View Issue Details
Field | Value |
---|---|
ID | 0004693 |
Project | Taler |
Category | Merchant frontends (Python3) |
View Status | public |
Date Submitted | 2016-09-28 19:35 |
Last Update | 2024-01-12 14:08 |
Reporter | Florian Dold |
Assigned To | Marcello Stanisci |
Priority | normal |
Severity | minor |
Reproducibility | have not tried |
Status | closed |
Resolution | fixed |
Product Version | git (master) |
Target Version | 0.1 |
Fixed in Version | 0.1 |
Summary | 0004693: bad error messages if user agent has cookies disabled |
Description | When we get a user agent with disabled cookies, we should provide a better error message. Right now we just show some alert with error 400 and the "payment in progress" spinner. |
Tags | No tags attached. |

Relationship | Issue | Status | Assigned To | Summary |
---|---|---|---|---|
related to | 0004701 | closed | Marcello Stanisci | merchant frontends should have a proper error page |
Note 0011198 (Christian Grothoff, 2016-09-29 00:31):

Maybe we should deploy more advanced session management (without cookies): http://www.programmerinterview.com/index.php/php-questions/can-sessions-work-without-cookies/

Basically, the idea is to embed a session ID within a POST request via a hidden argument, and within a GET by appending a parameter. (As the latter is user-visible, the cookie can contain a checksum based on the client's IP address and a server-side secret, thereby preventing the session from being easily copied to another computer.)

Django also has a bunch of provisions for session management: https://docs.djangoproject.com/en/1.10/topics/http/sessions/

So at least for PHP and Django, I'd expect that we should be able to fallback/use existing mechanisms to deal with this issue.
Note 0011199 (Christian Grothoff, 2016-09-29 00:34):

Should have read the whole page first:

> **Session IDs in URLs**
>
> The Django sessions framework is entirely, and solely, cookie-based. It does not fall back to putting session IDs in URLs as a last resort, as PHP does. This is an intentional design decision. Not only does that behavior make URLs ugly, it makes your site vulnerable to session-ID theft via the "Referer" header.

Hard to disagree with the ugly URLs; IP-hashing would make the session-ID theft at least tricky. Then again, maybe the answer is indeed to simply provide a saner error message for now.
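The hidden-field / URL-parameter scheme sketched in note 0011198, as an added Python example that is not Taler or Django code: the session ID travels with the request together with an HMAC over the client's IP address and a server-side secret, so a value copied to another machine fails verification. The function names, the secret and the sample addresses are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values; a real deployment keeps the secret out of source.
SERVER_SECRET = b"constructed-demo-secret"
SESSION_TTL = 600  # seconds a carried session stays valid


def _tag(session_id: str, client_ip: str, expires: int) -> str:
    """Checksum from the note: HMAC over session ID, client IP and expiry."""
    msg = f"{session_id}|{client_ip}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def mint_session_param(client_ip: str, now: Optional[int] = None) -> dict:
    """Parameters to embed as hidden POST fields or GET query arguments."""
    now = int(time.time()) if now is None else now
    sid = secrets.token_urlsafe(16)
    exp = now + SESSION_TTL
    return {"sid": sid, "exp": str(exp), "tag": _tag(sid, client_ip, exp)}


def check_session_param(params: dict, client_ip: str,
                        now: Optional[int] = None) -> Optional[str]:
    """Return the session ID if the parameters verify for this client."""
    now = int(time.time()) if now is None else now
    try:
        sid, exp, tag = params["sid"], int(params["exp"]), params["tag"]
    except (KeyError, ValueError):
        return None
    if exp < now:
        return None  # stale token
    # Constant-time compare; a token replayed from another IP fails here.
    if not hmac.compare_digest(tag, _tag(sid, client_ip, exp)):
        return None
    return sid


def append_to_url(url: str, params: dict) -> str:
    """GET variant: append the session parameters to a link."""
    sep = "&" if urlparse(url).query else "?"
    return url + sep + urlencode(params)


def params_from_url(url: str) -> dict:
    """Recover the parameters from a request URL (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```

The IP binding is also what note 0011200 objects to: a client whose exit address changes mid-session (Tor) fails the check, and the parameters still sit in URLs and the Referer header, which is why the thread settles on a better error message instead.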
Note 0011200 (Florian Dold, 2016-09-29 00:34):

-1, because these things badly break navigation. Sure, we can have another demo / proof-of-concept with different session management, but it's a bad default, user-experience wise. Another concern is that when using Tor, you can't rely on the IP address.
Note 0011294 (Marcello Stanisci, 2016-10-11 17:19):

Fixed in e27bd08, although it seems that the onError callback does not always get the same 'detail' format. For this bug, the 'hint' field is missing.
Date Modified | Username | Field | Change |
---|---|---|---|
2016-09-28 19:35 | Florian Dold | New Issue | |
2016-09-29 00:31 | Christian Grothoff | Note Added: 0011198 | |
2016-09-29 00:34 | Christian Grothoff | Note Added: 0011199 | |
2016-09-29 00:34 | Florian Dold | Note Added: 0011200 | |
2016-10-07 00:32 | Christian Grothoff | Assigned To | => Marcello Stanisci |
2016-10-07 00:32 | Christian Grothoff | Status | new => assigned |
2016-10-07 00:32 | Christian Grothoff | Product Version | => 0.1 |
2016-10-07 00:32 | Christian Grothoff | Target Version | => 0.2 |
2016-10-07 00:32 | Christian Grothoff | Relationship added | related to 0004701 |
2016-10-11 17:19 | Marcello Stanisci | Note Added: 0011294 | |
2016-10-11 17:19 | Marcello Stanisci | Status | assigned => resolved |
2016-10-11 17:19 | Marcello Stanisci | Resolution | open => fixed |
2016-10-11 17:23 | Christian Grothoff | Product Version | 0.1 => git (master) |
2016-10-11 17:23 | Christian Grothoff | Fixed in Version | => 0.1 |
2016-10-11 17:23 | Christian Grothoff | Target Version | 0.2 => 0.1 |
2016-10-11 17:28 | Christian Grothoff | Status | resolved => closed |
2024-01-12 14:08 | Christian Grothoff | Category | merchant frontend (blog) => Merchant frontends (Python3) |