key('trac_form_token'): 286 286 return req.incookie['trac_form_token'].value 287 287 else: 288 print "Cookie regenerated" 289 #import traceback; traceback.print_stack() 288 290 req.outcookie['trac_form_token'] = hex_entropy(24) 289 291 req.outcookie['trac_form_token']['path'] = req.base_path or '/' 290 292 if self.env.secure_cookies:
Serving on 0.0.0.0:8000 view at http://127.0.0.1:8000/ Cookie regenerated 127.0.0.1 - - [16/Jan/2010 16:56:32] "POST /admin/ticket/milestones HTTP/1.1" 400 - 127.0.0.1 - - [16/Jan/2010 16:56:33] "GET /chrome/common/js/search.js HTTP/1.1" 200 - 127.0.0.1 - - [16/Jan/2010 16:56:33] "GET /chrome/common/css/trac.css HTTP/1.1" 200 - 127.0.0.1 - - [16/Jan/2010 16:56:33] "GET /chrome/common/js/trac.js HTTP/1.1" 200 - 127.0.0.1 - - [16/Jan/2010 16:56:33] "GET /chrome/common/js/jquery.js HTTP/1.1" 200 - Cookie regenerated 127.0.0.1 - - [16/Jan/2010 16:56:33] "GET /chrome/site/ha-css/default2.css HTTP/1.1" 404 - 127.0.0.1 - - [16/Jan/2010 16:56:34] "GET /chrome/common/trac_logo_mini.png HTTP/1.1" 200 - Cookie regenerated 127.0.0.1 - - [16/Jan/2010 16:56:35] "GET /chrome/site/ha-css/default2.css HTTP/1.1" 404 - 127.0.0.1 - - [16/Jan/2010 16:56:36] "GET /chrome/common/dots.gif HTTP/1.1" 200 - 127.0.0.1 - - [16/Jan/2010 16:56:36] "GET /chrome/common/topbar_gradient.png HTTP/1.1" 200 -
comment:28 by , 15 years ago
When Trac renders error template, it regenerates form token. Processing starts in web/api.py send_error() on 404 request. This method executes render_template() from web/chrome.py which in line 757 makes simple req.form_token attribute check that in fact is a function call to web/main.py _get_form_token.
The req.incookie looses 'trac_form_token' somewhere on the way and _get_form_token() regenerates it causing "Missing or invalid form token" error on subsequent browser request. It is possible to introduce render_error_template() that exclude any state modifying checks, but it won't help if cookie is lost earlier. Any ideas where this can happen?
comment:29 by , 15 years ago
Well, the problem was in enabled "secure_cookies" option. When it is enabled, cookies are regenerated on every request if the request is not HTTPS. This clears req.form_token field that gets regenerated the next time it is requested from render_template()
While it would still be good to have separate non-obtrusive render_error_template() method, I close this issue and open #8981 that describes this specific case.
comment:30 by , 15 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
Which browser are you using?
Did you check the DB for similar issues?