Project

General

Profile

Actions

Defect #7651

open

'Invalid form authenticity token' when updating issue causes dataloss

Added by sam marshall almost 14 years ago. Updated about 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Issues
Target version:
-
Start date:
2011-02-18
Due date:
% Done:

0%

Estimated time:
Resolution:
Affected version:

Description

When updating an issue to add a comment, if your session is no longer valid, you receive the error:

'Invalid form authenticity token.'

While this part is correct behaviour, it causes dataloss because:

a) The page with the error does not contain the text of the comment you submitted.
b) At least in Firefox 3.6, the Back button returns to the issue you were updating, but without the text.

I don't operate the redmine server in question, but I verified that this still occurs on demo.redmine.org, so it is a current issue.

To reproduce:

0. Use the Firefox browser with web developer extension (or any other browser with similar features)

1. Go to an issue
2. Click Update
3. Type some text into a comment
4. In the web developer toolbar, choose Cookies / Clear Session Cookies
5. Submit the comment
6. Error page appears

Actual behaviour:

Error page does not contain text you entered in #3. If you click the Back button, you are returned to the form but without your text.

Expected behaviour:

Error page should additionally contain the text of the comment you entered. Or, alternatively, the Back button should take you to the update page that includes your text.

Notes:

1) Clearing session cookies is fairly common behaviour when testing web applications. While it's obvious that doing this will break a Redmine session (i.e. you shouldn't do it), Redmine doesn't have to add injury to insult by causing annoying dataloss as a result.

2) Other form data is probably lost too but who cares - it's the potentially page-long comment that can be really annoying.

3) I haven't verified what happens with other update form errors such as simultaneous edit. If the same thing happens there, then those could benefit from being fixed, too.


Related issues

Has duplicate Redmine - Feature #30733: Keep submitted form data when updating an issue with an expired authentication tokenNew

Actions
Has duplicate Redmine - Defect #17588: Warn that the authenticity token is invalid before you get the textarea to edit issuesNew

Actions
Has duplicate Redmine - Feature #10569: Save user data on invalid form authenticity tokenNew

Actions
Actions

Also available in: Atom PDF