Sorry about that! Rolled out some new security and missed one bit there. Solved.

Thank you for the report!

I'm finding something possibly related. Sometimes when I try to do a reply (never an original post, always a reply to someone) a little popup says "Sorry, your account security token was either not set or invalid. If this was a legitimate post attempt, please report the bug."
This has happened on both my desktop and laptop computer. If I reload the page it's OK.

Quoting: Purple Library GuyI'm finding something possibly related. Sometimes when I try to do a reply (never an original post, always a reply to someone) a little popup says "Sorry, your account security token was either not set or invalid. If this was a legitimate post attempt, please report the bug."
This has happened on both my desktop and laptop computer. If I reload the page it's OK.

Experienced the same thing the other day too.

How long were you on the page when it happens?

I assume this is about CSRF tokens? You shouldn't worry about having them last too long. You'll get most of the protection even if they last until the end of the session, and that's how they mostly seem to be used in the real world.

Quoting: tuubiI assume this is about CSRF tokens? You shouldn't worry about having them last too long. You'll get most of the protection even if they last until the end of the session, and that's how they mostly seem to be used in the real world.

Well it's concerning since it seems it's failing for a few people. Which is one of two things either it's not being set properly or people sat on the page for too long and it timed out. Hmmmm.

Quoting: Liam Dawe

Quoting: tuubiI assume this is about CSRF tokens? You shouldn't worry about having them last too long. You'll get most of the protection even if they last until the end of the session, and that's how they mostly seem to be used in the real world.

Well it's concerning since it seems it's failing for a few people. Which is one of two things either it's not being set properly or people sat on the page for too long and it timed out. Hmmmm.

Yeah that's what I was thinking. My suggestion was to avoid the latter problem by simply using a persistent token for each user session or at least giving the tokens a very generous lifetime. They're not access tokens so lifetime isn't critical.

Quoting: tuubiYeah that's what I was thinking. My suggestion was to avoid the latter problem by simply using a persistent token for each user session or at least giving the tokens a very generous lifetime. They're not access tokens so lifetime isn't critical.

Currently it's just set in the session, so it times out with the session. Any thoughts on the best way around that other than extending session times?

Quoting: Liam Dawe

Quoting: tuubiYeah that's what I was thinking. My suggestion was to avoid the latter problem by simply using a persistent token for each user session or at least giving the tokens a very generous lifetime. They're not access tokens so lifetime isn't critical.

Currently it's just set in the session, so it times out with the session. Any thoughts on the best way around that other than extending session times?

Ah. I don't really see a good way to get around this if the user takes long enough to type their reply that their session is already gone when they submit the form. I guess they might load a bunch of articles in tabs and only get around to actually reading them and commenting a few hours later. Maybe... add the token on demand when the user actually starts to comment/reply instead of when they load the articles or threads?

Quoting: Purple Library GuySorry, your account security token was either not set or invalid. If this was a legitimate post attempt, please report the bug.

This gave me an idea. It used the same error for two possible issues, so I've given them separate error messages. So now we can see if it's not being set somewhere or if it's a case of it timing out. That should give me a good point to start from when it happens again.