error message while adding members
Hello experts,
I am unable to add or subscribe any member using mass subscription option under membership management of my mailing list. I am facing the below error since yesterday:
Error: The form lifetime has expired. (request forgery check)
Please suggest a remedy for it.
Thanks,
Amit Bhatt
Amit Bhatt wrote:
I am unable to add or subscribe any member using mass subscription option under membership management of my mailing list. I am facing the below error since yesterday:
Error: The form lifetime has expired. (request forgery check)
This message comes from the new in 2.1.15 CSRF mitigation features.
When did you upgrade to 2.1.15?
Have you set a value for FORM_LIFETIME in mm_cfg.py? If so, what? (The default setting in Defaults.py is 1 hour.)
What the message is telling you is that the mass subscribe form you are submitting was retrieved from the host longer than FORM_LIFETIME before it was submitted. If this is not the case, there is some issue in your web server. Perhaps the FAQ at http://wiki.list.org/x/ioA9 is applicable.
--
Mark Sapiro mark@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan
Yes, surprisingly, the mailing list has been updated to the new version 1.1.15 without any effort made by me. I am surprised because I have never tried to update the list. Is it possible that the update was done from our web server end?
I have noticed this change after seeing your reply.
Regards,
Amit Bhatt
On Sat, 2012-11-03 at 07:52 -0700, Mark Sapiro wrote:
What the message is telling you is that the mass subscribe form you are submitting was retrieved from the host longer than FORM_LIFETIME before it was submitted. If this is not the case, there is some issue in your web server. Perhaps the FAQ at http://wiki.list.org/x/ioA9 is applicable.
Could this be caused by a web proxy that's improperly caching the form page and serving it to the client in spite of the fact that csrf_token has changed? Or improperly indicating to the client that the page hasn't changed so that the client displays from its own cache instead of requesting it again from the server?
Amit, I think a good test here would be to clear your browser's cache, reload the subscription form, and see if you get the same error. The experts may have a better suggestion, but this is what I'd try.
--
Lindsay Haisley | "In an open world, who needs
FMP Computer Services | Windows or Gates"
512-259-1190 |
http://www.fmp.com |
Dear Lindsay,
Thanks for your excellent suggestion, it has worked for me!
Now the subscription is being done smoothly.
Regards,
Amit Bhatt
On Sat, 2012-11-03 at 23:19 +0530, Amit Bhatt wrote:
Dear Lindsay,
Thanks for your excellent suggestion, it has worked for me!
Now the subscription is being done smoothly.
This addresses the symptom, but not the underlying problem, which may recur. HTTP caching can be fairly complex, and your local browser cache is simply the last link in the chain. Clearing your browser's cache each time before loading this form will avoid the problem, but not solve it, and it shouldn't be necessary.
Deleting your browser cache forces a refresh from the server, or proxy server, but the underlying problem is that your browser _thinks_ that it has the most recent version of the form page in its cache, so it displays it. Mailman's CGI mechanism that issues the form page should always inform the user agent, or proxy server, that the page is new, so that any agent in the chain, proxy server or browser, will discard a cached version and reload it. So what's broken here is the exchange of this information. I suppose this _could_ be a browser problem, but IMHO it's more likely to be a problem further back toward the server, or on the server itself.
Every mass subscription page form has a token, labeled "csrf_token", the value of which is a string of letters and numbers, and is different each time the page is generated by the CGI script. This token is sent back to Mailman when you submit the form. This token is interpreted by Mailman, which uses it to determine how long ago the page was generated, and to refuse it if the page is older than FORM_LIFETIME, set in Defaults.py or mm_cfg.py. So because this token changes with every service of this form, the page is always "new" and every element of the connection between the CGI script and your browser should be told that this is the case.
A couple of questions might help to understand this:
Are you using an HTTP proxy server? This information would have been intentionally set in your browser's configuration. If so, do you know anything about this proxy server?
What kind and version of browser are you using?
On what kind of system is Mailman running and what kind (Apache, MSIIS, etc.) and version is the web server?
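A sketch of the mechanism discussed in this thread, added as an example and not Mailman's own code: a form token that carries its generation time and is refused once older than FORM_LIFETIME, plus a check of whether response headers let a proxy or browser replay the form page. The token layout, the key and all function names are assumptions of this example.

```python
import hashlib
import hmac

FORM_LIFETIME = 3600                 # seconds; the thread cites a 1 hour default
SECRET = b"constructed-demo-secret"  # constructed key, assumption of this example


def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def make_token(issued_at):
    """Return 'timestamp:mac', tying the form to the moment it was generated."""
    ts = str(int(issued_at))
    return ts + ":" + _mac(ts)


def check_token(token, now):
    """Classify a submitted token as 'ok', 'expired' or 'invalid'."""
    ts, sep, mac = token.partition(":")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return "invalid"
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return "invalid"              # tampered or forged token
    age = now - int(ts)
    if age < 0 or age > FORM_LIFETIME:
        return "expired"              # the "form lifetime has expired" case
    return "ok"


def reusable_without_revalidation(headers):
    """True if these response headers let a cache replay the form page as-is."""
    cc = headers.get("Cache-Control", "").lower().replace(" ", "")
    directives = set(cc.split(",")) if cc else set()
    blocked = {"no-store", "no-cache", "max-age=0"}
    if directives & blocked or headers.get("Pragma", "").lower() == "no-cache":
        return False
    return True                       # explicit or heuristic freshness applies


def replay_cached_form(generated_at, hours_in_cache):
    """Submit a form that a cache held for some hours after it was generated."""
    token = make_token(generated_at)
    return check_token(token, generated_at + hours_in_cache * 3600)
```

A form page whose headers make `reusable_without_revalidation` return True can be shown from a cache long after it was generated, which is how a user who has just loaded the page can still submit a token older than FORM_LIFETIME.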