Hi
On Thu, 3 Oct 2013 15:34:16 +0200, Mohamed Ashraf mohamed.ashraf.213@gmail.com wrote:
Yes, normally it is, but during logout the token is reset multiple times and is changed after the page is loaded somewhere, so when the get_scripts.js.php is being fetched an old and invalid token is used, thus the page is not displayed.
Here is what happens:
1 - the logout page is requested,
2 - token is reset since the user is not logged in
3 - then the html is created to load the get_scripts file using this new token which is correct
4 - some time after this the token is reset again. I don't know where this happens. I output the token at the end of the response class response method and it is still the same.
5 - the request to the get_script file is made using the old token which is rejected
I don't see a need to load anything from common.inc or do token protection on get_script, please comment:
https://github.com/phpmyadmin/phpmyadmin/pull/729