This repository has been archived by the owner on Feb 8, 2018. It is now read-only.

tip buttons broken #91

Closed
chadwhitacre opened this issue Jun 29, 2012 · 10 comments

Comments

@chadwhitacre
Contributor

This is a regression introduced with #88.

steps

  • visit a person on Gittip
  • click "GitHub" at bottom to authenticate
  • click a tip button

expected

Tip changes.

actual

403 from tip.json

@chadwhitacre
Contributor Author

I'm not able to reproduce locally.

It's something in the cookie interaction. I wouldn't rule out a bug in Aspen's cookie implementation.

@chadwhitacre
Contributor Author

When I first hit a page I see:

Set-Cookie:csrf_token=7YSfyblahblahblah; expires=Fri, 28 Jun 2013 16:38:48 GMT; Path=/

Then when I click "GitHub" and land back on the page I have:

Set-Cookie:csrf_token=7YSfyblahblahblah; expires=Fri, 28 Jun 2013 16:41:26 GMT; Path=/, session=6604537blahblahblah; expires=Fri, 06 Jul 2012 16:41:26 GMT; httponly; Path=/

Then when I click a tip button I get this from tip.json:

Set-Cookie:csrf_token=7YSfyblahblahblah; expires=Fri, 28 Jun 2013 16:45:07 GMT; Path=/, session=; expires=Thu, 01 Jan 1970 00:00:00 GMT; httponly; Path=/

@chadwhitacre
Contributor Author

Locally when I first hit a page I see:

Set-Cookie:csrf_token=UBcpKXblahblahblah; expires=Fri, 28 Jun 2013 16:42:52 GMT; Path=/

Then when I land back at the page I get:

Set-Cookie:csrf_token=UBcpKXblahblahblah; expires=Fri, 28 Jun 2013 16:43:33 GMT; Path=/, session=f9520ablahblahblah; expires=Fri, 06 Jul 2012 16:43:33 GMT; httponly; Path=/

When I tip I get this from tip.json:

Set-Cookie:csrf_token=UBcpKXblahblahblah; expires=Fri, 28 Jun 2013 16:46:04 GMT; Path=/, session=f9520ablahblahblah; expires=Fri, 06 Jul 2012 16:46:04 GMT; httponly; Path=/

@chadwhitacre
Contributor Author

So the session is cleared somehow when I hit tip.json. This happens in production but not locally. Does the server receive the session token and fail to set it again on the way out? Or does the server not receive the session token?
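
The question above can be answered from the headers already pasted in the thread: the production `tip.json` response carries `session=` with an empty value and an `expires` in 1970, which is how a server deletes a cookie, while the local response re-issues the same session value. The following is an added example (not code from the issue or from Gittip/Aspen) that parses the folded `Set-Cookie` lines quoted above and flags any cookie the response clears. Function names are this example's own; the header strings are copied verbatim from the comments (token values already redacted by the author), and the observation time is a constructed value on the day of the thread.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Split a folded Set-Cookie value only where a new "name=" begins after a comma,
# so the comma inside "expires=Fri, 28 Jun 2013 ..." does not split a cookie in two.
_COOKIE_BOUNDARY = re.compile(r",\s+(?=[A-Za-z_][\w-]*=)")


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)   # expires=..., path=... (lower-cased keys)
    flags: set = field(default_factory=set)     # httponly, secure (lower-cased)

    def expires_at(self):
        raw = self.attrs.get("expires")
        return parsedate_to_datetime(raw) if raw else None

    def clears_cookie(self, now):
        """A server deletes a cookie by sending an empty value and/or a past Expires."""
        exp = self.expires_at()
        return self.value == "" or (exp is not None and exp <= now)


def parse_set_cookie(header):
    """Parse one (possibly folded) Set-Cookie header into Cookie objects."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    cookies = []
    for chunk in _COOKIE_BOUNDARY.split(header.strip()):
        parts = [p.strip() for p in chunk.split(";") if p.strip()]
        name, _, value = parts[0].partition("=")
        cookie = Cookie(name.strip(), value.strip())
        for attr in parts[1:]:
            key, sep, val = attr.partition("=")
            key = key.strip().lower()
            if sep:
                cookie.attrs[key] = val.strip()
            else:
                cookie.flags.add(key)
        cookies.append(cookie)
    return cookies


def audit_response_cookies(header, now):
    """Map cookie name -> list of findings: 'cleared' and/or 'no Secure flag'."""
    findings = {}
    for cookie in parse_set_cookie(header):
        issues = []
        if cookie.clears_cookie(now):
            issues.append("cleared")
        if "secure" not in cookie.flags:
            issues.append("no Secure flag")
        findings[cookie.name] = issues
    return findings


# Headers copied from the comments above (production vs. local tip.json response).
PROD_TIP_RESPONSE = (
    "Set-Cookie:csrf_token=7YSfyblahblahblah; expires=Fri, 28 Jun 2013 16:45:07 GMT; Path=/, "
    "session=; expires=Thu, 01 Jan 1970 00:00:00 GMT; httponly; Path=/"
)
LOCAL_TIP_RESPONSE = (
    "Set-Cookie:csrf_token=UBcpKXblahblahblah; expires=Fri, 28 Jun 2013 16:46:04 GMT; Path=/, "
    "session=f9520ablahblahblah; expires=Fri, 06 Jul 2012 16:46:04 GMT; httponly; Path=/"
)
# Constructed reference time: the day the issue was filed.
OBSERVED_AT = datetime(2012, 6, 29, 16, 45, 7, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, header in (("production", PROD_TIP_RESPONSE), ("local", LOCAL_TIP_RESPONSE)):
        print(label, audit_response_cookies(header, OBSERVED_AT))
```

Run against the two responses, the production `session` cookie is reported as cleared and the local one is not, which narrows the problem to the server side of `tip.json` rather than to the browser. The audit also notes that neither cookie carries the `Secure` flag; that matters once the site is served over HTTPS, which is exactly the environmental difference discussed further down.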

@chadwhitacre
Contributor Author

It happens in production from all three of these pages:

  • my personal page, the buttons for the people I tip
  • a claimed account /foo/
  • an unclaimed account /github/foo/

@chadwhitacre
Contributor Author

It only happens for tip.json. I can otherwise browse around the site and not have my session dropped.

Oh! I bet it's the is_secure check. That's an environmental difference.
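
The `is_secure` hunch fits the symptoms: in Django's CSRF middleware the Referer check only runs for requests that arrived over HTTPS, so a defect on that path never executes on a developer's plain-http instance and shows up for the first time behind TLS in production as a 403 from a POST endpoint such as `tip.json`. The following is an added example (not Gittip's or Django's code) of a simplified check in that shape, together with a small matrix that drives the same tip POST through both environments so the secure-only branch is exercised before deployment. The function names, the `gittip.example` and `localhost:8080` hosts and the request contents are constructed for the example; the `csrf_token` cookie name and token string come from the thread.

```python
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def check_csrf(method, is_secure, host, headers, cookies, form):
    """Return None when the request passes, else a short reason (the caller answers 403).

    Modeled on Django's CsrfViewMiddleware: the Referer check runs only when the
    request came in over HTTPS, so a broken Referer lookup surfaces in production
    and stays invisible over plain http locally.
    """
    if method.upper() in SAFE_METHODS:
        return None
    if is_secure:
        referer = headers.get("Referer")
        if not referer:
            return "referer missing on secure request"
        parsed = urlsplit(referer)
        if parsed.scheme != "https" or parsed.netloc.lower() != host.lower():
            return "referer does not match host"
    cookie_token = cookies.get("csrf_token")
    if not cookie_token:
        return "csrf cookie missing"
    # Double-submit: the token in the form (or header) must equal the cookie token.
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(cookie_token, submitted):
        return "csrf token mismatch"
    return None


def environment_matrix():
    """Drive one constructed tip POST through both environments and return the outcomes."""
    token = "7YSfyblahblahblah"  # token string copied from the thread's cookie
    cookies = {"csrf_token": token, "session": "constructed-session-value"}
    form = {"csrf_token": token, "amount": "1.00"}
    good_referer = {"Referer": "https://gittip.example/foo/"}
    cases = {
        # Local development: plain http, so the Referer branch is never reached.
        "local http, no referer": dict(is_secure=False, host="localhost:8080", headers={}),
        # Production behind TLS: Referer is required and must match the host.
        "prod https, referer ok": dict(is_secure=True, host="gittip.example", headers=good_referer),
        "prod https, no referer": dict(is_secure=True, host="gittip.example", headers={}),
        "prod https, token mismatch": dict(is_secure=True, host="gittip.example", headers=good_referer,
                                           form={"csrf_token": "somethingelse", "amount": "1.00"}),
    }
    return {
        label: check_csrf("POST", case["is_secure"], case["host"], case["headers"],
                          cookies, case.get("form", form))
        for label, case in cases.items()
    }


if __name__ == "__main__":
    for label, outcome in environment_matrix().items():
        print(f"{label:30} -> {outcome or 'ok'}")
```

The point of the matrix is the first two rows: the same request passes in both environments, yet only the HTTPS row ever touches the Referer header. Any test suite that runs the middleware solely with `is_secure=False` leaves that branch, and whatever API call it makes, untested.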

chadwhitacre added a commit that referenced this issue Jun 29, 2012
In porting crsf.py from Django I neglected to clean up an API call for
accessing the Referer header.

@chadwhitacre
Contributor Author

Let's see if that does it ...

@chadwhitacre
Contributor Author

Okay, appears to have worked.

@chadwhitacre
Contributor Author

Phew!

@chadwhitacre
Contributor Author

Scrappy not-even-really-a-startup could use some best practices. :-/
