What I understand from your original post is that you are trying to find a way to access the __FORM_TOKEN value from the web page. I don't have Trac 10.4, so I'm not sure how helpful this may be.
I have noticed Trac sets three different cookies: trac_form_token, trac_session, and trac_auth. "trac_session" seems to be set before you log in, if the system allows anonymous access, but I might be wrong. Once the user authenticates himself, Trac seems to set "trac_auth". In all cases the "New Ticket" page sets the "trac_form_token" cookie. This value is the same as the value stored in the "__FORM_TOKEN" hidden field.

So if you can read the browser cookies from Flash, then you can read "trac_form_token" and "trac_auth" and send them along with the rest of your POST from Flash.

What puzzles me is: In a prior message you mentioned seeing "trac_form_token" in Firebug, so if Flash is automatically sending "trac_form_token" (which is the cookie and not the hidden field), then it should also be sending the "trac_auth" cookie, and you shouldn't have this problem, which brings us back to square one. :(

On Wed, Aug 26, 2009 at 8:20 PM, Indika Jayasinghe<[email protected]> wrote:
> I would like to add something to what Jake said: Make sure (using
> something like the Live HTTP Headers plugin for Firefox) that the
> "trac_auth" value which is transmitted by Flash is the same as that
> transmitted when you perform a regular form submit. Trac uses this
> value to identify the browser session. So it won't do you much good to
> send the __FORM_TOKEN if you don't send the trac_auth value that goes
> with it.
>
> On Wed, Aug 26, 2009 at 1:30 PM, Erik Bray<[email protected]> wrote:
>>
>> On Thu, Aug 20, 2009 at 3:10 PM, jbiesinger<[email protected]> wrote:
>>>
>>> I have a question on using Flash to post to trac 10.4-- I have a
>>> simple flash page embedded into one of my template pages which I'd
>>> like to be able to post back to trac. The post uses a single variable
>>> "buttonVar." But when trying to post, I get a 400 error and the logs
>>> say "WARNING: 400 Bad Request (Missing or invalid form token. Do you
>>> have cookies enabled?)"
>>>
>>> The header for the post (as viewed by FireBug) includes
>>> trac_form_token so I'm not sure why trac isn't seeing it but then
>>> again I'm not doing anything special in Flash to include the
>>> trac_form_token. I know in the newer versions of trac you can have a
>>> hidden form called trac_form_token and trac will embed the form token
>>> directly, allowing you to read it from flash or javascript or
>>> whatever, but is that possible using 10.4? Is there another way to
>>> allow the post but maintain the security of the trac_form_token?
>>>
>>>
>>> Trac version 10.4
>>> Python 2.4.4
>>>
>>> Thanks!
>>> Jake Biesinger
>>
>> The value of the form token should be in a cookie "trac_form_token".
>> I don't know much about Flash or action script, but I assume it's
>> possible to retrieve a cookie value. Then just send the token as the
>> value of a "__FORM_TOKEN" argument in your POST request.
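
The check discussed in this thread, as an added example that is not part of any message above and is not Trac's own source: a double-submit comparison in which a POST passes only when its "__FORM_TOKEN" argument equals the "trac_form_token" cookie. The function name and the token values are constructed for illustration; the cookie name, argument name and error text are the ones quoted in the thread.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

ERROR = "Missing or invalid form token. Do you have cookies enabled?"


def check_form_token(cookie_header, post_body):
    """Return (status, reason) for a POST, double-submit style.

    Illustrative check (assumption, not Trac's code): the request passes
    only when the __FORM_TOKEN body argument equals the trac_form_token
    cookie. A cookie sent automatically by the client is not enough.
    """
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    morsel = cookies.get("trac_form_token")
    cookie_token = morsel.value if morsel else ""

    args = parse_qs(post_body, keep_blank_values=True)
    # Reject duplicated arguments instead of guessing which one counts.
    values = args.get("__FORM_TOKEN", [])
    form_token = values[0] if len(values) == 1 else ""

    if not cookie_token or not form_token:
        return 400, ERROR
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return 400, ERROR
    return 200, "OK"


# Constructed sample values, not real Trac tokens.
TOKEN = "3f9c1a7e5b2d4860aa11"
COOKIES = "trac_form_token=" + TOKEN + "; trac_auth=0d4e8b6c2f9a7135cc22"


def demo():
    return {
        # Cookies ride along automatically, body carries only buttonVar.
        "cookie_only": check_form_token(COOKIES, "buttonVar=1"),
        # Client read the cookie and echoed it as a POST argument.
        "token_echoed": check_form_token(COOKIES, "buttonVar=1&__FORM_TOKEN=" + TOKEN),
        "wrong_token": check_form_token(COOKIES, "buttonVar=1&__FORM_TOKEN=" + "f" * 20),
        "no_cookie": check_form_token("", "buttonVar=1&__FORM_TOKEN=" + TOKEN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "cookie_only" case is the one to compare against a captured request: the cookie header is present, yet the check still answers 400 because the token never appears as a POST argument.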
