Closed Bug 518732 Opened 15 years ago Closed 14 years ago

Serious issue with security token handling in forums (invalid, empty...)

Categories

(Firefox :: General, defect)

x86
Windows 7
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: a.eibach, Unassigned)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a1pre) Gecko/20090923 Minefield/3.7a1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a1pre) Gecko/20090923 Minefield/3.7a1pre

This is quite a serious issue which appears to have been introduced with one of the newer nightlies (somewhere after 04 Sep).


Reproducible: Sometimes

Steps to Reproduce:
- Go on posting in your favorite forums, and wait for something weird to happen :) 
[NOTE: You *MUST* post. This never occurs if you only *read* a forum.]

- If you get the following message:
"Your submission could not be processed because a security token was missing 
or mismatched.

If this occurred unexpectedly, please inform the administrator and describe 
the action you performed before you received this error."

press the Back button (occasionally you have to rewrite your post from scratch) and submit your post again.
It MAY work this time, but sometimes it even fails 2 times in a sequence.

Alternative messages depending on forum software are:

"Can't determine method".
This means, the forum software did not "know" whether it should use GET or POST. Maybe that's the culprit why I'm having these issues.

Actual Results:
(see above)

Expected Results:  
Should never happen. Hasn't occurred *any* time with any build before 04 Sep '09 all those years.

The issue can be VERY annoying. Depending on which forum software is being used, it MAY happen you have to write your post from scratch again (because all text is deleted), OR the text is memorized with the "Back" button and you can try again.
Priority: -- → P3
Version: unspecified → Trunk
Have you also tested this with a new profile without add-ons and with default settings?
http://support.mozilla.com/en-US/kb/Basic+Troubleshooting#Make_a_new_profile
Um .. no I haven't, but you can be sure even if I disabled all other add-ons, I would not turn off AdBlock. Ever.
Well, if you won't turn off your addons, how do you know it isn't a problem with them that needs to be reported to the developer of said addon instead of us?
Please create a test profile to see if the issue still happens.
Priority: P3 → --
This is a widespread issue reported by multiple people on the Firefox forums.

The issue was not present in 3.5.7.

This does not just happen with security tokens on forums, it happens with any kind of $_POST data. For example, on an image uploader it may forget the name of the file and say "extension not allowed" because Firefox didn't send the post data of the image filename.

Often going back and re-submitting works, but this is just unacceptable. This issue is so prevalent that it's inspiring people to switch browsers or downgrade.
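
The "security token was missing or mismatched" message quoted in this report covers several different server-side conditions. The following is an added example, not code from this bug report or from any forum software, showing a token check that records which condition occurred; the field name `securitytoken`, the HMAC token scheme, the reason codes and the sample requests are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"   # constructed; a real site loads its key from config
FIELD = "securitytoken"            # assumed form field name

def issue_token(session_id):
    """Per-session token the server embeds in every form it renders."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def classify_post(session_id, declared_length, body):
    """Return (accepted, reason); every non-'ok' reason is still a rejection."""
    if declared_length > 0 and not body:
        return False, "body_truncated"   # Content-Length promised data, none arrived
    if not body:
        return False, "empty_body"       # POST with no form data at all
    form = parse_qs(body, keep_blank_values=True)
    if FIELD not in form:
        return False, "token_missing"    # other fields arrived, the token did not
    sent = form[FIELD][0].encode()
    if not hmac.compare_digest(sent, issue_token(session_id).encode()):
        return False, "token_mismatch"   # token present but not this session's
    return True, "ok"

def _req(session_id, body, declared=None):
    return (session_id, len(body) if declared is None else declared, body)

# Constructed sample requests: (session id, declared Content-Length, body)
SAMPLES = [
    _req("sess-1", "message=hello&" + FIELD + "=" + issue_token("sess-1")),
    _req("sess-1", ""),
    _req("sess-1", "", declared=64),
    _req("sess-1", "message=hello"),
    _req("sess-1", "message=hello&" + FIELD + "=" + issue_token("sess-2")),
]

def triage(samples):
    """Reason code per request, in order, for logging or counting."""
    return [classify_post(*s)[1] for s in samples]

if __name__ == "__main__":
    for (sid, length, body), reason in zip(SAMPLES, triage(SAMPLES)):
        print(f"{sid} len={length:<3} -> {reason}")
```

The request is rejected in every non-`ok` case, so the protection is unchanged; only the logged reason differs, which separates requests that arrived without their form data from requests carrying a wrong token.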
Ryan, thank you for your follow-up.

Seems I'm NOT dreaming, nor do I have the weirdest PC in this world.
Several reports of this problem here[1].

This is a major annoyance on FF3.6/XP-SP2, however I don't see this on FF3.6/Win7-64bit when posting to the same forums.

1. http://support.mozilla.com/nl/forum/1/565399
As an addition, this problem is more generic than the title of this bug would suggest. The problem is not affecting only vBulletin/forum users, it is affecting any web site that depends on POSTed data - eg. this Bugzilla or Oracle Business Intelligence Analytics (OBIA).

I use OBIA at work, on an intranet, and it has always worked fine with FF3.5.x on XP-SP2 but since upgrading to FF3.6 OBIA has become unusable as it randomly "loses" <form> data that is being POSTed when moving about the web application.

In fact, I'm posting this comment a second time to bugzilla.mozilla.org as the first time I tried to post this update I received the attached error message, and when hitting BACK I lost my original comment text. Grrrr.
>In fact, I'm posting this comment a second time to bugzilla.mozilla.org as the
>first time I tried to post this update I received the attached error message,
>and when hitting BACK I lost my original comment text. Grrrr.

Neil,

that's typical behavior! Hate to say it, but it has indeed become a habit now to always put my texts into clipboard so I don't lose them. It works well; yet this does not fix the actual problem.

That aside, I agree the issue is a bit more in-depth than my description suggests; however, seems it was a good choice, as someone posting on the Mozilla support forum *did* find it. If we make it too generic, it might get overlooked (except by nerds OR developers ;)) (logical OR, lol)
This is really becoming quite annoying now.

I've made two online purchases this afternoon and each time I've submitted credit card details only for the page to reload with blank details, forcing me to re-enter the details.

I also had to submit a web-mail to an online retailer using their "contact us" email system in respect of an outstanding purchase as I wanted to replace a line item with something else. After pressing submit in FF3.6 the page just reloaded giving no indication of success, failure or whatever.

Rather than hope the email had been received I switched to IE8 and re-sent the same email this time getting a success message and a reference from the retailer. If I'd trusted FF3.6 the email wouldn't have been received and I would have been stuck with items I no longer wanted.

After my experiences today I have to admit defeat, FF3.6 is an untrustworthy crock of sh1t that simply can't be used for important web functions. I'm going to have to switch to IE8 as it can at least POST data reliably and doesn't mess me about. Until this bug is resolved I won't be recommending FF to anyone.

Mozilla, please give this serious defect some attention.
Online retailer "Contact Us" web-mail/email referred to in comment 9:

http://web6.scan.co.uk/aspnet/Support/Query.aspx?QueryType=C
I am currently under the impression that this is caused by a plug-in conflict.

Using FF3.6 at work and at home. At home this happens quite frequently. At work, never.

With firebug I have noticed that any GET or POST data comes with a variable _ (one underscore) and a rather long not-so-random number (the first digits never change but the last ones usually do). Maybe it's a timestamp, I don't know. What I do know, though, is that the data is attached to it from something else and not the forms themselves. I also suspect that there's a high probability it has something to do with this problem.

I cannot figure out where it is coming from and even with all plugins disabled it still appears.

I will make a new profile tonight on my home machine and install the plug-ins one by one until it re-appears. If the problem pops up again, hopefully we can narrow it down to the troublemaker.
Same here, but reversed - never happens at home (FF3.6 on Win7/64-bit), always at work (FF3.6 on XP/SP2).

Active plugins at work are Live HTTP Headers 0.16, Java Console 5.0.14 and Flashblock 1.5.11.2. I'll try disabling Live HTTP Headers and see if that improves the situation.
With Live HTTP Headers 0.16 disabled, so far so good...

3 test posts on a vBulletin forum have all worked as expected whereas I would normally expect them to fail each time and succeed on the second attempt. If this comment posts first time that would also be a positive move (if I don't mention having to post this comment twice then you know it worked first time!)
So you are saying that this addon is causing it? Please talk to the developers of that addon then.
(In reply to comment #14)
> So you are saying that this addon is causing it? Please talk to the developers of
> that addon then.

I'm not saying that yet, but after about 2 minutes of rapid testing it does appear that disabling this particular add on does improve the situation. 

I'll need to do more testing tomorrow when I'm back at work, however I'm suspicious of the results so far because:

a) I have Live HTTP Headers 0.16 installed at home - FF3.6 on Win7/64-bit rather than XP - and I don't have this POST problem

b) I think it unlikely everyone with this problem is using Live HTTP Headers 0.16 (although it is possible)

What we need is for anyone who has this problem to confirm whether they are using Live HTTP Headers 0.16, and if they are, does disabling it fix the problem. Maybe then we can start coming to some conclusions.

I'll post an update tomorrow when I've had more time to test.
I am not using "Live HTTP Headers", but I do have "Flashblock" installed, albeit it has been disabled for some time.
@ #14 
Nooooo. Tyler, please do not shoot too quick. Neither am I using "Live HTTP Headers", but AdBlock Plus.
Could this be the culprit?
If so, I will live with the issue. Internet use in the year 2010 without AdBlock Plus is just pure horror, so I can't go without that.
Andreas, I didn't close this bug, I was simply telling Neil that in his case he needs to talk to the addon developer if that is what is causing the issue.
If you want to find out if an addon is causing it, create a new profile, and test. http://support.mozilla.com/en-US/kb/Managing+profiles
I was just about to post a comment stating that all was looking good with Live HTTP Headers 0.16 disabled (no problems posting to forums etc.) but when posting my comment here I got the same error that I attached in comment 7... so maybe not fixed after all.

As other users have this problem without using Live HTTP Headers, it's obviously not a problem specific to this particular add-on. Could it be that the profile has been corrupted by the FF3.5.x to FF3.6 upgrade, or is there an add-on API problem/incompatibility in FF3.6 (in particular, regarding POST functionality)?
I think it's adblock.
(In reply to comment #20)
> I think it's adblock.

Trouble is, I don't have adblock installed, so maybe it's a more general "add-on" problem? Or profile corruption.
Could be. Anyone tried the new profile thing yet?
I no longer get this error with tracemonkey disabled.
To disable it go to about:config, filter javascript.options.jit.content, and set to false. Perhaps this is due to tracemonkey not memorizing all variables in javascript? That would explain the unpredictable nature of the error.
(In reply to comment #1)
> Have you also tested this with a new profile without add-ons and with default
> settings?
> http://support.mozilla.com/en-US/kb/Basic+Troubleshooting#Make_a_new_profile
After having this problem for the last week both at home and at work and wondering what's been going on, I did a search and came up with https://support.mozilla.com/en-US/forum/1/565399 which further led me here. Both systems are using FF 3.6. Home has addons, but none of the ones mentioned above. Work system has no addons in FF. This affects forums (security token missing) and logins, sometimes resulting in having to hit back and enter login information multiple times before it works.
Firefox update 3.6.2 may have fixed this issue. Once the update was applied, I no longer had the problem at work. Update has just been applied to my home computer and so far, so good.
I disabled JIT in 3.6 just before the 3.6.2 upgrade hit, and the problem went away. Disabling the add-ons never completely resolved the issue, so I don't think they were the cause but getting rid of JIT in 3.6 (and now 3.6.2) seems to have fixed it.

I'm re-enabling JIT in 3.6.2 to see if 3.6.2 brings any fixes for this problem, but I doubt it.
3.6.2 with JIT enabled *does* seem to resolve this issue! :)
Hasn't been happening now for more than half a year through 3.6.3...3.7...4.0.

This issue is definitely resolved. I've adapted the status accordingly to have the lid closed on this.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Resolution: FIXED → WORKSFORME