Project

General

Profile

Actions

Bug #24755

closed

Re: issue #24715 - problem still exists in 4.5.0rc1

Added by Jochen Weiland almost 14 years ago. Updated almost 14 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2011-01-23
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.5
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

followup to 17203
When be session expires and i re-enter the password evetually some Errors show up in the BE ===================

According to SK the fix from issue #24715 has been commited to RC1, but I can still reproduce it there at re-login (in this case in the form displayed by Web>Template>Info/Modify>Edit whole template record>Includes.

Error msg:

ExtDirect: Invalid Security Token!

Backtrace:

#0 [internal function]: t3lib_extjs_ExtDirectRouter->route(Array, Object(TYPO3AJAX))
#1 /.../typo3_src-4.5.0rc1/t3lib/class.t3lib_div.php(5134): call_user_func_array(Array, Array)
#2 /.../typo3_src-4.5.0rc1/typo3/ajax.php(73): t3lib_div::callUserFunction('t3lib/extjs/cla...', Array, Object(TYPO3AJAX), false, true)
#3 {main}

(issue imported from #M17247)


Files

17247.diff (971 Bytes) 17247.diff Administrator Admin, 2011-01-23 18:21
17247_v2.diff (395 Bytes) 17247_v2.diff Administrator Admin, 2011-01-25 20:31

Related issues 5 (0 open5 closed)

Related to TYPO3 Core - Bug #24715: The ExtDirect token needs to be regenerated after relogin by popup windowClosedHelmut Hummel2011-01-22

Actions
Related to TYPO3 Core - Bug #24671: Protect C(R)UD actions against CSRFClosedErnesto Baschny2011-01-20

Actions
Related to TYPO3 Core - Bug #24808: Unnecessary message about security tokenClosedHelmut Hummel2011-01-25

Actions
Related to TYPO3 Core - Bug #24873: Open forms cannot be saved after "Relogin" (Security Token errors)ClosedSteffen Kamper2011-01-28

Actions
Related to TYPO3 Core - Bug #24870: Regression: The ExtDirect token needs to be regenerated after relogin by popup windowClosedErnesto Baschny2011-01-28

Actions
Actions #1

Updated by Helmut Hummel almost 14 years ago

As a temporary solution, could you please try the attached patch?

Actions #2

Updated by Kay Strobach almost 14 years ago

have the same problem with extdirect stores which worked until some days before ...

These code snipepts are part of ext:ks_sitemgr

I do use ExtDirect with stores and get:

0 [internal function]: t3lib_extjs_ExtDirectRouter->route(Array,
Object(TYPO3AJAX))
#1 <..>\t3-4_5\t3lib\class.t3lib_div.php(5134):
call_user_func_array(Array, Array)
#2 <..>\t3-4_5\typo3\ajax.php(73):
t3lib_div::callUserFunction('t3lib/extjs/cla...', Array,
Object(TYPO3AJAX), false, true)
#3 {main}

I used the following code to register my extdirect functions:
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['ExtDirect']['TYPO3.ks_sitemgr.tabs'] =
'EXT:ks_sitemgr/lib/class.tx_ks_sitemgr_direct.php:tx_ks_sitemgr_direct';

So where is the problem?

The extension uses the above called class to call subfunctions (routing)
as it allows to register some childrens.

Actions #3

Updated by Helmut Hummel almost 14 years ago

Did you try if the attached patch solves the issue?

Actions #4

Updated by Kay Strobach almost 14 years ago

patched,
cleared cache,
logged out,
same problem. :(((

ExtDirect: Invalid Security Token!
Backtrace:

#0 [internal function]: t3lib_extjs_ExtDirectRouter->route(Array, Object(TYPO3AJAX))
#1 E:\devenv\mowesII\www\t3-4_5\t3lib\class.t3lib_div.php(5134): call_user_func_array(Array, Array)
#2 E:\devenv\mowesII\www\t3-4_5\typo3\ajax.php(73): t3lib_div::callUserFunction('t3lib/extjs/cla...', Array, Object(TYPO3AJAX), false, true)
#3 {main}

Actions #5

Updated by Kay Strobach almost 14 years ago

there is no need to reloging (i assume expiring session) to reproduce the problem i described above - it's always there

Actions #6

Updated by Kay Strobach almost 14 years ago

for me this is a blocker - is there a solution on the horizon?

Actions #7

Updated by Helmut Hummel almost 14 years ago

The Ext stuff can be fixed (the Ext-Exceptions will not show up any more), but if there is any open form which has form tokens in it, they will be invalid. I have no solution for that.

Actions #8

Updated by Kay Strobach almost 14 years ago

my extension loads 4 stores after onReady is thrown - all the stores are empty, as there are these f*** exceptions ...

It's ok to show up the exceptions to see that there is an error - but there must be a solution to fix that and get my extension working again.
it worked 2 years now ;) and short before 4.5 release it's broken - that's what frustrates me - why not in the beta's.
So for me the integration came to late :(( - even if i would like to have such a securityfeature.

will there be a way to disable this protection mechanism?

additionally i was not able to delete a template record via listmodule contextmenu (workaround edit > click on trashbin in tceform)

Actions #9

Updated by Helmut Hummel almost 14 years ago

Attached patch solves the issue by reloading the backend after login.

Sorry, no other solution atm.

