
Hey Lan your antiCSRF middleware token crap is cramping my proxy posting style.

  1. #1
    Sophie Pedophile Tech Support
    So like. I switched proxies BUT THEN, disaster... I stayed logged in (Thanks cookies) but then i wanted to thank a post and it said the request couldn't be completed. Well i didn't intercept the response but there is some wonkiness going on and i think it has to do with your antiCSRF tokens.
  2. #2
    Lanny Bird of Courage
    That's interesting. Is this reliably reproducible? Every time you switch proxies with a live session? What was the response code?

    The CSRF middleware operates on cookies as well so I wouldn't expect that if you kept your session, it might be possible I bounced the server between you loading the page and clicking thanks (I deploy code and SIGHUP uwsgi a couple times a day) so that might do it, but if you can see this consistently then it would be something different.
  3. #3
    Sophie Pedophile Tech Support
    Originally posted by Lanny That's interesting. Is this reliably reproducible? Every time you switch proxies with a live session? What was the response code?

    The CSRF middleware operates on cookies as well so I wouldn't expect that if you kept your session, it might be possible I bounced the server between you loading the page and clicking thanks (I deploy code and SIGHUP uwsgi a couple times a day) so that might do it, but if you can see this consistently then it would be something different.

    Lemme try.
  4. #4
    Sophie Pedophile Tech Support


    Why yes, it is reproducible. No status code, exception handling is on point.
  5. #5
    Sophie Pedophile Tech Support
    Oh wait look wut, when i reloaded the page the request got sent.
  6. #6
    Lanny Bird of Courage
    Is this a public proxy you're using?

    I grabbed one off of one of those free list things to test where they're all heavily overloaded so a couple of my requests just failed (disconnected before hitting the server at all) producing that alert but some requests went through and updated as expected.
  7. #7
    Sophie Pedophile Tech Support
    Originally posted by Lanny Is this a public proxy you're using?

    I grabbed one off of one of those free list things to test where they're all heavily overloaded so a couple of my requests just failed (disconnected before hitting the server at all) producing that alert but some requests went through and updated as expected.

    Semi public. The load is usually not an issue.
  8. #8
    Lanny Bird of Courage
    Could you send me the network log? Something like this:



    Fiddler or FF's network log would be fine too.
  9. #9
    Sophie Pedophile Tech Support
    Sure hold up.
  10. #10
    Sophie Pedophile Tech Support
    So apparently i am getting a 302 on the thanks button when my proxy tries to send the request.



    If this is just my proxy being ghey, why does it only do this on the thanks button.
  11. #11
    Lanny Bird of Courage
    That picture is small as dick yo.

    This is a fun one though. I'm like 90% sure it's your proxy fucking things up.

    So I wanted the site to work without javascript enabled (you can use noscript or there's an option on your profile page), but some things work better with ajax, thanks is a great example, it's a drag to reload the page every time you thank a post (you lose anything you have in quick reply, it takes longer, scroll position changes). So the thank buttons are forms that submit a thanks request and redirect you back to the post you thanked which is the best you can do without javascript.

    If the user has javascript enabled it submits the same form via AJAX. The catch is the responses need to be different in each case, a redirect if the request was made by browser action and a blob of markup wrapped in some JSON to rerender the thanks block in the XHR case. What you're seeing here is you have JS enabled but my server is responding with the redirect like you don't.

    The way the server tells an XHR request from a form submit is the X-Requested-With header, and indeed your browser is setting it, but my server isn't getting it. That leaves the proxy as the likely candidate, it might be misguidedly swapping that header out for something else to indicate it was that particular proxy that the request was made through (perhaps as a courtesy to web service providers that don't want their users using proxies or something).

    In any case, I'm pretty sure it's the proxy's fault for tampering with the request but I probably shouldn't be leaning on that header to determine the type of the response, for this reason as well as semantics. Opened a GH ticket for it.
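
Added example, not part of the thread and not the site's own code: a minimal Python model of the behaviour described in post #11, where a thanks endpoint keyed on `X-Requested-With` falls back to the 302 once an intermediary drops that header. The endpoint, the `ajax` form field, the `/post/<id>` path and the sample request are assumptions constructed for illustration.

```python
import json

def _lower(headers):
    # HTTP header names are case-insensitive.
    return {k.lower(): v for k, v in headers.items()}

def wants_json_fragile(headers, form):
    # Approach described in the post: XHR is detected only via X-Requested-With.
    return _lower(headers).get("x-requested-with", "") == "XMLHttpRequest"

def wants_json_negotiated(headers, form):
    # Alternative (assumption, not the site's fix): the script states what it
    # wants through a form field in the body or through the Accept header.
    if form.get("ajax") == "1":
        return True
    accept = _lower(headers).get("accept", "")
    types = [part.split(";")[0].strip().lower() for part in accept.split(",")]
    return "application/json" in types

def thank_post(headers, form, detector):
    # Hypothetical thanks endpoint: returns (status, response_headers, body).
    post_id = int(form["post_id"])
    if detector(headers, form):
        body = json.dumps({"post_id": post_id,
                           "markup": "<div class='thanks'>...</div>"})
        return 200, {"Content-Type": "application/json"}, body
    return 302, {"Location": f"/post/{post_id}"}, ""

def proxy_strip(headers, dropped=("x-requested-with",)):
    # Models an intermediary that removes selected request headers.
    return {k: v for k, v in headers.items() if k.lower() not in dropped}

# Constructed sample request, as a script-driven thanks click might send it.
XHR_HEADERS = {"X-Requested-With": "XMLHttpRequest",
               "Accept": "application/json",
               "Cookie": "sessionid=constructed"}
FORM = {"post_id": "42", "ajax": "1"}

if __name__ == "__main__":
    via_proxy = proxy_strip(XHR_HEADERS)
    print("direct, fragile:   ", thank_post(XHR_HEADERS, FORM, wants_json_fragile)[0])
    print("proxied, fragile:  ", thank_post(via_proxy, FORM, wants_json_fragile)[0])
    print("proxied, negotiated:", thank_post(via_proxy, FORM, wants_json_negotiated)[0])
```

The session cookie passes through the modelled proxy untouched, which matches the thread: the login and cookie-based CSRF check survive while only the response type changes.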
  12. #12
    Sophie Pedophile Tech Support
    Originally posted by Lanny That picture is small as dick yo.

    This is a fun one though. I'm like 90% sure it's your proxy fucking things up.

    So I wanted the site to work without javascript enabled (you can use noscript or there's an option on your profile page), but some things work better with ajax, thanks is a great example, it's a drag to reload the page every time you thank a post (you lose anything you have in quick reply, it takes longer, scroll position changes). So the thank buttons are forms that submit a thanks request and redirect you back to the post you thanked which is the best you can do without javascript.

    If the user has javascript enabled it submits the same form via AJAX. The catch is the responses need to be different in each case, a redirect if the request was made by browser action and a blob of markup wrapped in some JSON to rerender the thanks block in the XHR case. What you're seeing here is you have JS enabled but my server is responding with the redirect like you don't.

    The way the server tells an XHR request from a form submit is the X-Requested-With header, and indeed your browser is setting it, but my server isn't getting it. That leaves the proxy as the likely candidate, it might be misguidedly swapping that header out for something else to indicate it was that particular proxy that the request was made through (perhaps as a courtesy to web service providers that don't want their users using proxies or something).

    In any case, I'm pretty sure it's the proxy's fault for tampering with the request but I probably shouldn't be leaning on that header to determine the type of the response, for this reason as well as semantics. Opened a GH ticket for it.

    Ahh, this thread has been educational. I feel more 31337. This was fun.
  13. #13
    SBTlauien African Astronaut
    Originally posted by Lanny That picture is small as dick yo.

    Your dick nigga.

    Originally posted by Lanny but some things work better with ajax, thanks is a great example, it's a drag to reload the page every time you thank a post (you lose anything you have in quick reply, it takes longer, scroll position changes).

    Why can you not send the quick reply data with the request and then place it back in the textbox on the response?
  14. #14
    Lanny Bird of Courage
    Originally posted by SBTlauien Your dick nigga.

    wanna find out bby ;)))

    Why can you not send the quick reply data with the request and then place it back in the textbox on the response?

    It would cost twice the post length in bandwidth which is annoying but it's not like I really need to penny pinch on bandwidth. The main issue is I would have to make the whole page one big form and serve both pieces of functionality (and quotes as well, actually) from the same url which doesn't really conform to the semantics of what a url is and devolves into a maintainability nightmare quickly.
  15. #15
    This thread was exorbitant fun....... AUTISMO LVL 100.
  16. #16
    Lanny Bird of Courage
    people knowing and doing things is indeed a sure sign of autism
  17. #17
    Originally posted by Lanny people knowing and doing things is indeed a sure sign of autism

    You had too much fun doing this. It's probably hard to tell when the Autism in your brain is firing out of all cylinders, though.

    Gombooders r iz so awson. Iz so fun do do this sighup uwsgi a copple temes a day.
  18. #18
    Lanny Bird of Courage
    You can also identify an autist by them enjoying things. Everyone knows mentally healthy people never like doing stuff.
  19. #19
    Originally posted by Lanny You can also identify an autist by them enjoying things. Everyone knows mentally healthy people never like doing stuff.

    Exactly. Now please excuse me as I have to go to bed. Feel free to explain your Autism furthermore in this thread.
  20. #20
    Sophie Pedophile Tech Support
    Originally posted by RisiR Exactly. Now please excuse me as I have to go to bed. Feel free to explain your Autism furthermore in this thread.

    Figuring stuff out is pretty fun though and this was an unusual problem with a counter-intuitive cause as far as i am concerned.