----- Reply message -----
From: phpmyadmin-devel-request@lists.sourceforge.net
To: phpmyadmin-devel@lists.sourceforge.net
Subject: Phpmyadmin-devel Digest, Vol 87, Issue 7
Date: Mon, Oct 7, 2013 4:45 PM
Today's Topics:

1. Re: how to allow access to page without token (Michal Čihař)
2. Re: how to allow access to page without token (Marc Delisle)
3. Re: phpMyAdmin 4.1.0-alpha1 is released (Marc Delisle)
4. Re: how to allow access to page without token (Mohamed Ashraf)
5. phpMyAdmin 4.1.0-alpha2 is released (Marc Delisle)
6. phpMyAdmin 4.0.8 is released (Marc Delisle)
7. phpMyAdmin joins Software Freedom Conservancy (Michal Čihař)
----------------------------------------------------------------------
Message: 1
Date: Thu, 3 Oct 2013 15:43:47 +0200
From: Michal Čihař michal@cihar.com
Subject: Re: [Phpmyadmin-devel] how to allow access to page without token
To: phpmyadmin-devel@lists.sourceforge.net
Message-ID: 20131003154347.3867b599@rincewind.suse.cz
Content-Type: text/plain; charset="utf-8"
Hi
On Thu, 3 Oct 2013 15:34:16 +0200 Mohamed Ashraf mohamed.ashraf.213@gmail.com wrote:
> Yes, normally it is, but during logout the token is reset multiple times and is changed after the page is loaded somewhere, so when the get_scripts.js.php is being fetched an old and invalid token is used, thus the page is not displayed.
>
> Here is what happens:
> 1 - the logout page is requested,
> 2 - the token is reset since the user is not logged in,
> 3 - then the HTML is created to load the get_scripts file using this new token, which is correct,
> 4 - some time after this the token is reset again. I don't know where this happens. I output the token at the end of the response class response method and it is still the same.
> 5 - the request to the get_script file is made using the old token, which is rejected.
I don't see the need to load anything from common.inc or do token protection on get_script, please comment:
https://github.com/phpmyadmin/phpmyadmin/pull/729
-- Michal Čihař | http://cihar.com | http://blog.cihar.com