RGRA portal stealth post feature

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • zaimoni
    Knight
    • Apr 2007
    • 590

    RGRA portal stealth post feature

    Just had an unpleasant re-surprise (was only half-awake, so didn't take full usual precautions against double-posting from Oook RGRA portal). Note that I normally use the dedicated RGRA login rather than the forum login.

    I am not used to the following sequence generating a post:
    * being asked to login in, so...panic; instead of filling out the login form per correct checklist on my end, hit the back button (to recover post content; panic precludes noticing that I just copied the whole post content into the clipboard just-in-case).
    * Blank post composition screen comes up rather than the content of the intended post (ok)...*but* the post gets sent out anyway (bug).

    The back button not only re-logged me in (not normal behavior for a web application, but can be caused by appropriate http headers), it sent out the original composed post as well (exceptionally not-normal behavior) without suggesting it had done so (bug).

    This isn't the first time this has happened to me when half-awake. It just occurred to me that this combination of features would also cause double-posting for RGRA portal newbies used to standard web application back button behavior.

    Does the architecture permit a quick alteration that does exactly one of the following:
    * blocks posting when the back button is used?
    * correctly informs the user that their post has been submitted to USENET?

    Target browser is SeaMonkey 1.1.7; FireFox was forked from SeaMonkey back when SeaMonkey was the Mozilla suite.
    Zaiband: end the "I shouldn't have survived that" experience. V3.0.6 fork on Hg.
    Zaiband 3.0.10 ETA Mar. 7 2011 (Yes, schedule slipped. Latest testing indicates not enough assert() calls to allow release.)
    Z.C++: pre-alpha C/C++ compiler system (usable preprocessor). Also on Hg. Z.C++ 0.0.10 ETA December 31 2011
  • Nick
    Vanilla maintainer
    • Apr 2007
    • 9637

    #2
    Originally posted by zaimoni
    This isn't the first time this has happened to me when half-awake. It just occurred to me that this combination of features would also cause double-posting for RGRA portal newbies used to standard web application back button behavior.
    I have double-posted to rgra more than once by this method, using SeaMonkey and/or Firefox (and possibly even IE).
    One for the Dark Lord on his dark throne
    In the Land of Mordor where the Shadows lie.

    Comment

    • pav
      Administrator
      • Apr 2007
      • 793

      #3
      Well I'm not entirely sure what's going on for you. You are not allowed to fill in the post without not being already logged in, right?

      So somehow the website logs you off when you hit Post button, and when you hit the back button it posts the article? I find that very hard to believe.
      See the elves and everything! http://angband.oook.cz

      Comment

      • zaimoni
        Knight
        • Apr 2007
        • 590

        #4
        Originally posted by pav
        Well I'm not entirely sure what's going on for you. You are not allowed to fill in the post without not being already logged in, right?
        Yes, explicit login is required befores starting to compose the post.
        Originally posted by pav
        So somehow the website logs you off when you hit Post button,
        The login times out on its usual 15-20ish minute schedule when using the RGRA portal login, yes. I often need longer than this to properly proofread a USENET post.
        Originally posted by pav
        and when you hit the back button it posts the article? I find that very hard to believe.
        RGRD, "LOS/FOV vs. Line of Fire": my first reply was double-posted with this bug.

        It's not at all hard to believe. All that's required is that the back button resubmit the login form (which I can look up both how to do and prevent; I just would never design a web application to break the back button this way. I'm composing on the page generated at login) -- and that the content of the attempted post be matched with the login credentials. The form content definitely was sent in, the page requiring re-login came up in response to the failed posting.

        However, doing what's expected (entering the login credentials) doesn't cause the posting. Just the back button to the page generated at login.
        Zaiband: end the "I shouldn't have survived that" experience. V3.0.6 fork on Hg.
        Zaiband 3.0.10 ETA Mar. 7 2011 (Yes, schedule slipped. Latest testing indicates not enough assert() calls to allow release.)
        Z.C++: pre-alpha C/C++ compiler system (usable preprocessor). Also on Hg. Z.C++ 0.0.10 ETA December 31 2011

        Comment

        • pav
          Administrator
          • Apr 2007
          • 793

          #5
          I still don't get it. You log in, fill in the post, submit, get login form. At that point, you hit back - but there's no post content in that request! Only thing I can think of is hitting Reload.

          Also, you surely had to confirm the warning box about re-submitting POST content, haven't you?
          See the elves and everything! http://angband.oook.cz

          Comment

          • zaimoni
            Knight
            • Apr 2007
            • 590

            #6
            Originally posted by pav
            I still don't get it. You log in, fill in the post, submit, get login form. At that point, you hit back - but there's no post content in that request!
            Correct; the repost on back would only have login credentials.
            Originally posted by pav
            Only thing I can think of is hitting Reload.
            That's not even adjacent to Back either on keyboard or GUI.
            Originally posted by pav
            Also, you surely had to confirm the warning box about re-submitting POST content, haven't you?
            SeaMonkey doesn't have that warning box reposting POST forms with the reload key. I have no reason to think I'd get one on a back-button induced form repost.

