Hello Grant, > > So - the question is, what is it about your setup, that causes the csrf_token > value on the rendered web-page, to not-match the CSRF token stored in your > login-session. I can think of ways to make that happen - but they would all > break everyone's pages everywhere, every single time. I am having no luck > finding a path through the code that would result in > > * session.token != page.token, and > * your login-session still valid > > and only for *some*pages/actions. Ugh.
I did some more testing and I have only problems with forms using method=„POST“. For example the search form in the upper right corner, which uses method=„GET“, is working fine with IE. > > If you use Firefox or Chrome against your SW instance, is the problem still > reproducible? Every other Browser I tested with, everything is OK: Chrome 42.0.2311.135 (64-bit) on Mac Chrome 40.0.2214.115 on Windows Firefox 37.0.1 on Windows and Mac Safari 8.0.6 on Mac > > Does the behavior change in IE if you change to/from compatibility-mode? No, no change. But now it gets weirder: I had a look into the browser built-in developer tools to check if the correct csrf_token is sent. As far as I can see, all my browsers send the right token in the POST-request. At least it is the same as in the HTML sourcecode. BUT when I use the developer tools within Safari on my Mac, I get the same error as with IE. When I close the developer tools, then click on a different tab to get a new csrf_token, then everything is working again. All during the same session. Is it perhaps possible that there is some javascript which triggers a change of the csrf_token after the HTML is sent to the browser? Depending on the timing of the browser-engine? As a side note: Some forms contain the csrf_token twice (with the same value) in the POST data, but this is the case with every browser, so I don’t think this is a problem at all. Regards, Bernhard
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Spacewalk-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/spacewalk-list
