Re: [Phpmyadmin-devel] Phpmyadmin-devel Digest, Vol 87, Issue 7

----- Reply message -----
From: phpmyadmin-devel-request@lists.sourceforge.net
To: <phpmyadmin-devel@lists.sourceforge.net>
Subject: Phpmyadmin-devel Digest, Vol 87, Issue 7
Date: Mon, Oct 7, 2013 4:45 PM

Today's Topics:

1. Re: how to allow access to page without token (Michal Čihař)
2. Re: how to allow access to page without token (Marc Delisle)
3. Re: phpMyAdmin 4.1.0-alpha1 is released (Marc Delisle)
4. Re: how to allow access to page without token (Mohamed Ashraf)
5. phpMyAdmin 4.1.0-alpha2 is released (Marc Delisle)
6. phpMyAdmin 4.0.8 is released (Marc Delisle)
7. phpMyAdmin joins Software Freedom Conservancy (Michal Čihař)

----------------------------------------------------------------------

Message: 1
Date: Thu, 3 Oct 2013 15:43:47 +0200
From: Michal Čihař <michal@cihar.com>
Subject: Re: [Phpmyadmin-devel] how to allow access to page without token
To: phpmyadmin-devel@lists.sourceforge.net
Message-ID: <20131003154347.3867b599@rincewind.suse.cz>
Content-Type: text/plain; charset="utf-8"

Hi

On Thu, 3 Oct 2013 15:34:16 +0200 Mohamed Ashraf <mohamed.ashraf.213@gmail.com> wrote:
> Yes, normally it is, but during logout the token is reset multiple times and is changed after the page is loaded somewhere, so when the get_scripts.js.php is being fetched an old and invalid token is used, thus the page is not displayed.
>
> Here is what happens:
> 1 - the logout page is requested,
> 2 - token is reset since the user is not logged in
> 3 - then the html is created to load the get_scripts file using this new token, which is correct
> 4 - some time after this the token is reset again. I don't know where this happens. I output the token in the end of the response class response method and it is still the same.
> 5 - the request to the get_script file is made using the old token, which is rejected
I don't see a need to load anything from common.inc or do token protection on get_script, please comment:

https://github.com/phpmyadmin/phpmyadmin/pull/729

-- 
Michal Čihař | http://cihar.com | http://blog.cihar.com
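
The sequence reported above, and the effect of dropping the token check on the script loader as suggested in the reply, can be reproduced with a small model. This is an added example, not phpMyAdmin code and not part of the original messages; `Session`, `renderLogoutPage()` and `handleRequest()` are hypothetical names, and the exempt list assumes the loader only serves read-only script content.

```php
<?php
// Simplified model of the reported sequence. Hypothetical names throughout;
// this is not how phpMyAdmin implements its token handling.

final class Session
{
    public string $token = '';

    public function __construct()
    {
        $this->resetToken();
    }

    public function resetToken(): void
    {
        $this->token = bin2hex(random_bytes(16));
    }
}

// Step 3: the page embeds whichever token is current while the HTML is built.
function renderLogoutPage(Session $s): string
{
    return 'get_scripts.js.php?token=' . $s->token;
}

// Token check applied to every endpoint that is not on the exempt list.
function handleRequest(Session $s, string $url, array $exempt): int
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $query);
    if (in_array($parts['path'] ?? '', $exempt, true)) {
        return 200; // read-only script loader: no token required
    }
    $sent = $query['token'] ?? '';
    // Constant-time comparison; a missing or non-string token is rejected.
    return (is_string($sent) && hash_equals($s->token, $sent)) ? 200 : 403;
}

$session = new Session();           // steps 1-2: logout requested, token reset
$url = renderLogoutPage($session);  // step 3: HTML references the script URL
$session->resetToken();             // step 4: a later reset makes that token stale

// Step 5 with token protection on the loader: the stale token is rejected.
echo 'protected loader: ', handleRequest($session, $url, []), "\n";
// The same request once the loader is exempt from the token check.
echo 'exempt loader:    ', handleRequest($session, $url, ['get_scripts.js.php']), "\n";
```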
participants (1)
-
Abhishek Batra