            (Exhaustively checks options.) SeaMonkey has no obvious configuration options for this.
            Zaiband: end the "I shouldn't have survived that" experience. V3.0.6 fork on Hg.
            Zaiband 3.0.10 ETA Mar. 7 2011 (Yes, schedule slipped. Latest testing indicates not enough assert() calls to allow release.)
            Z.C++: pre-alpha C/C++ compiler system (usable preprocessor). Also on Hg. Z.C++ 0.0.10 ETA December 31 2011

            Comment

            • pav
              Administrator
              • Apr 2007
              • 793

              #7
              So how does this happen?

              You type in a post, hit submit, fill in login, hit submit, then hit back? That would lead to the post - but it's hardly sneaky, you should be getting Your post have been sent. message in any case.

              Other than that, there's something weird going on with your browser. Or I don't know.
              See the elves and everything! http://angband.oook.cz

              Comment

              • zaimoni
                Knight
                • Apr 2007
                • 590

                #8
                Originally posted by pav
                So how does this happen?

                You type in a post, hit submit, fill in login, hit submit, then hit back?
                As originally stated:
                * type in post (on page generated immediately after login)
                * hit submit, get login page
                * hit back.

                That's sufficient to get the intercepted post to reach a supported newsgroup. Which would be fine if I got "your message has been posted", but what actually arrives is the composition textarea.
                Zaiband: end the "I shouldn't have survived that" experience. V3.0.6 fork on Hg.
                Zaiband 3.0.10 ETA Mar. 7 2011 (Yes, schedule slipped. Latest testing indicates not enough assert() calls to allow release.)
                Z.C++: pre-alpha C/C++ compiler system (usable preprocessor). Also on Hg. Z.C++ 0.0.10 ETA December 31 2011

                Comment

                • pav
                  Administrator
                  • Apr 2007
                  • 793

                  #9
                  Okay, this is impossible. I'm sorry I can't fix this issue.

                  My only hope is this is some odd proxy/cache issue on the client side. Because as the server code is laid out now, it's not possible to have the post posted without also receiving "Your message has been posted" text...

                  Also my guess is that the back button is not necessary; the post is posted when you hit submit first time.
                  See the elves and everything! http://angband.oook.cz

                  Comment

                  • zaimoni
                    Knight
                    • Apr 2007
                    • 590

                    #10
                    I've never seen the original post posted when actually filling out the login credentials. It should be easy enough to test safely, however.

                    The empty textarea for editing still comes up when doing that.
                    Zaiband: end the "I shouldn't have survived that" experience. V3.0.6 fork on Hg.
                    Zaiband 3.0.10 ETA Mar. 7 2011 (Yes, schedule slipped. Latest testing indicates not enough assert() calls to allow release.)
                    Z.C++: pre-alpha C/C++ compiler system (usable preprocessor). Also on Hg. Z.C++ 0.0.10 ETA December 31 2011

                    Comment

                    • zaimoni
                      Knight
                      • Apr 2007
                      • 590

                      #11
                      Originally posted by pav
                      Also my guess is that the back button is not necessary; the post is posted when you hit submit first time.
                      Just completed testing this; no. As expected, the back button is necessary to elicit the bug; logging in properly erases the original post.

                      target: RGRD, reply to "So whats new for next year?"
                      * login in using portal login at 9:15AM GMT. Compose.
                      * Since we're testing this, wait 45 minutes to let the portal login timeout. Submit. Unsurprisingly, get login screen circa 10AM GMT.
                      * Give 20 minutes or so for the putative post to show on RGRD: nothing. Go ahead and redo it in a timely fashion; get the correct "your message has been posted" Check back in 8 minutes. 10:30AM GMT: only one post, the first one has been completely lost.
                      Zaiband: end the "I shouldn't have survived that" experience. V3.0.6 fork on Hg.
                      Zaiband 3.0.10 ETA Mar. 7 2011 (Yes, schedule slipped. Latest testing indicates not enough assert() calls to allow release.)
                      Z.C++: pre-alpha C/C++ compiler system (usable preprocessor). Also on Hg. Z.C++ 0.0.10 ETA December 31 2011

                      Comment

                      • pav
                        Administrator
                        • Apr 2007
                        • 793

                        #12
                        Seeing is believing - let me try it for myself. One last question - are you logged into both forum and rgra when posting?
                        See the elves and everything! http://angband.oook.cz

                        Comment

                        • pav
                          Administrator
                          • Apr 2007
                          • 793

                          #13
                          Okay I just tried it, and on the back button, I got the editing field with my message and nothing was posted.
                          See the elves and everything! http://angband.oook.cz

                          Comment

                          • zaimoni
                            Knight
                            • Apr 2007
                            • 590

                            #14
                            Originally posted by pav
                            Seeing is believing - let me try it for myself. One last question - are you logged into both forum and rgra when posting?
                            No. I intentionally log out of the forum before logging into the RGRA portal.
                            Zaiband: end the "I shouldn't have survived that" experience. V3.0.6 fork on Hg.
                            Zaiband 3.0.10 ETA Mar. 7 2011 (Yes, schedule slipped. Latest testing indicates not enough assert() calls to allow release.)
                            Z.C++: pre-alpha C/C++ compiler system (usable preprocessor). Also on Hg. Z.C++ 0.0.10 ETA December 31 2011

                            Comment

                            Working...
                            😀
                            😂
                            🥰
                            😘
                            🤢
                            😎
                            😞
                            😡
                            👍
                            👎