POST request fails if user not authenticated

Bug #2115 reported by Paul Sladen on 2005-09-07
Affects Status Importance Assigned to Milestone
Launchpad itself

Bug Description

A page submit using a POST request fails with the message:

  Application error. Unauthenticated user POSTing to page that requires authentication.

if the user is not logged in. This can happen when somebody has been editing a page/form and Launchpad's session database has been purged in the mean-time. This leads to data loss, particularly if the /previous/ page was call generated by a POST and marked uncachable (meaning it's not even possible to go backwards and copy+paste the data elsewhere).

In the above situation, the user should be directed to login to Launchpad and then save the data after this has happened.

Paul Sladen (sladen) wrote :

I've just lost a large post to 2117, because of the above bug! (Pressing back caused the page to be reloaded because of the [sodding] uncachability---and hence lose the post that wasn't able to be submitted).

This is a bug that I've experienced *enough times* in my first 24 hours of trying to use Malone that I'm wondering if I can really be bothered to waste time writing details if there is a 33% of losing them.

Yes, this is 10x more annoying that not being able to post a bug-report in the first place.

Christian Reis (kiko) wrote :

It's interesting that I never encountered an uncacheability problem with a Malone bug page, though. I suspect this bug is a dupe, but I need to find it.

Paul Sladen (sladen) wrote :

Of the two parts, it's very easy to verify the first part. By going to:

and then deleting the authenication cookie in your web-browser. Submitting the page now results in the message about an Unauthenicated User.

For part two, the other possibility is that the text is/was disappearing behind the ''Add a comment to this bug'' drop down. Some javascript would probably solve this by expanding the drop-down if the contents are found to be != "".

Brad Bollenbach (bradb) on 2005-11-03
Changed in malone:
assignee: nobody → bradb
status: New → Accepted
Changed in malone:
assignee: bradb → stevea
Stuart Bishop (stub) wrote :

Authentication is now (very) persistant, so this bug should rarely bite people now.

I think this is pretty much fixed now I think :)

Matthew Paul Thomas (mpt) wrote :

Not as important now, because it occurs only if you clear your cookies. But it's still a problem that (for example) Bugzilla has solved.

Changed in launchpad:
importance: Medium → Low
Changed in launchpad:
assignee: stevea → nobody

<m-c> Getting an "Application error." when trying to reset user password, on Launchpad.
<andrea-bs> m-c: do you get an OOPS?
<m-c> andrea-bs: The complete error is, "Application error. Unauthenticated user POSTing to page that requires authentication."
<m-c> This is immediately after completing the "Reset password" form.
<andrea-bs> m-c: this seems a browser problem, not a launchpad issue
<andrea-bs> m-c: which web browser are you using?
<m-c> Are there third-party cookies that I need to allow? I am using Firefox 3 (default with Ubuntu 8.04.1).
<andrea-bs> m-c: I've tried to reset my password wit FF3 and I get no error, can you tell me which is the exact page where you get the error, please?
<m-c> Let me try it again. The page I was repeatedly getting errors, previously was: " "
<andrea-bs> m-c: this seems bug #2115, can you confirm this?
<ubottu> Launchpad bug 2115 in launchpad "POST request fails if user not authenticated (eg. launchpad restarted)" [Low,Confirmed]
<m-c> Just tried it again, with the same results. Going to look at the bug now.
<andrea-bs> m-c: what happens deleting your cookies?
<m-c> I am not real eager to delete all my cookies...
<m-c> But for the sake of Launchpad, I will give it a try!
<andrea-bs> m-c: you can delete just the cookies if you prefer
<m-c> After removing all cookies, I was able to login, thank you very much!

Leonard Richardson (leonardr) wrote :

I ran into this error while working on the launchpadlib trusted client. I'm sniffing this string to provide a good user experience. My code would be more robust if this error was accompanied by a 401 response code ("Unauthorized") instead of 500 ("Internal Server Error").

Robert Collins (lifeless) wrote :

I've tweaked the description because it was inaccurate (we restart LP very often - the session database is persistent). That said, while I can imagine possible improvements here, dealing with anonymous POST is really very tricky, and I think we're better off not doing that on the server side: better for client browsers to let users retry (which they do) - and the user to just log in in another tab and hit the retry button on their browser.

summary: - POST request fails if user not authenticated (eg. launchpad restarted)
+ POST request fails if user not authenticated
description: updated
Robert Collins (lifeless) wrote :

If we OOPS when this happens, we can and should fix that.

Changed in launchpad:
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Related blueprints