[Ur] Redirecting to the same page with a form, getting "wrong cookie signature"

Adam Chlipala adamc at csail.mit.edu
Sun Jul 28 16:10:23 EDT 2013


It's possible your issue is because of an Ur/Web compiler bug, but let 
me explain this cookie signature checking, in case it seems clear that 
your approach isn't compatible with it.

Cross-site request forgery (CSRF) attacks involve tricking users into 
following links to other sites, such that processing said links remotely 
causes side effects that the user wouldn't want.  This is really only a 
threat when the client sends some data automatically, such as a log-in 
cookie.  Ur/Web protects against these attacks by requiring 
cryptographic signatures of all cookie values for any pages that might 
both read cookies and cause persistent side effects.

It sounds like you're somehow generating a form that winds up storing a 
cookie signature that is out of date.  Perhaps if you move a cookie set 
operation earlier, before the form is generated?

On 07/28/2013 03:56 PM, Daniel Patterson wrote:
> Yeah, it does - it sets a message in a cookie to be displayed on the
> next page load (across the redirect). What happens when it posts is:
>
> update database
> set message in cookie
> redirect to next page to be shown
>
> Is this not permitted? Or what part of it could be going wrong?
>
> Adam Chlipala<adamc at csail.mit.edu>  writes:
>    
>> Do you expect the application to be changing a cookie value in between
>> the different steps in this scenario?  That's what the error message has
>> to do with, probably.
>>
>> On 07/28/2013 03:33 PM, Daniel Patterson wrote:
>>      
>>> I have a form that is used for editing an entry. I want to be able to
>>> both save the entry and continue editing and also save and return to the
>>> index. Since multiple submit buttons aren't supported (how I would
>>> normally implement this pattern), the solution I came up with was having
>>> a checkbox for whether to continue editing, and then just redirect back
>>> to the editing page.
>>>
>>> This works the first time - the entry is saved, and the edit entry page
>>> loads again, but when I try to submit on this reloaded page, I get a
>>> "Fatal error: Wrong cookie signature" error. The code that produces this
>>> is at:
>>>
>>> form:   https://github.com/dbp/latinamerica/blob/master/la.ur#L236
>>> submit: https://github.com/dbp/latinamerica/blob/master/la.ur#L309
>>>
>>> I know it isn't as simple as I describe, because I created a minimal
>>> example of that and it works just fine. That example is here:
>>>
>>> https://gist.github.com/dbp/6099783
>>>
>>> But, I'm not sure what could be causing that error, so I'm not sure how
>>> else to approach minimizing it.
>>>
>>> Any advice for either potential causes (to aid minimizing) or a reason /
>>> fix for it would be great!
>>>        



More information about the Ur mailing list