Staying on the issue view page for a long time and then input something on comment form and submitting returned error #12794

Open
opened 2025-11-02 10:21:14 -06:00 by GiteaMirror · 2 comments
Owner

Originally created by @lunny on GitHub (Apr 8, 2024).

image

I guess because the session or the csrf is expired so that when click the submission button, it will return a redirect response. But the Ajax functions haven't catch that and an unrelated error displayed.

I think the best choice is leave this page and follow the redirect?

Originally created by @lunny on GitHub (Apr 8, 2024). <img width="1254" alt="image" src="https://github.com/go-gitea/gitea/assets/81045/11c83d42-3077-4f47-8c5c-ce8a646b74a7"> I guess because the session or the csrf is expired so that when click the submission button, it will return a redirect response. But the Ajax functions haven't catch that and an unrelated error displayed. I think the best choice is leave this page and follow the redirect?
GiteaMirror added the type/bug label 2025-11-02 10:21:14 -06:00
Author
Owner

@silverwind commented on GitHub (Apr 8, 2024):

Maybe we need to refresh the CSFR token via JS in both window.config and all active <form>s shortly before expiry. I guess a simple setTimeout on page load shall do.

@silverwind commented on GitHub (Apr 8, 2024): Maybe we need to refresh the CSFR token via JS in both `window.config` and all active `<form>`s shortly before expiry. I guess a simple `setTimeout` on page load shall do.
Author
Owner

@silverwind commented on GitHub (Apr 8, 2024):

If we are expiring crsf token, we shouldn't. E.g. only expire them at the end of the session.

@silverwind commented on GitHub (Apr 8, 2024): If we are expiring crsf token, we [shouldn't](https://security.stackexchange.com/a/56520). E.g. only expire them at the end of the session.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#12794