Actions #10

Updated by Kay Strobach almost 14 years ago

no sry, i updated to trunk and repatched with you v2 - same problem

clicking on Web > List first time shows the following error 3 times:
Die Validierung des Sicherheitstokens dieses Formulars ist fehlgeschlagen. Bitte laden Sie das Formular erneut und schicken Sie es dann noch einmal ab.

clicking in trunk 10309 on Web > List first time shows the following error 5 times:
Die Validierung des Sicherheitstokens dieses Formulars ist fehlgeschlagen. Bitte laden Sie das Formular erneut und schicken Sie es dann noch einmal ab.

Actions #11

Updated by Helmut Hummel almost 14 years ago

Kay, sorry for any inconvenience and yes I agree it would have been better to integrate this earlier. Nevertheless, please stay pollite, thanks.

Now to the issue. This only happens is the user session is lost anyway.

So reloading the backend is the only solution I have.

Actions #12

Updated by Kay Strobach almost 14 years ago

Hi Helmut,

i meant you don't need to be sorry with the words : "no, sry"

It's fully ok to have bugs/problems in the pre release phase. I would also change everything what needs to be done to upgrade my extensions.

i would also like to help with more information if you tell me what i can tell you to find a solution (i try to answer fast, because of the sheduled release date ;)

I also examined the new extensionmanager to find a solution as it seems to work quite well with the new xsrf protection - i can't find any difference in typo3/sysext/em/res/js/em_languages.js to my store.

Thanks

Actions #13

Updated by Helmut Hummel almost 14 years ago

Kay, after debugging your code I found the problem.

Just remove the following line in your extjs.js:
Ext.Direct.addProvider(Ext.app.ExtDirectAPI['TYPO3.ks_sitemgr']);

This might have worked previously, but was not the right way to do it.

If you remove it, the the token gets automatically injected in the call of your application and makes it more secure en passant. Nice isn't it?

Now you owe me a beer ;)

Actions #14

Updated by Kay Strobach almost 14 years ago

you are a god ;)

I used a tutorial to generate the TYPO3 specific stuff :(

But you're right the current wiki article (i don't know if that was the tutorial) doesn't mention the above function.
http://wiki.typo3.org/ExtDirect

I added a hint about how to solve that problem http://wiki.typo3.org/ExtDirect#ExtDirect:_Invalid_Security_Token.21 .

How can i owe you a beer? Sadly never found the time to visit a T3con/BarCamp - so that can be hard if there isn't a different way ;)

THANKS a lot
Kay

Actions #15

Updated by Steffen Gebert almost 14 years ago

Jochen, can you confirm that this issue is fixed?

Actions #16

Updated by Peter Niederlag almost 14 years ago

I can confirm this issue on https://svn.typo3.org/TYPO3v4/Core/trunk@10332 2010-01-26 13:00 (which is more recent than RC3!)

Actions #17

Updated by Peter Niederlag almost 14 years ago

pn@delle:/usr/local/typo3_src_git/trunk$ grep -r 'Ext.Direct.addProvider(Ext.app' *
t3lib/class.t3lib_pagerenderer.php: var provider = Ext.Direct.addProvider(Ext.app.ExtDirectAPI[api]);

sry, I didn't track the development on this. Is this ^^ code outdated and the cause of the problem?

Actions #18

Updated by Kay Strobach almost 14 years ago

@Peter:
For me the following line was the problem:

Ext.Direct.addProvider(Ext.app.ExtDirectAPI[api]);

so lets say yes!
I simply removed that line and everything was fine ;)

Actions #19

Updated by Peter Niederlag almost 14 years ago

Currently I just cant (re-)produce the error anymore.... so I let it stay for another while and see if it comes back again...

Actions #20

Updated by Stefan Galinski almost 14 years ago

Please always use the following API function to add the ext direct provider registration code!

$pageRenderer->addExtDirectCode();


This code can not be used anymore since the integration of the CSRF protection. Please keep this in mind and follow the ExtDirect documentation in the TYPO3 wiki.

Ext.Direct.addProvider(Ext.app.ExtDirectAPI[api]);

Actions #21

Updated by Ernesto Baschny almost 14 years ago

Please don't mix the issues!!!

The original post (from Jochen, see his description) was about the relogin, where security tokens are not valid anymore (because the old session might have expired). This is as far as I recall not completely solved yet.

The whole ExtDirect troubles are not "directly" related to this story, so consider opening another issue for that if this is still a problem in 4.5.0 final.

Actions #22

Updated by Peter Niederlag almost 14 years ago

so basicly 17203 and 17247 seem to be quite the same(?).

the problem is triggered by the timeout of the BE-Session.

Currently I use:
$TYPO3_CONF_VARS['BE']['showRefreshLoginPopup'] = '';

> After timeout and resubmitting my pw I (re)login but eventually will be faced with these erros until i reload the backend twice.

Actions #23

Updated by Ernesto Baschny almost 14 years ago

There are two different issues at relogin:

1) One is the ExtDirect calls, which are the worse part, because many parts of the BE which are not reloaded doesn't work anymore (pagetree, context sensitive help, ...). This should be fixed with #24870 (pending in core, please test).

2) The other are open forms which haven't been submitted yet: The token is in a hidden field, and if the session has expired in the meantime, the session data (including the original tokens) are gone, so when saving that form after the relogin won't be able to validate them.

To keep issues focused, I close this "generic" one and keep both new issues open:

for 1) => #24870
for 2) => #24870

Thanks!

Actions

Also available in: Atom PDF