#1281 Latest typed content in comment box disappears after clicking Update Issue
Closed: Fixed 6 years ago Opened 6 years ago by amsharma.

This has happened a few times now: I type a comment on an issue and, after clicking Update issue, my typed content just gets lost. It is super irritating to retype my own written words, especially when the content length is considerably big. I think @jflory7 also faced the same issue; we discussed it.

It is a potential bug to fix :)


This usually happens to me if I'm typing for some time or I have the window open for a while – it's like the Pagure page "times out". I will click the "Update issue" button, my text will disappear, and the page will not change. If I refresh, sometimes my content is there, other times, my comment is lost.

From a technical side, I don't know what a fix would look like, but some sort of "keep alive" sort of thing feels like a possible answer. I would definitely like to see a solution for this issue as well. :smile:

So there are two issues at hand here:

  • The SSE server: every once in a while, we run into #462 and the SSE server needs to be restarted

  • CSRF protection: the CSRF token used in all pages and forms to protect from cross-site forgery has a limited lifetime. If you exceed it, the update process will fail.

I have been wondering about either removing CSRF here or just extending it (which may never be enough).
Removing seems both extreme and maybe not so secure; extending seems a little pointless as well, so I'm not quite sure what the best solution is for this :)

How about making the CSRF token part of the session, so that it has the same validity time?
The CSRF token doesn't need to change during a session, but we do need it.

So the CSRF expiration issue has been fixed in:
https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=029f5225acae4665a96713b666daa53d0102a511

It's based on a finding from @puiterwijk which is also documented at: https://flask-wtf.readthedocs.io/en/latest/config.html

This way, we keep the CSRF token/protection while coupling it with the duration of the user's session.

I'm going to close this ticket, as the remaining issue is already reported at #462.

Thanks for the report and the discussion :)

@pingou changed the status to Fixed

6 years ago
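
The behaviour discussed in this thread, modelled with the standard library as an added example (not Pagure's or Flask-WTF's code): the same signed token is checked once with a fixed time limit and once with no time limit, where validity depends only on the session. `SECRET_KEY`, the function names, the one-hour limit and the dict standing in for a session are assumptions; Flask-WTF documents the corresponding setting as `WTF_CSRF_TIME_LIMIT`.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key"  # assumption: server-side signing key


def issue_token(session, now):
    """Store a random value in the session and return a signed, timestamped token."""
    session.setdefault("csrf", secrets.token_hex(16))
    payload = f"{session['csrf']}.{int(now)}"
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def validate_token(session, token, now, time_limit):
    """Return (ok, reason). time_limit=None ties validity to the session only."""
    try:
        raw, issued, sig = token.split(".")
        issued = int(issued)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET_KEY, f"{raw}.{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if time_limit is not None and now - issued > time_limit:
        return False, "expired"  # the failure reported in this ticket
    if "csrf" not in session or not hmac.compare_digest(raw, session["csrf"]):
        return False, "session mismatch"
    return True, "ok"


def demo():
    session = {}                          # constructed stand-in for the user's session
    token = issue_token(session, now=0)   # page rendered at t=0
    later = 2 * 3600                      # comment submitted two hours later
    return {
        "fixed_limit": validate_token(session, token, later, time_limit=3600),
        "session_bound": validate_token(session, token, later, time_limit=None),
        "after_logout": validate_token({}, token, later, time_limit=None),
        "other_session": validate_token({"csrf": secrets.token_hex(16)}, token, later, None),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

With no time limit the token still fails once the session is gone or belongs to someone else, so the cross-site protection is kept while the long-open comment form no longer loses its submission.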
