View Issue Details

ID: 0004693
Project: Taler
Category: merchant frontend (blog)
View Status: public
Last Update: 2016-10-11 17:28
Reporter: Florian Dold
Assigned To: Marcello Stanisci
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: SVN HEAD
Target Version: 0.1
Fixed in Version: 0.1
Summary: 0004693: bad error messages if user agent has cookies disabled

Description:
When we get a user agent with disabled cookies, we should provide a better error message.

Right now we just show some alert with error 400 and the "payment in progress" spinner.
Tags: No tags attached.

Relationships

related to 0004701 (closed, Marcello Stanisci): merchant frontends should have a proper error page

Activities

Christian Grothoff

2016-09-29 00:31

manager   ~0011198

Maybe we should deploy more advanced session management (without cookies):

http://www.programmerinterview.com/index.php/php-questions/can-sessions-work-without-cookies/

Basically, the idea is to embed a session ID within a POST request via a hidden argument, and within a GET by appending a parameter. (As the latter is user-visible, the cookie can contain a checksum based on the client's IP address and a server-side secret, thereby preventing the session from being easily copied to another computer.)

Django also has a bunch of provisions for session management:
https://docs.djangoproject.com/en/1.10/topics/http/sessions/

So at least for PHP and Django, I'd expect that we should be able to fallback/use existing mechanisms to deal with this issue.

Christian Grothoff

2016-09-29 00:34

manager   ~0011199

Should have read the whole page first:

>>> Session IDs in URLs <<<

The Django sessions framework is entirely, and solely, cookie-based. It does not fall back to putting session IDs in URLs as a last resort, as PHP does. This is an intentional design decision. Not only does that behavior make URLs ugly, it makes your site vulnerable to session-ID theft via the "Referer" header.

Hard to disagree with the ugly URLs, IP-hashing would make the session-ID theft at least tricky. Then again, maybe the answer is indeed to simply provide a saner error message for now.

Florian Dold

2016-09-29 00:34

manager   ~0011200

-1, because these things badly break navigation.

Sure, we can have another demo / proof-of-concept with different session management, but it's a bad default, user-experience wise.

Another concern is that when using Tor, you can't rely on the IP address.
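
The scheme sketched above (session ID carried in a hidden POST field or GET parameter, with a checksum over the client IP and a server-side secret) and the Tor objection against it, as an added illustration that is not part of this issue or of the Taler code: the token is a keyed HMAC tag over the session ID and client IP, which stops a copied token from working elsewhere but equally rejects a legitimate client whose apparent IP changes (as with Tor circuits). The secret, the parameter name `sid` and the helper names are constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed placeholder secret for this example; a deployment would load its own.
SERVER_SECRET = b"constructed-demo-secret"


def _checksum(session_id: str, client_ip: str) -> str:
    """Keyed checksum binding the session ID to the client IP, as proposed in the thread."""
    msg = f"{session_id}|{client_ip}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, client_ip: str) -> str:
    """Token to embed in a hidden POST argument or append to a GET URL."""
    return f"{session_id}.{_checksum(session_id, client_ip)}"


def verify_token(token: str, client_ip: str):
    """Return the session ID if the token was minted for this client IP, else None.

    A token copied to another machine fails here; so does a token from a Tor
    user whose exit IP changed between requests (the concern raised above).
    """
    session_id, sep, tag = token.rpartition(".")
    if not sep or not session_id:
        return None
    if not hmac.compare_digest(_checksum(session_id, client_ip), tag):
        return None
    return session_id


def attach_to_url(url: str, token: str) -> str:
    """Append the token as a 'sid' query parameter (the user-visible GET variant)."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("sid", token)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```
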

Marcello Stanisci

2016-10-11 17:19

manager   ~0011294

Fixed in e27bd08, although it seems that the onError callback does not always get the same 'detail' format. For this bug, the 'hint' field is missing.

Issue History

Date Modified Username Field Change
2016-09-28 19:35 Florian Dold New Issue
2016-09-29 00:31 Christian Grothoff Note Added: 0011198
2016-09-29 00:34 Christian Grothoff Note Added: 0011199
2016-09-29 00:34 Florian Dold Note Added: 0011200
2016-10-07 00:32 Christian Grothoff Assigned To => Marcello Stanisci
2016-10-07 00:32 Christian Grothoff Status new => assigned
2016-10-07 00:32 Christian Grothoff Product Version => 0.1
2016-10-07 00:32 Christian Grothoff Target Version => 0.2
2016-10-07 00:32 Christian Grothoff Relationship added related to 0004701
2016-10-11 17:19 Marcello Stanisci Note Added: 0011294
2016-10-11 17:19 Marcello Stanisci Status assigned => resolved
2016-10-11 17:19 Marcello Stanisci Resolution open => fixed
2016-10-11 17:23 Christian Grothoff Product Version 0.1 => SVN HEAD
2016-10-11 17:23 Christian Grothoff Fixed in Version => 0.1
2016-10-11 17:23 Christian Grothoff Target Version 0.2 => 0.1
2016-10-11 17:28 Christian Grothoff Status resolved => closed