Ticket #2622 (new enhancement)
Opened 2 months ago
SecurityID Form Submission with PHP Session Timeout
| Reported by: | ischommer | Assigned to: | ischommer |
|---|---|---|---|
| Type: | enhancement | Priority: | medium |
| Milestone: | | Component: | Sapphire Framework |
| Version: | 2.2.2 | Severity: | medium effort / impact |
| Keywords: | | Cc: | sharvey,sminnee,aoneil |
| Due date: | | Harvest Task: | (Unknown) |
| Invoice sent to client: | 0 | Hours: | |
Description
Example: Open a form (which generates a SecurityID, stores it in the PHP session and attaches it as a hidden field). Leave it for a couple of hours.
Currently, when the PHP session (or the session cookie) expires, a submission of this form is caught by the CSRF detection in Controller.php (which is generally fine, but not very good for usability).
Adjust Controller.php/Form.php to check for an existing PHP session on each form submission. If none is found:
- create a PHP Session and new SecurityID
- populate the form with the submitted values (but don't trigger any form actions)
- redirect back
- view error message "Your session has expired - please resubmit the form"
This way we can retain secure form submission even when the session has expired.
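The flow proposed above, written out as an added plain-PHP example. This is not Sapphire's Controller.php/Form.php code; the session keys `SecurityID`, `stashed_form` and `form_error`, the `handleSubmission()` function and the sample `Email` field are assumptions chosen for illustration. The expired-session path regenerates the token, stashes the submitted values, and redirects back without running any form action; a live session with a mismatching token is still rejected as CSRF.

```php
<?php
// Added example (not SilverStripe/Sapphire code): CSRF SecurityID handling
// that distinguishes "session expired" from "token mismatch".
declare(strict_types=1);

session_start();

// Return the per-session CSRF token, creating it on first use.
// The form embeds this value in a hidden field named SecurityID.
function getSecurityID(): string
{
    if (empty($_SESSION['SecurityID'])) {
        $_SESSION['SecurityID'] = bin2hex(random_bytes(16)); // 128-bit random token
    }
    return $_SESSION['SecurityID'];
}

// Handle a POSTed form. Returns 'ok', 'csrf' or 'expired'.
function handleSubmission(array $post): string
{
    if (empty($_SESSION['SecurityID'])) {
        // No SecurityID in the session: the PHP session (or its cookie) expired
        // after the form was rendered. Create a fresh token, keep the user's
        // input for repopulation (minus the stale token), and ask the caller
        // to redirect back. No form action runs on this path.
        getSecurityID();
        unset($post['SecurityID']);
        // Assumption: the form carries no secrets; never stash passwords or
        // card data in the session like this.
        $_SESSION['stashed_form'] = $post;
        $_SESSION['form_error'] = 'Your session has expired - please resubmit the form';
        return 'expired';
    }

    // Session is alive: the token must match exactly (constant-time compare).
    $given = (string)($post['SecurityID'] ?? '');
    if (!hash_equals($_SESSION['SecurityID'], $given)) {
        return 'csrf'; // forged or stale cross-site submission; do nothing
    }

    // Token valid: the real form action would run here.
    return 'ok';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = handleSubmission($_POST);
    if ($result === 'expired') {
        // Redirect back to the form (POST -> GET) so it re-renders with the new token.
        header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
        exit;
    }
    if ($result === 'csrf') {
        http_response_code(400);
        exit('Invalid form submission (SecurityID mismatch).');
    }
    exit('Form processed.');
}

// GET: render the form, repopulating fields from a stash left by the expired path.
$values = $_SESSION['stashed_form'] ?? [];
$error  = $_SESSION['form_error'] ?? null;
unset($_SESSION['stashed_form'], $_SESSION['form_error']);

$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

if ($error !== null) {
    echo '<p class="error">' . $h($error) . '</p>';
}
echo '<form method="post">';
echo '<input type="hidden" name="SecurityID" value="' . $h(getSecurityID()) . '">';
echo '<label>Email <input name="Email" value="' . $h((string)($values['Email'] ?? '')) . '"></label>';
echo '<button type="submit">Send</button>';
echo '</form>';
```

Two points worth keeping when porting this into Controller.php/Form.php: the expired branch must never execute the form's action, only stash and redirect, otherwise a request without a valid token gets side effects; and the stashed values should be read back through the form's own field escaping so repopulation does not reintroduce the attacker-controlled input unescaped.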