View Issue Details
| Field | Value |
|---|---|
| ID | 0004693 |
| Project | Taler |
| Category | merchant frontend (blog) |
| View Status | public |
| Date Submitted | 2016-09-28 19:35 |
| Last Update | 2016-10-11 17:28 |
| Reporter | Florian Dold |
| Assigned To | Marcello Stanisci |
| Priority | normal |
| Severity | minor |
| Reproducibility | have not tried |
| Product Version | git (master) |
| Target Version | 0.1 |
| Fixed in Version | 0.1 |
| Summary | 0004693: bad error messages if user agent has cookies disabled |
| Tags | No tags attached. |

Description:

When we get a user agent with disabled cookies, we should provide a better error message.
Right now we just show some alert with error 400 and the "payment in progress" spinner.
Note 0011198 (Christian Grothoff, 2016-09-29 00:31):

Maybe we should deploy more advanced session management (without cookies):
Basically, the idea is to embed a session ID within a POST request via a hidden argument, and within a GET by appending a parameter. (As the latter is user-visible, the cookie can contain a checksum based on the client's IP address and a server-side secret, thereby preventing the session from being easily copied to another computer.)
Django also has a bunch of provisions for session management:
So at least for PHP and Django, I'd expect that we should be able to fall back on / use existing mechanisms to deal with this issue.
Note 0011199 (Christian Grothoff, 2016-09-29 00:34):

Should have read the whole page first:
>>>Session IDs in URLs<<<
The Django sessions framework is entirely, and solely, cookie-based. It does not fall back to putting session IDs in URLs as a last resort, as PHP does. This is an intentional design decision. Not only does that behavior make URLs ugly, it makes your site vulnerable to session-ID theft via the "Referer" header.
Hard to disagree with the ugly URLs; IP-hashing would make the session-ID theft at least tricky. Then again, maybe the answer is indeed to simply provide a saner error message for now.
Note 0011200 (Florian Dold, 2016-09-29 00:34):

-1, because these things badly break navigation.
Sure, we can have another demo / proof-of-concept with different session management, but it's a bad default, user-experience wise.
Another concern is that when using Tor, you can't rely on the IP address.
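As an added illustration, not code from the Taler merchant frontend or from anyone in this thread, here is the cookie-less scheme sketched above in Python: the session ID travels in a hidden POST field or a GET parameter, and a checksum (an HMAC keyed with a server-side secret over the session ID and the client's IP) is attached so the token cannot simply be copied to another computer. The function names, the token layout and the sample addresses are assumptions; the verifier's failure on a changed IP is the navigation breakage and Tor problem raised in the objection.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode

# Server-side secret. Constructed here for the example; a deployment would load it
# from configuration so it survives restarts and is shared by all workers.
SERVER_SECRET = secrets.token_bytes(32)


def _checksum(session_id: str, client_ip: str, secret: bytes) -> str:
    """HMAC-SHA256 over session ID and client IP, keyed with the server secret."""
    return hmac.new(secret, f"{session_id}|{client_ip}".encode(), hashlib.sha256).hexdigest()


def issue_session_token(session_id: str, client_ip: str, secret: bytes = SERVER_SECRET) -> str:
    """Token for a hidden POST field or a GET parameter; layout assumed: "<id>.<hex checksum>"."""
    return f"{session_id}.{_checksum(session_id, client_ip, secret)}"


def verify_session_token(token: str, client_ip: str, secret: bytes = SERVER_SECRET):
    """Return the session ID if the checksum matches this client's IP, else None.

    A token copied to a host with another IP fails here, and so does a token issued
    to a Tor user whose circuit (hence exit IP) changed mid-session: the navigation
    breakage the thread objects to.
    """
    session_id, sep, presented = token.rpartition(".")  # the hex digest contains no "."
    if not sep or not session_id:
        return None
    expected = _checksum(session_id, client_ip, secret)
    # Constant-time comparison so timing does not reveal how much of the checksum matched.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return None
    return session_id


def append_session_to_url(url: str, token: str) -> str:
    """Carry the token in the URL (the PHP-style fallback). Being part of the URL,
    it also ends up in any Referer header the browser sends to a third party."""
    separator = "&" if "?" in url else "?"
    return f"{url}{separator}{urlencode({'session': token})}"
```

The IP binding only limits reuse of a leaked token from a different address; it does not stop the URL itself from leaking through the Referer header that the quoted Django documentation warns about.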
Note 0011294 (Marcello Stanisci, 2016-10-11 17:19):

fixed in e27bd08, although it seems that the onError callback does not always get the same 'detail' format. For this bug, the 'hint' field is missing.
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2016-09-28 19:35 | Florian Dold | New Issue | |
| 2016-09-29 00:31 | Christian Grothoff | Note Added: 0011198 | |
| 2016-09-29 00:34 | Christian Grothoff | Note Added: 0011199 | |
| 2016-09-29 00:34 | Florian Dold | Note Added: 0011200 | |
| 2016-10-07 00:32 | Christian Grothoff | Assigned To | => Marcello Stanisci |
| 2016-10-07 00:32 | Christian Grothoff | Status | new => assigned |
| 2016-10-07 00:32 | Christian Grothoff | Product Version | => 0.1 |
| 2016-10-07 00:32 | Christian Grothoff | Target Version | => 0.2 |
| 2016-10-07 00:32 | Christian Grothoff | Relationship added | related to 0004701 |
| 2016-10-11 17:19 | Marcello Stanisci | Note Added: 0011294 | |
| 2016-10-11 17:19 | Marcello Stanisci | Status | assigned => resolved |
| 2016-10-11 17:19 | Marcello Stanisci | Resolution | open => fixed |
| 2016-10-11 17:23 | Christian Grothoff | Product Version | 0.1 => git (master) |
| 2016-10-11 17:23 | Christian Grothoff | Fixed in Version | => 0.1 |
| 2016-10-11 17:23 | Christian Grothoff | Target Version | 0.2 => 0.1 |
| 2016-10-11 17:28 | Christian Grothoff | Status | resolved => closed |