POST request fails if user not authenticated

Bug #2115 reported by Paul Sladen
16
Affects Status Importance Assigned to Milestone
Launchpad itself
Won't Fix
Low
Unassigned

Bug Description

A page submit using a POST request fails with the message:

  Application error. Unauthenticated user POSTing to page that requires authentication.

if the user is not logged in. This can happen when somebody has been editing a page/form and Launchpad's session database has been purged in the mean-time. This leads to data loss, particularly if the /previous/ page was call generated by a POST and marked uncachable (meaning it's not even possible to go backwards and copy+paste the data elsewhere).

In the above situation, the user should be directed to login to Launchpad and then save the data after this has happened.

Revision history for this message
Paul Sladen (sladen) wrote :

I've just lost a large post to 2117, because of the above bug! (Pressing back caused the page to be reloaded because of the [sodding] uncachability---and hence lose the post that wasn't able to be submitted).

This is a bug that I've experienced *enough times* in my first 24 hours of trying to use Malone that I'm wondering if I can really be bothered to waste time writing details if there is a 33% of losing them.

Yes, this is 10x more annoying that not being able to post a bug-report in the first place.

Revision history for this message
Christian Reis (kiko) wrote :

It's interesting that I never encountered an uncacheability problem with a Malone bug page, though. I suspect this bug is a dupe, but I need to find it.

Revision history for this message
Paul Sladen (sladen) wrote :

Of the two parts, it's very easy to verify the first part. By going to:

  https://launchpad.net/products/malone/+filebug

and then deleting the launchpad.net authenication cookie in your web-browser. Submitting the page now results in the message about an Unauthenicated User.

For part two, the other possibility is that the text is/was disappearing behind the ''Add a comment to this bug'' drop down. Some javascript would probably solve this by expanding the drop-down if the contents are found to be != "".

Brad Bollenbach (bradb)
Changed in malone:
assignee: nobody → bradb
status: New → Accepted
Changed in malone:
assignee: bradb → stevea
Revision history for this message
Stuart Bishop (stub) wrote :

Authentication is now (very) persistant, so this bug should rarely bite people now.

Revision history for this message
Paul Sladen (sladen) wrote : Re: POST request fails if user not authenticated (eg. launchpad restarted)

I think this is pretty much fixed now I think :)

Revision history for this message
Matthew Paul Thomas (mpt) wrote :

Not as important now, because it occurs only if you clear your cookies. But it's still a problem that (for example) Bugzilla has solved.

Changed in launchpad:
importance: Medium → Low
Changed in launchpad:
assignee: stevea → nobody
Revision history for this message
Andrea Corbellini (andrea.corbellini) wrote :

<m-c> Getting an "Application error." when trying to reset user password, on Launchpad.
<andrea-bs> m-c: do you get an OOPS?
<m-c> andrea-bs: The complete error is, "Application error. Unauthenticated user POSTing to page that requires authentication."
<m-c> This is immediately after completing the "Reset password" form.
<andrea-bs> m-c: this seems a browser problem, not a launchpad issue
<andrea-bs> m-c: which web browser are you using?
<m-c> Are there third-party cookies that I need to allow? I am using Firefox 3 (default with Ubuntu 8.04.1).
<andrea-bs> m-c: I've tried to reset my password wit FF3 and I get no error, can you tell me which is the exact page where you get the error, please?
<m-c> Let me try it again. The page I was repeatedly getting errors, previously was: " https://edge.launchpad.net/token/qrZdBgTtSm332KLBmD6B/+resetpassword "
<andrea-bs> m-c: this seems bug #2115, can you confirm this?
<ubottu> Launchpad bug 2115 in launchpad "POST request fails if user not authenticated (eg. launchpad restarted)" [Low,Confirmed] https://launchpad.net/bugs/2115
<m-c> Just tried it again, with the same results. Going to look at the bug now.
<andrea-bs> m-c: what happens deleting your cookies?
<m-c> I am not real eager to delete all my cookies...
<m-c> But for the sake of Launchpad, I will give it a try!
<andrea-bs> m-c: you can delete just the .launchpad.net cookies if you prefer
<m-c> After removing all cookies, I was able to login, thank you very much!

Revision history for this message
Leonard Richardson (leonardr) wrote :

I ran into this error while working on the launchpadlib trusted client. I'm sniffing this string to provide a good user experience. My code would be more robust if this error was accompanied by a 401 response code ("Unauthorized") instead of 500 ("Internal Server Error").

Revision history for this message
Robert Collins (lifeless) wrote :

I've tweaked the description because it was inaccurate (we restart LP very often - the session database is persistent). That said, while I can imagine possible improvements here, dealing with anonymous POST is really very tricky, and I think we're better off not doing that on the server side: better for client browsers to let users retry (which they do) - and the user to just log in in another tab and hit the retry button on their browser.

summary: - POST request fails if user not authenticated (eg. launchpad restarted)
+ POST request fails if user not authenticated
description: updated
Revision history for this message
Robert Collins (lifeless) wrote :

If we OOPS when this happens, we can and should fix that.

Changed in launchpad:
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Related blueprints