Item10147: Foswiki::writeCompletePage deletes session ID cookie if page contains a form

Priority: Urgent
Current State: Closed
Released In: 1.1.3
Target Release: patch
Applies To: Engine
Component:
Branches:
Reported By: DiabJerius
Waiting For:
Last Change By: KennethLavrsen
After upgrading from 1.0.9, my scripts which communicate with Foswiki using HTTP are failing after authentication with a 419 error. One script uploads to the server by first GETing the attach page for a topic, filling in the upload form, adding the validation key, and POSTing the result. However, the validation is failing because the FOSWIKISID cookie is not being passed along with the attach page. For example:

    % curl -I -uDiabJerius http://my.server/Foswiki-1.1.2/bin/attach/Sandbox/TestTopic0 |& grep Cookie
    Set-Cookie: FOSWIKISTRIKEONE=0fd30efb00ac66d7a968beac1d33bd03; path=/

The cookie is present in 1.0.9:

    % curl -I -uDiabJerius http://my.server/Foswiki-1.0.9/bin/attach/Sandbox/TestTopic0 |& grep Cookie
    Set-Cookie: FOSWIKISTRIKEONE=d7aa22127cb3a2a7d474eef1969e0cdf; path=/
    Set-Cookie: FOSWIKISID=94a611b0a5d5c01cc8eb5b833057ae14; path=/

The fault appears to lie in Foswiki::writeCompletePage, which, if a page contains a form, adds the strikeone cookie:

    # At least one form has been touched; add the validation
    # cookie
    $this->{response}
      ->cookies( [ Foswiki::Validation::getCookie($cgis) ] );

Unfortunately, this code wipes out all existing cookies, including the FOSWIKISID cookie. Amending the code as follows:

    $this->{response}
      ->cookies( [ $this->{response}->cookies,
                   Foswiki::Validation::getCookie($cgis) ] );

adds to the cookies rather than replacing them, FOSWIKISID is passed along,

    % curl -I -uDiabJerius http://my.server/Foswiki-1.1.2p/bin/attach/Sandbox/TestTopic0 |& grep Cookie
    Set-Cookie: FOSWIKISID=3499118ca786da12fd4f95e80df4eab8; path=/; HttpOnly
    Set-Cookie: FOSWIKISTRIKEONE=7cc396eb5feaa648480762a95c450086; path=/

and my script once more works.

-- DiabJerius - 11 Dec 2010
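
A regression check for the behaviour reported above, as an added example that is not part of the original report or of Foswiki's code: it parses `Set-Cookie` lines such as `curl -I` prints and reports which of the two cookies a form-bearing page failed to set. The function names are illustrative assumptions, and the embedded headers are the ones quoted in the report.

```python
"""Check response headers from a form-bearing Foswiki page for the session
and validation cookies. Added example; function names are illustrative."""

REQUIRED = ("FOSWIKISID", "FOSWIKISTRIKEONE")


def parse_set_cookies(raw_headers):
    """Return {cookie_name: {"value": str, "attrs": {lowercased attr: value}}}."""
    cookies = {}
    for line in raw_headers.splitlines():
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue  # not a Set-Cookie header line
        parts = [p.strip() for p in rest.split(";") if p.strip()]
        if not parts or "=" not in parts[0]:
            continue  # malformed cookie pair
        cname, _, cvalue = parts[0].partition("=")
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()  # flags such as HttpOnly map to ""
        cookies[cname.strip()] = {"value": cvalue, "attrs": attrs}
    return cookies


def missing_cookies(raw_headers, required=REQUIRED):
    """Names from `required` that the response did not set."""
    seen = parse_set_cookies(raw_headers)
    return [n for n in required if n not in seen]


# Header excerpts copied from the curl output quoted in the report.
HEADERS_1_1_2 = "Set-Cookie: FOSWIKISTRIKEONE=0fd30efb00ac66d7a968beac1d33bd03; path=/\n"
HEADERS_AMENDED = (
    "Set-Cookie: FOSWIKISID=3499118ca786da12fd4f95e80df4eab8; path=/; HttpOnly\n"
    "Set-Cookie: FOSWIKISTRIKEONE=7cc396eb5feaa648480762a95c450086; path=/\n"
)

if __name__ == "__main__":
    for label, hdrs in (("1.1.2", HEADERS_1_1_2), ("amended", HEADERS_AMENDED)):
        lost = missing_cookies(hdrs)
        print(label, "OK" if not lost else "missing: " + ", ".join(lost))
```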

Excellent. I am hoping this might explain Item8917. I still have a test environment failing in the way I described in Item8917, so I'll try it.

-- PaulHarvey - 11 Dec 2010

Fix looked pretty nobrain so I checked it in. Thanks to Diab for the fix.

Paul, I assume you follow up on the 8817 if it also fixed that. I do not see the 8817 error so I cannot confirm.

-- KennethLavrsen - 11 Dec 2010
 

ItemTemplate

Summary Foswiki::writeCompletePage deletes session ID cookie if page contains a form
ReportedBy DiabJerius
Codebase 1.1.2
SVN Range
AppliesTo Engine
Component
Priority Urgent
CurrentState Closed
WaitingFor
Checkins distro:5690bf2708cf distro:e15aab038ef6
TargetRelease patch
ReleasedIn 1.1.3
Topic revision: r6 - 16 Apr 2011, KennethLavrsen