Hello,

I'm working on an application that allows users to upload large files or lots
of files; either way, it may take a lot of time. I have an upload form that
uses SWFUpload for file transfer, and after it finishes the form is
submitted. This results in submissions happening a considerable amount of
time after the form is generated.

I'm also using the Security component for CSRF protection, and some of my
users are encountering the "request blackholed" error (which is annoying
when it happens after e.g. 40 minutes of uploading files).

This is my configuration:

- Session
  - defaults => php
  - timeout => 120
  - cookieTimeout => 0
- Security
  - csrfExpires => +6 hour
  - csrfUseOnce => false

I would expect that with these settings no user should get the "request
blackholed" error if their upload takes less than 2 hours.
Based on the data in my DB I can infer that the users get the error within
one hour, so clearly something is not right.
Am I missing some more settings that could influence this?

Also, I have disabled the csrfUseOnce to fix problems with page reloading,
going back etc.
But doesn't it mean that if a user is interacting with the page for 6 hours
then the form generated before the 6-hour mark and submitted after that
mark will be blackholed? Maybe this is what has happened?

What would you recommend to make this robust? I could work around the
session timeout by making keep-alive requests to the server (to some extent
this is already happening as the session is updated with each uploaded
file). Maybe I should make my own CSRF protection that can also use such an
approach to token expiration?
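
An added illustration, not part of the original post and not CakePHP's own code, of the two expiry models the post contrasts: a CSRF token whose lifetime is fixed when the form is generated, and one that is renewed by keep-alive requests. The class `CsrfTokenStore`, its methods, the in-memory token array (standing in for session storage) and the timestamps are assumptions made for this example.

```php
<?php
// Added illustration (PHP 8): hypothetical names, not CakePHP's API.
final class CsrfTokenStore
{
    private array $tokens = [];   // token => expiry (Unix timestamp)
    public function __construct(private int $ttl, private bool $sliding) {}

    public function issue(int $now): string
    {
        $token = bin2hex(random_bytes(32));
        $this->tokens[$token] = $now + $this->ttl;
        return $token;
    }

    // Keep-alive hook (e.g. after each uploaded file): renews unexpired tokens.
    public function touch(int $now): void
    {
        $this->purge($now);
        if ($this->sliding) {
            $this->tokens = array_fill_keys(array_keys($this->tokens), $now + $this->ttl);
        }
    }

    public function validate(string $submitted, int $now): bool
    {
        $this->purge($now);
        foreach (array_keys($this->tokens) as $known) {
            if (hash_equals((string) $known, $submitted)) {
                return true;
            }
        }
        return false;
    }

    private function purge(int $now): void
    {
        $this->tokens = array_filter($this->tokens, fn($exp) => $exp > $now);
    }
}

$t0 = 1700000000;               // constructed form-generation time
foreach ([false, true] as $sliding) {
    $store = new CsrfTokenStore(6 * 3600, $sliding);
    $token = $store->issue($t0);
    for ($now = $t0 + 1800; $now <= $t0 + 7 * 3600; $now += 1800) {
        $store->touch($now);    // keep-alive every 30 minutes for 7 hours
    }
    $ok = $store->validate($token, $t0 + 7 * 3600 + 60);
    printf("%s expiry: %s\n", $sliding ? 'sliding' : 'fixed', $ok ? 'accepted' : 'rejected');
}
```

In this model a token that has already expired is never renewed, so a keep-alive only helps while it keeps arriving inside the token lifetime.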