New issue 361 by pkas...@chromium.org: Dataloss with "Invalid XSRF token"
error
http://code.google.com/p/rietveld/issues/detail?id=361
If you leave a review page open too long (24+ hours?) and then try to write
a reply, after submission you get "Invalid XSRF token." Then if you hit
back, your reply is gone, because it was composed in some AJAXy box that no
longer appears.
There are several possible mitigations.
First, the full submitted reply (or other mail) could be pasted on
the "invalid xsrf token" page so you could copy it and paste it back in
when going back.
Second, the page could be structured such that when you go back, the
browser can successfully persist the relevant form data.
Third, the page could do JS requests every few hours to keep the token
alive.
You must be using Firefox, right?
No, I'm on the Chrome team and this has bitten us for a long time.
I believe I've fixed this for Chrome some time ago
http://code.google.com/p/rietveld/issues/detail?id=198
I encountered this problem yesterday using the Chrome Dev channel, so it's
definitely not fixed.
Can you confirm that it is the same issue as #198?
Can you write a test to repeat the issue?
I do the following (Google Chrome 17.0.963.26 beta):
1. Open http://codereview.appspot.com/5475061/
2. Hit 'Reply', enter comment 'XXX'
3. Click any link on the page to navigate away
4. Hit 'Back'
5. Hit 'Reply' again
6. Look at 'XXX'
Everything works.
Maybe there is a regression in a dev channel?
Maybe you were logged out?
Maybe there is a different problem, but we need a way to repeat this
somehow.
Your test steps work, so this is not a Dev channel-only regression.
I appeared to be logged in both before and after reproducing the problem,
so I don't think that's it.
I explicitly tried to "reply" yesterday when this happened to me and my
previous reply was not preserved. So I don't think what's happening here
is precisely the same as what happens if I navigate away via a link click.
Of course now you're making me second-guess myself.
It seems like this is pretty easy to check -- pull up some issue in a
Chrome window, leave it until some time tomorrow after the token will have
expired, click the "reply" link and write a comment, then "submit" to get
the error. Then hit back and reply again.
I suggest both of us do this. I'll go ahead and load up a tab now.
I think there is a way to expire token faster from developer instance. I've
tried:
from codereview.models import Account
acc = Account.all().filter('email =', 'te...@example.com').get()
print repr(acc.xsrf_secret)
acc.xsrf_secret = None
acc.put()
But it didn't work.
Re: comment 6: I finally got around to retesting this. I pulled up the
link from comment 5, left it open in a tab well over a day, hit the "reply"
button and deleted all the content, then hit "send message". On getting
the "invalid token" page I hit back, and hit "reply" again. The
boilerplate text was all back rather than still being deleted.