Bug #24755

Re: issue #24715 - problem still exists in 4.5.0rc1

Added by Jochen Weiland over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2011-01-23
Due date:
% Done:

0%

TYPO3 Version:
4.5
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Follow-up to 17203
When the BE session expires and I re-enter the password, eventually some errors show up in the BE.

According to SK the fix from issue #24715 has been committed to RC1, but I can still reproduce it there at re-login (in this case in the form displayed by Web>Template>Info/Modify>Edit whole template record>Includes).

Error msg:

ExtDirect: Invalid Security Token!

Backtrace:

#0 [internal function]: t3lib_extjs_ExtDirectRouter->route(Array, Object(TYPO3AJAX))
#1 /.../typo3_src-4.5.0rc1/t3lib/class.t3lib_div.php(5134): call_user_func_array(Array, Array)
#2 /.../typo3_src-4.5.0rc1/typo3/ajax.php(73): t3lib_div::callUserFunction('t3lib/extjs/cla...', Array, Object(TYPO3AJAX), false, true)
#3 {main}

(issue imported from #M17247)

17247.diff View (971 Bytes) Administrator Admin, 2011-01-23 18:21

17247_v2.diff View (395 Bytes) Administrator Admin, 2011-01-25 20:31


Related issues

Related to TYPO3 Core - Bug #24715: The ExtDirect token needs to be regenerated after relogin by popup window Closed 2011-01-22
Related to TYPO3 Core - Bug #24671: Protect C(R)UD actions against CSRF Closed 2011-01-20
Related to TYPO3 Core - Bug #24808: Unnecessary message about security token Closed 2011-01-25
Related to TYPO3 Core - Bug #24873: Open forms cannot be saved after "Relogin" (Security Token errors) Closed 2011-01-28
Related to TYPO3 Core - Bug #24870: Regression: The ExtDirect token needs to be regenerated after relogin by popup window Closed 2011-01-28

History

#1 Updated by Helmut Hummel over 9 years ago

As a temporary solution, could you please try the attached patch?

#2 Updated by Kay Strobach over 9 years ago

I have the same problem with ExtDirect stores, which worked until some days ago ...

These code snippets are part of ext:ks_sitemgr

I do use ExtDirect with stores and get:

#0 [internal function]: t3lib_extjs_ExtDirectRouter->route(Array, Object(TYPO3AJAX))
#1 <..>\t3-4_5\t3lib\class.t3lib_div.php(5134): call_user_func_array(Array, Array)
#2 <..>\t3-4_5\typo3\ajax.php(73): t3lib_div::callUserFunction('t3lib/extjs/cla...', Array, Object(TYPO3AJAX), false, true)
#3 {main}

I used the following code to register my extdirect functions:
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['ExtDirect']['TYPO3.ks_sitemgr.tabs'] =
'EXT:ks_sitemgr/lib/class.tx_ks_sitemgr_direct.php:tx_ks_sitemgr_direct';

So where is the problem?

The extension uses the above-mentioned class to call subfunctions (routing), as it allows registering some children.

#3 Updated by Helmut Hummel over 9 years ago

Did you try if the attached patch solves the issue?

#4 Updated by Kay Strobach over 9 years ago

patched,
cleared cache,
logged out,
same problem. :(((

ExtDirect: Invalid Security Token!
Backtrace:

#0 [internal function]: t3lib_extjs_ExtDirectRouter->route(Array, Object(TYPO3AJAX))
#1 E:\devenv\mowesII\www\t3-4_5\t3lib\class.t3lib_div.php(5134): call_user_func_array(Array, Array)
#2 E:\devenv\mowesII\www\t3-4_5\typo3\ajax.php(73): t3lib_div::callUserFunction('t3lib/extjs/cla...', Array, Object(TYPO3AJAX), false, true)
#3 {main}

#5 Updated by Kay Strobach over 9 years ago

There is no need to re-login (I assume an expiring session) to reproduce the problem I described above - it's always there.

#6 Updated by Kay Strobach over 9 years ago

for me this is a blocker - is there a solution on the horizon?

#7 Updated by Helmut Hummel over 9 years ago

The Ext stuff can be fixed (the Ext-Exceptions will not show up any more), but if there is any open form which has form tokens in it, they will be invalid. I have no solution for that.

#8 Updated by Kay Strobach over 9 years ago

my extension loads 4 stores after onReady is thrown - all the stores are empty, as there are these f*** exceptions ...

It's ok to show the exceptions to see that there is an error - but there must be a solution to fix that and get my extension working again.
It worked for 2 years now ;) and shortly before the 4.5 release it's broken - that's what frustrates me - why not in the betas?
So for me the integration came too late :(( - even if I would like to have such a security feature.

will there be a way to disable this protection mechanism?

Additionally I was not able to delete a template record via the list module context menu (workaround: edit > click on the trash bin in the TCEform).

#9 Updated by Helmut Hummel over 9 years ago

Attached patch solves the issue by reloading the backend after login.

Sorry, no other solution atm.

#10 Updated by Kay Strobach over 9 years ago

No, sorry, I updated to trunk and re-patched with your v2 - same problem.

