1
irmtfan
possible bug: invalid tokens will be checked in an infinite loop
  • 2012/9/10 6:59

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


You know, sometimes users cannot send posts in forums, news comments, etc. and will receive the same error again and again.
This is really annoying for new users.

E.g. in newbb they will receive this error constantly:
Quote:

Invalid submission. You could have exceeded session time. Please re-submit or make a backup of your post and login to resubmit if necessary.

I noticed this issue occurs mainly when users use "remember me", and the reason is that in the XoopsSecurity class invalid tokens will be checked in an infinite loop until the user logs out or the tokens somehow change.

In xoops255/class/xoopssecurity.php:

    function validateToken($token = false, $clearIfValid = true, $name = 'XOOPS_TOKEN')
    {
        global $xoopsLogger;
        // take the token from the request unless one was passed in explicitly
        $token = ($token !== false) ? $token : (isset($_REQUEST[$name . '_REQUEST']) ? $_REQUEST[$name . '_REQUEST'] : '');
        if (empty($token) || empty($_SESSION[$name . '_SESSION'])) {
            $xoopsLogger->addExtra('Token Validation', 'No valid token found in request/session');
            return false;
        }
        $validFound = false;
        $token_data = & $_SESSION[$name . '_SESSION'];
        // compare the submitted token against every token stored in the session
        foreach (array_keys($token_data) as $i) {
            if ($token === md5($token_data[$i]['id'] . $_SERVER['HTTP_USER_AGENT'] . XOOPS_DB_PREFIX)) {
                if ($this->filterToken($token_data[$i])) {
                    if ($clearIfValid) {
                        // token should be valid once, so clear it once validated
                        unset($token_data[$i]);
                    }
                    $xoopsLogger->addExtra('Token Validation', 'Valid token found');
                    $validFound = true;
                } else {
                    $str = 'Valid token expired';
                    $this->setErrors($str);
                    $xoopsLogger->addExtra('Token Validation', $str);
                }
            }
        }
        if (!$validFound) {
            $xoopsLogger->addExtra('Token Validation', 'No valid token found');
        }
        $this->garbageCollection($name);
        return $validFound;
    }

I tested this function on my huge website and I suggest clearing all tokens the first time they are considered invalid.

So I suggest adding this:

        if (!$validFound) {
            // START add by irmtfan
            $this->clearTokens($name);
            // END add by irmtfan
            $xoopsLogger->addExtra('Token Validation', 'No valid token found');
        }


I'm not a coder or developer, but I see the above will solve the issue.
I need your advice; then we can send it to the bug tracker.

Also this is a functional bug and not a security bug. (but really annoying for users)

IMO, because of some other bugs like the theme changing issue, the core team should investigate the following parts of the xoops core:
- sessions
- tokens
- remember me functionality

2
irmtfan
Re: possible bug: invalid tokens will be checked in an infinite loop
  • 2012/9/17 4:07

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


Does anybody have any idea?
This solution has worked great on my big site and forum.
Maybe we can just set aside the expired tokens like this:

        if (!$validFound) {
            // START add by irmtfan
            if (empty($str)) {
                $this->clearTokens($name);
            }
            // END add by irmtfan
            $xoopsLogger->addExtra('Token Validation', 'No valid token found');
        }
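
The two changes proposed in the posts above, modelled as an added example (not code from the thread or from XOOPS): a stand-alone token pool run under the quoted behaviour and under each proposal, showing what a failed validation does to the token of another form the same user still has open. Assumptions: a plain array stands in for the session, clearTokens() is taken to empty the whole pool, expiry is a simple timestamp check, and the names UA, PREFIX and the policy strings are hypothetical.

```php
<?php
// Simplified model of a session token pool. NOT the XOOPS implementation.
// Assumed: each entry is ['id' => ..., 'expire' => ...] and the form value is
// md5(id . user agent . prefix), as in the function quoted in the thread.
const UA = 'ExampleBrowser/1.0';   // constructed sample value
const PREFIX = 'x123';             // constructed sample value

function createToken(array &$pool, int $ttl): string {
    $id = bin2hex(random_bytes(16));
    $pool[] = ['id' => $id, 'expire' => time() + $ttl];
    return md5($id . UA . PREFIX);
}

// $policy: 'stock' = function as quoted, 'clear' = change from post 1,
// 'clear_unless_expired' = change from post 2 (hypothetical labels).
function validateToken(array &$pool, string $token, string $policy): bool {
    $valid = false;
    $expiredHit = false;
    foreach (array_keys($pool) as $i) {
        if ($token === md5($pool[$i]['id'] . UA . PREFIX)) {
            if ($pool[$i]['expire'] >= time()) {
                unset($pool[$i]);      // one-time use
                $valid = true;
            } else {
                $expiredHit = true;    // matched, but past its lifetime
            }
        }
    }
    if (!$valid && ($policy === 'clear'
        || ($policy === 'clear_unless_expired' && !$expiredHit))) {
        $pool = [];                    // assumed effect of clearTokens($name)
    }
    // garbage collection: drop expired entries
    $pool = array_filter($pool, fn($t) => $t['expire'] >= time());
    return $valid;
}

foreach (['stock', 'clear', 'clear_unless_expired'] as $policy) {
    $pool = [];
    $formA = createToken($pool, 900);             // form left open in another tab
    $stale = md5('not-in-pool' . UA . PREFIX);    // constructed token absent from the pool
    $first = validateToken($pool, $stale, $policy);   // the failing submission
    $second = validateToken($pool, $formA, $policy);  // the other form, submitted afterwards
    printf("%-21s stale=%s  formA afterwards=%s\n", $policy,
        var_export($first, true), var_export($second, true));
}
```

Under both proposed policies the pool is emptied by the failed submission, so the other open form has to be reloaded to obtain a fresh token before it can be submitted.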


3
irmtfan
Re: possible bug: invalid tokens will be checked in an infinite loop
  • 2012/9/19 4:22

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


I will send it to the tracker.
I wonder why many people complained about this issue in the xoops forums in the past, but now nobody has any comment when a possible solution is found?

4
Mamba
Re: possible bug: invalid tokens will be checked in an infinite loop
  • 2012/9/19 5:38

  • Mamba

  • Moderator

  • Posts: 11409

  • Since: 2004/4/23


I don't think that I've seen this error for a long time.

But please submit it to Bug Tracker, so at least we can track it.

Thanks!

5
irmtfan
Re: possible bug: invalid tokens will be checked in an infinite loop
  • 2012/9/19 5:53

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


OK, I sent it to the tracker:
https://sourceforge.net/tracker/?func=detail&aid=3569279&group_id=41586&atid=430840

People with high-speed internet connections don't have this issue.
I recognize that mainly those with poor internet connections have this issue.
E.g. I have it on xoops.org sometimes when I am logged in via GPRS.
