Serious issue with security token handling in forums (invalid, empty...)




9 years ago
8 years ago


(Reporter: Andreas Eibach, Unassigned)


Windows 7

Firefox Tracking Flags

(Not tracked)



(1 attachment)



9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a1pre) Gecko/20090923 Minefield/3.7a1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a1pre) Gecko/20090923 Minefield/3.7a1pre

This is quite a serious issue which appears to have been introduced with one of the newer nightlies. (somewhere after 04 Sep)

Reproducible: Sometimes

Steps to Reproduce:
- Go on posting in your favorite forums, and wait for something weird to happen :) 
[NOTE: You *MUST* post. This never occurs if you only *read* a forum.]

- If you get the following message:
"Your submission could not be processed because a security token was missing 
or mismatched.

If this occurred unexpectedly, please inform the administrator and describe 
the action you performed before you received this error."

press the Back button (occasionally you have to rewrite your post from scratch) and submit your post again.
It MAY work this time, but sometimes it even fails 2 times in a sequence.

Alternative messages depending on forum software are:

"Can't determine method".
This means, the forum software did not "know" whether it should use GET or POST. Maybe that's the culprit why I'm having these issues.
Actual Results:  
(see above)

Expected Results:  
Should never happen. Hasn't occurred *any* time with any build before 04 Sep '09 all those years.

The issue can be VERY annoying. Depending on which forum software is being used, it MAY happen you have to write your post from scratch again (because all text is deleted), OR the text is memorized with the "Back" button and you can try again.


Comment 1

9 years ago
Priority: -- → P3
Version: unspecified → Trunk

Have you also tested this with a new profile without add-ons and with default settings?

Comment 2

9 years ago
Um .. no I haven't, but you can be sure even if I disabled all other add-ons, I would not turn off AdBlock. Ever.

Comment 3

Well, if you won't turn off your addons, how do you know it isn't a problem with them that needs to be reported to the developer of said addon instead of us?
Please create a test profile to see if the issue still happens.
Priority: P3 → --

Comment 4

8 years ago
This is a widespread issue reported by multiple people on the Firefox forums.

The issue was not present in 3.5.7.

This does not just happen with security tokens on forums, it happens with any kind of $_POST data. For example, on an image uploader it may forget the name of the file and say "extension not allowed" because Firefox didn't send the post data of the image filename.

Often going back and re-submitting works, but this is just unacceptable. This issue is so prevalent that it's inspiring people to switch browsers or downgrade.

Comment 5

8 years ago
Ryan, thank you for your follow-up.

Seems I'm NOT dreaming, nor do I have the weirdest PC in this world.

Comment 6

8 years ago
Several reports of this problem here[1].

This is a major annoyance on FF3.6/XP-SP2, however I don't see this on FF3.6/Win7-64bit when posting to the same forums.


Comment 7

8 years ago
Created attachment 430004 [details]
Error when posting to from FF3.6 on XP-SP2

As an addition, this problem is more generic than the title of this bug would suggest. The problem is not affecting only vBulletin/forum users, it is affecting any web site that depends on POSTed data - eg. this Bugzilla or Oracle Business Intelligence Analytics (OBIA).

I use OBIA at work, on an intranet, and it has always worked fine with FF3.5.x on XP-SP2 but since upgrading to FF3.6 OBIA has become unusable as it randomly "loses" <form> data that is being POSTed when moving about the web application.

In fact, I'm posting this comment a second time as the first time I tried to post this update I received the attached error message, and when hitting BACK I lost my original comment text. Grrrr.

Comment 8

8 years ago
>In fact, I'm posting this comment a second time as the
>first time I tried to post this update I received the attached error message,
>and when hitting BACK I lost my original comment text. Grrrr.


That's typical behavior! Hate to say it, but it has indeed become a habit now to always put my texts into clipboard so I don't lose them. It works well; yet this does not fix the actual problem.

That aside, I agree the issue is a bit more in-depth than my description suggests; however, seems it was a good choice, as someone posting on the Mozilla support forum *did* find it. If we make it too generic, it might get overlooked (except by nerds OR developers ;)) (logical OR, lol)

Comment 9

8 years ago
This is really becoming quite annoying now.

I've made two online purchases this afternoon and each time I've submitted credit card details only for the page to reload with blank details, forcing me to re-enter the details.

I also had to submit a web-mail to an online retailer using their "contact us" email system in respect of an outstanding purchase as I wanted to replace a line item with something else. After pressing submit in FF3.6 the page just reloaded giving no indication of success, failure or whatever.

Rather than hope the email had been received I switched to IE8 and re-sent the same email this time getting a success message and a reference from the retailer. If I'd trusted FF3.6 the email wouldn't have been received and I would have been stuck with items I no longer wanted.

After my experiences today I have to admit defeat, FF3.6 is an untrustworthy crock of sh1t that simply can't be used for important web functions. I'm going to have to switch to IE8 as it can at least POST data reliably and doesn't mess me about. Until this bug is resolved I won't be recommending FF to anyone.

Mozilla, please give this serious defect some attention.

Comment 10

8 years ago
Online retailer "Contact Us" web-mail/email referred to in comment 9:

Comment 11

8 years ago
I am currently under the impression that this is caused by a plug-in conflict.

