| field | value | date |
|---|---|---|
| author | Joey Hess <joey@gnu.kitenet.net> | 2009-01-05 16:15:46 -0500 |
| committer | Joey Hess <joey@gnu.kitenet.net> | 2009-01-05 16:15:46 -0500 |
| commit | 09a76de33dbcd929eefe57d9e9a628b8a39a0404 | |
| tree | c5d45d524a1072a611ecbd36b8a5cfa158f9f3a1 | |
| parent | d4599f72502af1a8dbf94478038111d992929588 | |
analysis
-rw-r--r-- | doc/bugs/Error:_Your_login_session_has_expired._.mdwn | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/doc/bugs/Error:_Your_login_session_has_expired._.mdwn b/doc/bugs/Error:_Your_login_session_has_expired._.mdwn index 1d200a410..6cfd2868c 100644 --- a/doc/bugs/Error:_Your_login_session_has_expired._.mdwn +++ b/doc/bugs/Error:_Your_login_session_has_expired._.mdwn @@ -9,3 +9,31 @@ Whilst trying to edit http://hugh.vm.bytemark.co.uk/ikiwiki.cgi via OpenID. Any ii libnet-openid-consumer-perl 0.14-4 library for consumers of OpenID iden tities iki@hugh:~$ + +> This error occurs if ikiwiki sees something that looks like a CSRF +> attack. It checks for such an attack by embedding your session id on the +> page edit form, and comparing that id with the session id used to post +> the form. +> +> So, somehow your session id has changed between opening the edit form and +> posting it. A few ways this could happen: +> +> * Genuine CSRF attack (unlikely) +> * If you logged out and back in, in another tab, while the edit form was +> open. +> * If `.ikiwiki/sessions.db` was deleted/corrupted while you were in the +> midst of the edit. +> * If some bug in CGI::Session caused your session not to be saved to the +> database somehow. +> * If your browser didn't preserve the session cookie across the edit +> process, for whatever local reason. +> * If you were using a modified version of `editpage.tmpl`, and +> it did not include `FIELD-SID`. +> * If you upgraded from an old version of ikiwiki, before `FIELD-SID` was +> added (<= 2.41), and had an edit form open from that old version, and +> tried to save it using the new. +> +> I don't see the problem editing the sandbox there myself, FWIW. +> (BTW, shouldn't you enable the meta plugin so RecentChanges displays +> better?) +> --[[joey]] |
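Review bot: The opening paragraph of the added reply describes the check as "embedding your session id on the page edit form", but `FIELD-SID` is not named until the sixth bullet, so a reader with a customised `editpage.tmpl` has to infer that `FIELD-SID` is that embedded id. Consider saying so in the first paragraph, for example "embedding your session id on the page edit form (the `FIELD-SID` field in `editpage.tmpl`)", if that is indeed the field meant. The reply also lists seven possible causes without a way for the reporter to tell them apart; a short hint would make the bug page actionable, such as viewing the source of the edit form to confirm the sid field is present and checking that the session cookie is unchanged between opening and posting the form. Two style points: the first bullet ("Genuine CSRF attack (unlikely)") breaks the "If ..." pattern of the other six, and the closing aside about the meta plugin and RecentChanges is unrelated to this bug and would sit better outside the bug report.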