Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve how SecurityErrors are handled #12

Closed
2 tasks done
jonasmalacofilho opened this issue Jan 7, 2018 · 3 comments
Closed
2 tasks done

Improve how SecurityErrors are handled #12

jonasmalacofilho opened this issue Jan 7, 2018 · 3 comments

Comments

@jonasmalacofilho
Copy link
Member

jonasmalacofilho commented Jan 7, 2018
edited
Loading

A SecurityError is raised if a POST /novo/dados, POST /novo/confirma or GET /novo/status/ was attempted with missing/incorrect/invalid state card request id in the corresponding parameter or cookie.

While there is a reasonable reason this might happen (e.g. as the result of an unlikely race between different requests of the same user), we're seeing this too much (at least once a day) on the logs.

Maybe there's a bug and we're blocking users without reason?

We should start by including in the next merge window:

  • more context for the errors (parameter/cookie value, card request id and state) (deployed in v1.1.1)
  • stop trashing the module after these errors; in particular, if the error isn't a false positive (it's actually a security issue) we don't want to degrade the server capacity (deployed in v1.1.4)
@jonasmalacofilho jonasmalacofilho changed the title Improve how SecurityErrors (invalid card request id on late POST) are handled Improve how SecurityErrors are handled Jan 7, 2018
@jonasmalacofilho
Copy link
Member Author 

Jan 03 11:25:16 BelCard env[58202]: [01c5] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:173)
Jan 04 08:58:12 BelCard env[1319]: [dff6] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 04 09:02:20 BelCard env[1319]: [3507] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 04 09:12:34 BelCard env[1319]: [ad38] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 04 14:14:01 BelCard env[1319]: [56b1] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 04 14:14:22 BelCard env[1319]: [2bb7] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 04 18:35:36 BelCard env[1319]: [8f5e] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 04 19:40:58 BelCard env[1319]: [edf1] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 04 19:41:12 BelCard env[1319]: [7fd1] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 04 19:41:40 BelCard env[1319]: [72e1] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 05 11:20:12 BelCard env[81201]: [6f86] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 05 19:46:34 BelCard env[81201]: [3ec4] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 05 19:51:28 BelCard env[81201]: [0c8a] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 05 21:31:30 BelCard env[81201]: [13d6] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 06 17:34:36 BelCard env[81201]: [9fb3] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 06 19:12:32 BelCard env[81201]: [0b37] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 06 21:08:04 BelCard env[81201]: [d5bb] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:175)
Jan 07 07:44:39 BelCard env[102138]: [2667] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:211)
Jan 07 07:45:13 BelCard env[102138]: [4e9e] ERROR after 1 ms: card request not found or in wrong state  @Server:abort  (Server.hx:211)

jonasmalacofilho added a commit that referenced this issue Jan 9, 2018
@jonasmalacofilho
Trace some data for missing cookie or invalid request state (see #12)
48a9ae9
@jonasmalacofilho
Copy link
Member Author

Apparently this is caused by users going back to the form when they needed to start a new request (e.g. after the request has failed).

jonasmalacofilho added a commit that referenced this issue Jan 12, 2018
@jonasmalacofilho
Improve handling of card request not found/wrong state errors (see #12)
635548a
@jonasmalacofilho
Copy link
Member Author

Closed with v1.1.4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jonasmalacofilho