[Ur] Redirecting to the same page with a form, getting "wrong cookie signature"

Daniel Patterson dbp at dbpmail.net
Sun Jul 28 18:30:05 EDT 2013


Hmm... Well it is definitely related, because if I comment out the
message-setting code, it works.

There isn't really any way to move it earlier without losing the
semantics - the handler body is:

check logged in
dml (UPDATE ...)
set message saying it was updated
if r.Continue
  then redirect (url (edit_entry ...))
  else redirect (url ...)

And if I comment out the third line there, everything works.

But I don't see why this should be generating a form without the right
cookie signature - because the cookie should be set in the response that
redirects, and so when the edit_entry handler is run (that generates the
form), it should have been handed the cookie. Or does `redirect` not do
a normal HTTP redirect? Because if it does, the form generation and
cookie setting should not even be in the same request.

Adam Chlipala <adamc at csail.mit.edu> writes:
> It's possible your issue is because of an Ur/Web compiler bug, but let 
> me explain this cookie signature checking, in case it seems clear that 
> your approach isn't compatible with it.
>
> Cross-site request forgery (CSRF) attacks involve tricking users into 
> following links to other sites, such that processing said links remotely 
> causes side effects that the user wouldn't want.  This is really only a 
> threat when the client sends some data automatically, such as a log-in 
> cookie.  Ur/Web protects against these attacks by requiring 
> cryptographic signatures of all cookie values for any pages that might 
> both read cookies and cause persistent side effects.
>
> It sounds like you're somehow generating a form that winds up storing a 
> cookie signature that is out of date.  Perhaps if you move a cookie set 
> operation earlier, before the form is generated?
>
> On 07/28/2013 03:56 PM, Daniel Patterson wrote:
>> Yeah, it does - it sets a message in a cookie to be displayed on the
>> next page load (across the redirect). What happens when it posts is:
>>
>> update database
>> set message in cookie
>> redirect to next page to be shown
>>
>> Is this not permitted? Or what part of it could be going wrong?
>>
>> Adam Chlipala<adamc at csail.mit.edu>  writes:
>>
>>> Do you expect the application to be changing a cookie value in between
>>> the different steps in this scenario?  That's what the error message has
>>> to do with, probably.
>>>
>>> On 07/28/2013 03:33 PM, Daniel Patterson wrote:
>>>
>>>> I have a form that is used for editing an entry. I want to be able to
>>>> both save the entry and continue editing and also save and return to the
>>>> index. Since multiple submit buttons aren't supported (how I would
>>>> normally implement this pattern), the solution I came up with was having
>>>> a checkbox for whether to continue editing, and then just redirect back
>>>> to the editing page.
>>>>
>>>> This works the first time - the entry is saved, and the edit entry page
>>>> loads again, but when I try to submit on this reloaded page, I get a
>>>> "Fatal error: Wrong cookie signature" error. The code that produces this
>>>> is at:
>>>>
>>>> form:   https://github.com/dbp/latinamerica/blob/master/la.ur#L236
>>>> submit: https://github.com/dbp/latinamerica/blob/master/la.ur#L309
>>>>
>>>> I know it isn't as simple as I describe, because I created a minimal
>>>> example of that and it works just fine. That example is here:
>>>>
>>>> https://gist.github.com/dbp/6099783
>>>>
>>>> But, I'm not sure what could be causing that error, so I'm not sure how
>>>> else to approach minimizing it.
>>>>
>>>> Any advice for either potential causes (to aid minimizing) or a reason /
>>>> fix for it would be great!
>>>>
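To make Adam's description of the cookie-signature check concrete, and the ordering question this thread is chasing, here is an added Python sketch; it is my own illustration, not Ur/Web's implementation, and the names `SERVER_KEY`, `sign_cookies`, `render_form`, `handle_submit`, `edit_cycle` and `forged_submit` are hypothetical. The form captures an HMAC over the cookie values when it is rendered, the side-effecting handler recomputes it from the cookies actually sent at submit time, and `edit_cycle` contrasts setting the message cookie before versus after the form is generated.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key. This whole scheme is a hypothetical sketch of
# the cookie-signature idea, not Ur/Web's own implementation.
SERVER_KEY = secrets.token_bytes(32)

def sign_cookies(cookies: dict) -> str:
    # HMAC over the cookie values a side-effecting page depends on; keys are
    # sorted so the signature does not depend on dict ordering.
    canonical = "&".join(f"{k}={v}" for k, v in sorted(cookies.items()))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()

def render_form(cookies: dict) -> dict:
    # Form generation: the form carries a signature of the cookies as they
    # were when it was rendered (the hidden field the browser posts back).
    return {"action": "/save", "sig": sign_cookies(cookies)}

def handle_submit(form: dict, cookies: dict) -> dict:
    # Side-effecting handler: refuse the request unless the form's signature
    # matches the cookies the browser is sending now.
    if not hmac.compare_digest(form.get("sig", ""), sign_cookies(cookies)):
        raise ValueError("Wrong cookie signature")
    updated = dict(cookies)
    updated["message"] = "Entry updated"  # the flash message from the thread
    return updated

def edit_cycle(set_message_before_render: bool) -> str:
    # Model the thread's ordering question: is the message cookie changed
    # before or after the form that will be submitted was generated?
    cookies = {"session": "user42"}
    if set_message_before_render:
        cookies["message"] = "Entry updated"
    form = render_form(cookies)
    if not set_message_before_render:
        cookies["message"] = "Entry updated"  # changed after the form was built
    try:
        handle_submit(form, cookies)
        return "ok"
    except ValueError as err:
        return str(err)

def forged_submit() -> str:
    # A form built elsewhere cannot carry a valid signature without the key.
    try:
        handle_submit({"action": "/save", "sig": "0" * 64}, {"session": "user42"})
        return "ok"
    except ValueError as err:
        return str(err)
```

With a real HTTP redirect the edit page is a fresh request that sees the updated cookie, so the second ordering should not occur; the sketch only shows what the error means if a form somehow captured the signature before the cookie changed.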
