Keep session alive, for example, while editing or creating an article.
So my question is - should this be set on all pages with a form?
If not then what type of form should it be set on?
If you look through the codebase there is no consistency on this. I am happy to spend the time to make it consistent and logical - I just need to understand the when and where.
Labels | Added: ? |
Labels | Added: J4 Issue |
Thanks - I can work with that. I assume therefore that any form with keepalive must have the csrf check as well.
It's not an implicit thing. All keepalive does is keep the session alive. However, yeah, basically all our forms should have a CSRF check to try and stop request forgeries as a rule of thumb (can't think of any exceptions in core).
Status | New | ⇒ | Discussion |
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-12-13 19:19:14 |
Closed_By | ⇒ | brianteeman |
Status | Closed | ⇒ | New |
Closed_Date | 2019-12-13 19:19:14 | ⇒ | |
Closed_By | brianteeman | ⇒ |
Re-opening so it can be checked further after today's release.
So to confirm:
every time we have a <form action we should also have a form.token
Because we don't.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-04-10 23:37:36 |
Closed_By | ⇒ | brianteeman |
I'd go with a guideline of if a form gets submitted through POST then it should in most cases have keepalive since that form should have a CSRF check behind it (forms like a create item form, edit form, login form, contact form, etc.), and if it gets submitted through GET it doesn't need a keepalive behavior because these types of forms should essentially be nothing more than query filters for a page. I say this also realizing the backend views are in kind of a FUBAR state because the search filters trigger a POST form submission, and it looks like the frontend com_content.archive view has the same "issue" which means Joomla isn't always using the appropriate HTTP action to do things sadly.
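The guideline above (and the earlier rule of thumb that every form should sit behind a CSRF check) as a worked example. This is an added illustration, not code from the Joomla codebase or from anyone in this thread. The Joomla 4 classes and helper calls used (HTMLHelper::_('behavior.keepalive'), HTMLHelper::_('form.token'), FormController, checkToken()) are real; the component name com_example, the view/controller/fieldset names and the filter field are assumptions made up for the example.

```php
<?php
// File: administrator/components/com_example/tmpl/item/edit.php (assumed path)
// Added example, not Joomla core code. Shows the two cases from the thread:
// a state-changing POST form gets keepalive AND a CSRF token; a GET filter
// form gets neither.
defined('_JEXEC') or die;

use Joomla\CMS\HTML\HTMLHelper;
use Joomla\CMS\Router\Route;

// POST form that edits an item. The user may sit on this page for a long time,
// so keep the session alive (the behavior pings the server periodically).
// Without it the session expires, the token embedded below no longer matches
// the session, and the eventual save fails the CSRF check.
HTMLHelper::_('behavior.keepalive');
?>
<form action="<?php echo Route::_('index.php?option=com_example&layout=edit&id=' . (int) $this->item->id); ?>"
      method="post" name="adminForm" id="item-form">
    <?php echo $this->form->renderFieldset('details'); ?>
    <input type="hidden" name="task" value="">
    <?php // Emits <input type="hidden" name="<session token>" value="1"> ?>
    <?php echo HTMLHelper::_('form.token'); ?>
</form>

<?php
// GET form that only narrows a listing. It changes no state, and any visitor
// could type the same URL by hand, so a forged request gains nothing: no
// keepalive, no token.
?>
<form action="<?php echo Route::_('index.php?option=com_example&view=items'); ?>" method="get">
    <input type="search" name="filter[search]"
           value="<?php echo $this->escape($this->state->get('filter.search')); ?>">
    <button type="submit">Filter</button>
</form>

<?php
// File: administrator/components/com_example/src/Controller/ItemController.php (assumed path)
// The server-side half: every task reached by the POST form verifies the token
// before doing anything. Namespace line omitted so the two listings fit in one
// block; in a real component this is its own namespaced file.

use Joomla\CMS\MVC\Controller\FormController;

class ItemController extends FormController
{
    /**
     * Custom task bound to the POST form above (task=item.archive, assumed).
     * checkToken() compares the token field sent with the request against the
     * one stored in the session; on mismatch it redirects back to the referrer
     * with JINVALID_TOKEN_NOTICE and never reaches the state change.
     */
    public function archive()
    {
        $this->checkToken();

        $id = $this->input->getInt('id');
        // ... load the model and archive $id here; omitted from the example ...

        $this->setRedirect('index.php?option=com_example&view=items');
    }
}
```

Inherited tasks such as save() in FormController already call checkToken() themselves, so the override pattern matters mainly for custom tasks you add. The check is deliberately independent of keepalive, as the reply above says: keepalive only prevents the session (and with it the token) from expiring under the user; it does not verify anything.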