Details
Description
When attempting to log in to Blesta, the session is regenerated each time. However, it should only regenerate on a successful log in.
This has the adverse effect of changing CSRF tokens (because they're based on the session), and so any AJAX requests to log in that do not reload the page are unable to make POST requests because the CSRF token is outdated. This occurs, for instance, on the AJAX/Wizard templates of the Order plugin.
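The ordering problem described above, as an added Python model that is not Blesta's own code: sessions, CSRF tokens derived from the session id, a handler that regenerates the session on every attempt beside one that regenerates only after the credentials validate, and a simulated wizard page that reuses its one rendered token for a retry. The store, key and user table are constructed for the example.

```python
import hashlib
import hmac
import secrets

class SessionStore:
    """Minimal server-side session store (constructed for this example)."""
    def __init__(self):
        self.sessions = {}

    def new(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def regenerate(self, sid):
        # Retire the old id and issue a fresh one carrying the same data
        data = self.sessions.pop(sid, {})
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid

SERVER_KEY = b"constructed-server-key"   # assumption: per-deployment secret
USERS = {"alice": "correct-horse"}       # constructed credentials

def csrf_token(sid):
    # Token is bound to the session id, so a regenerated session invalidates it
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def login_regenerate_first(store, sid, token, user, password):
    """Buggy ordering: the session is regenerated before credentials are checked."""
    if not hmac.compare_digest(token, csrf_token(sid)):
        return sid, "csrf_invalid"
    sid = store.regenerate(sid)          # runs on every attempt, failed or not
    if USERS.get(user) != password:
        return sid, "bad_credentials"    # caller's cookie now names a new session
    store.sessions[sid]["user"] = user
    return sid, "ok"

def login_regenerate_on_success(store, sid, token, user, password):
    """Fixed ordering: regenerate only once the credentials validate."""
    if not hmac.compare_digest(token, csrf_token(sid)):
        return sid, "csrf_invalid"
    if USERS.get(user) != password:
        return sid, "bad_credentials"    # session and CSRF token untouched
    sid = store.regenerate(sid)          # still rotates the id against fixation
    store.sessions[sid]["user"] = user
    return sid, "ok"

def ajax_retry(handler):
    """Simulate the wizard page: one token rendered, reused for a second POST."""
    store = SessionStore()
    sid = store.new()
    token = csrf_token(sid)              # embedded once in the page markup
    sid, first = handler(store, sid, token, "alice", "wrong")
    sid, second = handler(store, sid, token, "alice", "correct-horse")
    return first, second
```

With the buggy handler the retry is rejected as a CSRF failure even though the credentials are now right; with the fixed handler the retry succeeds and the session id is still rotated on success.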
Activity
Tyson Phillips (Inactive) created issue -
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Sprint | 4.4.0 Sprint 2 [ 70 ] |
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Rank | Ranked higher |
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Rank | Ranked higher |
Automated transition triggered when Tyson Phillips (Inactive) created a branch in Stash -
Field | Original Value | New Value |
---|---|---|
Status | Open [ 1 ] | In Progress [ 3 ] |
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Security | Private [ 10000 ] |
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Summary | Order: Unable to log in after failure on wizard templates | Order: Unable to log in after failure on wizard/ajax templates |
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Description | When checking out on the order form using a Wizard template (slider/list/boxes), there is a Log In and Create Account form shown. The Create Account works fine. However, the Log In form attempts to log the user in and, upon failure, displays an error message. The problem is that attempting to re-submit the log in form results in it being refreshed, but never processed. The CSRF token given is invalid after a failed log in attempt. This is because a failed log in attempt clears the session. The log in form will need to be updated to either refresh the CSRF token on failure or submit without AJAX. | When checking out on the order form using an AJAX/Wizard template (slider/list/boxes), there is a Log In and Create Account form shown. The Create Account works fine. However, the Log In form attempts to log the user in and, upon failure, displays an error message. The problem is that attempting to re-submit the log in form results in it being refreshed, but never processed. The CSRF token given is invalid after a failed log in attempt. This is because a failed log in attempt clears the session. The log in form will need to be updated to either refresh the CSRF token on failure or submit without AJAX. |
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Description | When checking out on the order form using an AJAX/Wizard template (slider/list/boxes), there is a Log In and Create Account form shown. The Create Account works fine. However, the Log In form attempts to log the user in and, upon failure, displays an error message. The problem is that attempting to re-submit the log in form results in it being refreshed, but never processed. The CSRF token given is invalid after a failed log in attempt. This is because a failed log in attempt clears the session. The log in form will need to be updated to either refresh the CSRF token on failure or submit without AJAX. | When checking out on the order form using an AJAX/Wizard template (slider/list/boxes), there is a Log In and Create Account form shown. The Create Account works fine. However, the Log In form attempts to log the user in and, upon failure, displays an error message. The problem is that attempting to re-submit the log in form results in it being refreshed, but never processed. The CSRF token given is invalid after a failed log in attempt. This is because a failed log in attempt clears the session. The log in form will need to be updated to either refresh the CSRF token on failure or submit without AJAX. What may suffice is to create a method on the order_form_controller to fetch the CSRF Token via AJAX, then the handler can update the token dynamically in the page forms. |
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Remaining Estimate | 0 minutes [ 0 ] | |
Time Spent | 36 minutes [ 2160 ] | |
Worklog Id | 11395 [ 11395 ] |
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Description | When checking out on the order form using an AJAX/Wizard template (slider/list/boxes), there is a Log In and Create Account form shown. The Create Account works fine. However, the Log In form attempts to log the user in and, upon failure, displays an error message. The problem is that attempting to re-submit the log in form results in it being refreshed, but never processed. The CSRF token given is invalid after a failed log in attempt. This is because a failed log in attempt clears the session. The log in form will need to be updated to either refresh the CSRF token on failure or submit without AJAX. What may suffice is to create a method on the order_form_controller to fetch the CSRF Token via AJAX, then the handler can update the token dynamically in the page forms. | When checking out on the order form using an AJAX/Wizard template (slider/list/boxes), there is a Log In and Create Account form shown. The Create Account works fine. However, the Log In form attempts to log the user in and, upon failure, displays an error message. The problem is that attempting to re-submit the log in form results in it being refreshed, but never processed. The CSRF token given is invalid after a failed log in attempt. This is because a failed log in attempt clears the session. The log in form will need to be updated to either refresh the CSRF token on failure or submit without AJAX. |
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Description | When checking out on the order form using an AJAX/Wizard template (slider/list/boxes), there is a Log In and Create Account form shown. The Create Account works fine. However, the Log In form attempts to log the user in and, upon failure, displays an error message. The problem is that attempting to re-submit the log in form results in it being refreshed, but never processed. The CSRF token given is invalid after a failed log in attempt. This is because a failed log in attempt clears the session. The log in form will need to be updated to either refresh the CSRF token on failure or submit without AJAX. | When checking out on the order form using an AJAX/Wizard template (slider/list/boxes), there is a Log In and Create Account form shown. The Create Account works fine. However, the Log In form attempts to log the user in and, upon failure, displays an error message. The problem is that attempting to re-submit the log in form results in it being refreshed, but never processed. The CSRF token given is invalid after a failed log in attempt. This is because a failed log in attempt clears the session. The log in form will need to be updated to either refresh the CSRF token on failure or submit without AJAX. We should consider moving the session clearing/reset to after successful login validation. |
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Time Spent | 36 minutes [ 2160 ] | 1 hour, 41 minutes [ 6060 ] |
Worklog Id | 11397 [ 11397 ] |
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Summary | Order: Unable to log in after failure on wizard/ajax templates | User log in regenerates session on failure |
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Description | When checking out on the order form using an AJAX/Wizard template (slider/list/boxes), there is a Log In and Create Account form shown. The Create Account works fine. However, the Log In form attempts to log the user in and, upon failure, displays an error message. The problem is that attempting to re-submit the log in form results in it being refreshed, but never processed. The CSRF token given is invalid after a failed log in attempt. This is because a failed log in attempt clears the session. The log in form will need to be updated to either refresh the CSRF token on failure or submit without AJAX. We should consider moving the session clearing/reset to after successful login validation. | When attempting to log in to Blesta, the session is regenerated each time. However, it should only regenerate on a successful log in. This has the adverse effect of changing CSRF tokens (because they're based on the session), and so any AJAX requests to log in that do not reload the page are unable to make POST requests because the CSRF token is outdated. This occurs, for instance, on the AJAX/Wizard templates of the Order plugin. |
Automated transition triggered when Tyson Phillips (Inactive) created pull request #497 in Stash -
Field | Original Value | New Value |
---|---|---|
Status | In Progress [ 3 ] | In Review [ 5 ] |
Resolution | Fixed [ 1 ] |
Tyson Phillips (Inactive) made changes -
Field | Original Value | New Value |
---|---|---|
Time Spent | 1 hour, 41 minutes [ 6060 ] | 1 hour, 56 minutes [ 6960 ] |
Worklog Id | 11400 [ 11400 ] |
Automated transition triggered when Tyson Phillips (Inactive) merged pull request #497 in Stash -
Field | Original Value | New Value |
---|---|---|
Status | In Review [ 5 ] | Closed [ 6 ] |