CerealGuy

  • Posts: 343
[Behaviour] Keep post data on Login
« on July 21st, 2016, 11:57 PM »
Following problem occurs from time to time:
When I'm trying to create a new post and during this the session expires, the content gets lost. I think that's true for all $_POST related stuff. $_GET stuff is fine because of the redirection after the login.

Idea: Put all $_POST data in a hidden form when the Login form is getting displayed and try to send that back to the original form/action. I will try to do that.
How is SMF doing this?

Nao

  • Dadman with a boy
  • Posts: 16,079
[Behaviour] Re: Keep post data on Login
« Reply #1, on August 2nd, 2016, 12:26 PM »
I don't think SMF is doing anything about that..?

Your session shouldn't usually expire anyway..? I think the default in Wedge is the upper end of our cookie length choices..?

CerealGuy

  • Posts: 343
[Behaviour] Re: Keep post data on Login
« Reply #2, on August 10th, 2016, 03:30 PM »
This works until your session expires. The bigger the length the smaller the chance of losing your stuff. Still this is something that bugs me, and should be done better (in my opinion).

emanuele

  • Posts: 125
[Behaviour] Re: Keep post data on Login
« Reply #3, on August 11th, 2016, 11:02 PM »
If you plan on putting $_POST/$_GET data in hidden inputs, remember that if done slightly wrong it is a potential security risk, very similar to the one fixed two or three years ago for the admin login function.

CerealGuy

  • Posts: 343
[Behaviour] Re: Keep post data on Login
« Reply #4, on August 12th, 2016, 01:50 PM » Last edited on August 12th, 2016, 02:22 PM
Quote from emanuele on August 11th, 2016, 11:02 PM
If you plan on putting $_POST/$_GET data in hidden inputs, remember that if done slightly wrong it is a potential security risk, very similar to the one fixed two or three years ago for the admin login function.
That's the thing. It's a potential CSRF vulnerability if done wrong (?!). Or at least, it's what I muse about.
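One way to carry the idea from the first post through emanuele's warning, as an added example in PHP that is not Wedge's or SMF's own code: the submitted data stays in the server-side session, the login form only carries an opaque stash id plus an anti-CSRF token, and the resubmission is accepted only if both match the same session. `login_form()` is an assumed rendering helper; the caller is expected to re-dispatch the returned `action`/`data` itself.

```php
<?php
// Added example (not Wedge/SMF code): keep $_POST across a login prompt
// without echoing the raw data back into the login form.
// Assumptions: session_start() was already called and login_form($hidden)
// is a hypothetical helper that renders the login page with extra inputs.

declare(strict_types=1);

// Called when a POST arrives but the user's login has expired.
function stash_post_and_prompt_login(array $post, string $action): string
{
    // Keep the submitted data server-side, bound to *this* session only.
    $stash_id = bin2hex(random_bytes(16));
    $_SESSION['post_stash'][$stash_id] = ['action' => $action, 'data' => $post];

    // A per-session anti-CSRF token must accompany the resubmission.
    $_SESSION['csrf'] ??= bin2hex(random_bytes(16));

    // Only opaque identifiers go into hidden inputs, never the content
    // itself, and even those are HTML-escaped before being written out.
    $hidden = sprintf(
        '<input type="hidden" name="stash_id" value="%s">' .
        '<input type="hidden" name="csrf" value="%s">',
        htmlspecialchars($stash_id, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8')
    );
    return login_form($hidden);
}

// Called after the credentials have been verified; returns the stashed
// ['action' => ..., 'data' => ...] entry, or null if it must be discarded.
function resume_stashed_post(array $request): ?array
{
    $stash_id = (string) ($request['stash_id'] ?? '');
    $csrf     = (string) ($request['csrf'] ?? '');

    // Constant-time comparison so the token check cannot be timed.
    if (!isset($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $csrf)) {
        return null;
    }
    // The stash must exist in the same session that created it; anything
    // the client supplies that does not match is ignored, not trusted.
    if (!isset($_SESSION['post_stash'][$stash_id])) {
        return null;
    }
    $entry = $_SESSION['post_stash'][$stash_id];
    unset($_SESSION['post_stash'][$stash_id]);   // single use
    return $entry;
}
```

Because the content never leaves the server, a forged login page cannot pre-fill it, and a missing or mismatched token simply drops the stash instead of replaying it.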