Using FF3.6 at work and at home. At home this happens quite frequently. At work, never.

With firebug I have noticed that any GET or POST data comes with a variable _ (one underscore) and a rather long not-so-random number (the first digits never change but the last ones usually do). Maybe it's a timestamp, I don't know. What I do know, though, is that the data is attached to it from something else and not the forms themselves. I also suspect that there's a high probability it has something to do with this problem.

I cannot figure out where it is coming from and even with all plugins disabled it still appears.

I will make a new profile tonight on my home machine and install the plug-ins one by one until it re-appears. If the problem pops up again, hopefully we can narrow it down to the troublemaker.

Comment 12

8 years ago
Same here, but reversed - never happens at home (FF3.6 on Win7/64-bit), always at work (FF3.6 on XP/SP2).

Active plugins at work are Live HTTP Headers 0.16, Java Console 5.0.14 and Flashblock. I'll try disabling Live HTTP Headers and see if that improves the situation.

Comment 13

8 years ago
With Live HTTP Headers 0.16 disabled, so far so good...

3 test posts on a vBulletin forum have all worked as expected whereas I would normally expect them to fail each time and succeed on the second attempt. If this comment posts first time that would also be a positive move (if I don't mention having to post this comment twice then you know it worked first time!)

Comment 14

So you are saying that is addon is causing it? Please talk to the developers of that addon then.

Comment 15

8 years ago
(In reply to comment #14)
> So you are saying that is addon is causing it? Please talk to the developers of
> that addon then.

I'm not saying that yet, but after about 2 minutes of rapid testing it does appear that disabling this particular add on does improve the situation. 

I'll need to do more testing tomorrow when I'm back at work, however I'm suspicious of the results so far because:

a) I have Live HTTP Headers 0.16 installed at home - FF3.6 on Win7/64-bit rather than XP - and I don't have this POST problem

b) I think it unlikely everyone with this problem is using Live HTTP Headers 0.16 (although it is possible)

What we need is for anyone who has this problem to confirm whether they are using Live HTTP Headers 0.16, and if they are, does disabling it fix the problem. Maybe then we can start coming to some conclusions.

I'll post an update tomorrow when I've had more time to test.

Comment 16

8 years ago
I am not using "Live HTTP Headers", but I do have "Flashblock" installed, albeit it has been disabled for some time.

Comment 17

8 years ago
@ #14 
Nooooo. Tyler, please do not shoot too quick. Neither am I using "Live HTTP Headers", but AdBlock Plus.
Could this be the culprit?
If so, I will live with the issue. Internet use in the year 2010 without AdBlock Plus is just pure horror, so I can't go without that.

Comment 18

Andreas, I didn't close this bug, I was simply telling Neil that in his case he needs to talk to the addon developer if that is what is causing the issue.
If you want to find out if an addon is causing it, create a new profile, and test.

Comment 19

8 years ago
I was just about to post a comment stating that all was looking good with Live HTTP Headers 0.16 disabled (no problems posting to forums etc.) but when posting my comment here I got the same error that I attached in comment 7... so maybe not fixed after all.

As other users have this problem without using Live HTTP Headers, it's obviously not a problem specific to this particular add-on. Could it be that the profile has been corrupted by the FF3.5.x to FF3.6 upgrade, or is there an add-on API problem/incompatibility in FF3.6 (in particular, regarding POST functionality)?

Comment 20

8 years ago
I think it's adblock.

Comment 21

8 years ago
(In reply to comment #20)
> I think it's adblock.

Trouble is, I don't have adblock installed, so maybe it's a more general "add-on" problem? Or profile corruption.

Comment 22

8 years ago
Could be. Anyone tried the new profile thing yet?

Comment 23

8 years ago
I no longer get this error with tracemonkey disabled.
To disable it go to about:config, filter javascript.options.jit.content, and set to false. Perhaps this is due to tracemonkey not memorizing all variables in javascript? That would explain the unpredictable nature of the error.

(In reply to comment #1)
> Have you also tested this with a new profile without add-ons and with default
> settings?

Comment 24

8 years ago
After having this problem for the last week both at home and at work and wondering what's been going on, I did a search and came up with which further led me to here. Both systems are using FF 3.6. Home has addons, but none of the ones mentioned above. Work system has no addons in FF. This affects forums (security token missing) and logins sometimes resulting in having to hit back and enter login information multiple times before it works.

Comment 25

8 years ago
Firefox update 3.6.2 may have fixed this issue. Once the update was applied, I no longer had the problem at work. Update has just been applied to my home computer and so far, so good.

Comment 26

8 years ago
I disabled JIT in 3.6 just before the 3.6.2 upgrade hit, and the problem went away. Disabling the add-ons never completely resolved the issue, so I don't think they were the cause but getting rid of JIT in 3.6 (and now 3.6.2) seems to have fixed it.

I'm re-enabling JIT in 3.6.2 to see if 3.6.2 brings any fixes for this problem, but I doubt it.

Comment 27

8 years ago
3.6.2 with JIT enabled *does* seem to resolve this issue! :)

Comment 28

8 years ago
Hasn't been happening now for more than half a year through 3.6.3...3.7...4.0.

This issue is definitely resolved. I've adapted the status accordingly to have the lid closed on this.
Last Resolved: 8 years ago
Resolution: --- → FIXED

