Testing the posting timeout bug

harrrrrry

Starting this post at 10:01:09

… waiting …

Adding some content at 10:08

… waiting …

Adding some more content at 10:24

… waiting …

Attempting to post the message at 10:28 …

Ouch!!!

This annoying design defect is not yet fixed

Presumably this is a Flarum defect, not something that giffgaff’s server is causing?

mrjeeves

harrrrrry

It’s by design.

Alex has explained this many times. The Flarum session token (or maybe CSRF token?) on your browser expires after a set amount of time (probably ₃₀ mins). After this time, the token is not valid and cannot be used for any user-related forum actions, like posting, reading notifications, etc.

It’s like this for the safety of members. If someone had their token stolen, actions could only be performed for 30 mins, rather than forever, which reduces the likelihood that an attacker would be able to permanently compromise someone’s account and perform malicious actions over long periods of time.

In fact the thread just one down on the discussion list is about this exact issue: https://preview.community.giffgaff.com/d/114-oops-something-went-wrong/4

harrrrrry

mrjeeves It’s like this for the safety of members

That’s a very serious misunderstanding if there ever was one.

If it was being done for safety, then the site would ask for my password – the same as most other sites that implement a timeout. And more to the point, there shouldn’t be another less secure way to post the message without needing my password.

What kind of “security” is it that somebody can apparently post an unlimited number of messages on my account, as long as each individual message takes no more than 19 minutes to compose – but a single 21 minute message is too much to post without an error?

What kind of security is it that the way to recover from this supposed “security error” is that my intending imposter should:

copy the message to the clipboard
reload the browser
paste the message in again
and then my imposter is apparently authorised to continue posting for as long as they wish, provided they don’t make the mistake of taking longer than 19 minutes to compose any other message.

mrjeeves

harrrrrry

Most people won’t spend long enough on a discussion page without doing anything else to trigger this.

It’s designed to prevent cross-site request forgery (CSRF) attacks where another site sends a request to the community to perform an action on your behalf.

Any action requires a valid CSRF token to perform an action, and this token is linked to your forum session in the background.

There’s no way to disable this and there’s no reason anyone ever should.

It’s so that, if your CSRF token was stolen, it would only work for 20 mins or so. 20 mins of damage is better than 2 hours or a day. There shouldn’t be any way for the CSRF to be stolen, but things happen.

This is not designed to protect your account from people logging in as you or accessing the forum as you – purely to prevent other sites from attempting to perform actions as you.

harrrrrry

mrjeeves Most people won’t spend long enough on a discussion page without doing anything else to trigger this.

But in what way does 21 minutes of keystrokes constitute “not doing anything”?

OK, so that specific test message had gaps of 4-16 minutes between some of the keystrokes. But the result would have been exactly the same if I’d constantly typed garbage for more than about 21 minutes. The message would still fail to post.

Timeouts are fine provided they’re retriggered by appropriate actions, and typing into a reply message needs to be one of them.

Expired timeouts are fine too, provided they cause a proper dialogue (eg a password prompt) rather than an error message that requires a bodge to recover from.

mrjeeves

harrrrrry

You don’t need to log back in after the token expires. You can also just go back to the community home page, then post your content without any refreshing or copy-pasting.

I do think that typing a reply should not let the token expire, and it’s worth asking the core team if there’s any specific reason that it doesn’t.