Clicking on Web > List the first time shows the following error 3 times:
Die Validierung des Sicherheitstokens dieses Formulars ist fehlgeschlagen. Bitte laden Sie das Formular erneut und schicken Sie es dann noch einmal ab.

Clicking in trunk 10309 on Web > List the first time shows the following error 5 times:
Die Validierung des Sicherheitstokens dieses Formulars ist fehlgeschlagen. Bitte laden Sie das Formular erneut und schicken Sie es dann noch einmal ab.

#11 Updated by Helmut Hummel over 9 years ago

Kay, sorry for any inconvenience and yes I agree it would have been better to integrate this earlier. Nevertheless, please stay polite, thanks.

Now to the issue. This only happens if the user session is lost anyway.

So reloading the backend is the only solution I have.

#12 Updated by Kay Strobach over 9 years ago

Hi Helmut,

I meant you don't need to be sorry, with the words: "no, sry"

It's fully ok to have bugs/problems in the pre-release phase. I would also change everything that needs to be done to upgrade my extensions.

I would also like to help with more information if you tell me what I can tell you to find a solution (I try to answer fast, because of the scheduled release date ;)

I also examined the new extension manager to find a solution, as it seems to work quite well with the new XSRF protection - I can't find any difference in typo3/sysext/em/res/js/em_languages.js compared to my store.

Thanks

#13 Updated by Helmut Hummel over 9 years ago

Kay, after debugging your code I found the problem.

Just remove the following line in your extjs.js:
Ext.Direct.addProvider(Ext.app.ExtDirectAPI['TYPO3.ks_sitemgr']);

This might have worked previously, but was not the right way to do it.

If you remove it, the token gets automatically injected in the calls of your application and makes it more secure en passant. Nice, isn't it?

Now you owe me a beer ;)

#14 Updated by Kay Strobach over 9 years ago

you are a god ;)

I used a tutorial to generate the TYPO3 specific stuff :(

But you're right, the current wiki article (I don't know if that was the tutorial) doesn't mention the above function.
http://wiki.typo3.org/ExtDirect

I added a hint about how to solve that problem http://wiki.typo3.org/ExtDirect#ExtDirect:_Invalid_Security_Token.21 .

How can I owe you a beer? Sadly I never found the time to visit a T3con/BarCamp - so that can be hard if there isn't a different way ;)

THANKS a lot
Kay

#15 Updated by Steffen Gebert over 9 years ago

Jochen, can you confirm that this issue is fixed?

#16 Updated by Peter Niederlag over 9 years ago

I can confirm this issue on https://svn.typo3.org/TYPO3v4/Core/trunk@10332 2010-01-26 13:00 (which is more recent than RC3!)

#17 Updated by Peter Niederlag over 9 years ago

pn@delle:/usr/local/typo3_src_git/trunk$ grep -r 'Ext.Direct.addProvider(Ext.app' *
t3lib/class.t3lib_pagerenderer.php: var provider = Ext.Direct.addProvider(Ext.app.ExtDirectAPI[api]);

Sorry, I didn't track the development on this. Is this ^^ code outdated and the cause of the problem?

#18 Updated by Kay Strobach over 9 years ago

@Peter:
For me the following line was the problem:

Ext.Direct.addProvider(Ext.app.ExtDirectAPI[api]);

So let's say yes!
I simply removed that line and everything was fine ;)

#19 Updated by Peter Niederlag over 9 years ago

Currently I just can't (re-)produce the error anymore.... so I let it stay for another while and see if it comes back again...

#20 Updated by Stefan Galinski over 9 years ago

Please always use the following API function to add the ext direct provider registration code!

$pageRenderer->addExtDirectCode();
This code can not be used anymore since the integration of the CSRF protection. Please keep this in mind and follow the ExtDirect documentation in the TYPO3 wiki.

Ext.Direct.addProvider(Ext.app.ExtDirectAPI[api]);

#21 Updated by Ernesto Baschny over 9 years ago

Please don't mix the issues!!!

The original post (from Jochen, see his description) was about the relogin, where security tokens are not valid anymore (because the old session might have expired). This is as far as I recall not completely solved yet.

The whole ExtDirect troubles are not "directly" related to this story, so consider opening another issue for that if this is still a problem in 4.5.0 final.

#22 Updated by Peter Niederlag over 9 years ago

So basically 17203 and 17247 seem to be quite the same(?).

the problem is triggered by the timeout of the BE-Session.

Currently I use:
$TYPO3_CONF_VARS['BE']['showRefreshLoginPopup'] = '';

> After timeout and resubmitting my pw I (re)login but eventually will be faced with these errors until I reload the backend twice.

#23 Updated by Ernesto Baschny over 9 years ago

There are two different issues at relogin:

1) One is the ExtDirect calls, which are the worst part, because many parts of the BE which are not reloaded don't work anymore (pagetree, context sensitive help, ...). This should be fixed with #24870 (pending in core, please test).

2) The other is open forms which haven't been submitted yet: the token is in a hidden field, and if the session has expired in the meantime, the session data (including the original tokens) is gone, so saving that form after the relogin won't be able to validate it.

To keep issues focused, I close this "generic" one and keep both new issues open:

for 1) => #24870
for 2) => #24870

Thanks!
