"Bad Request" when posting

Re: "Bad Request" when posting

Post by: titleist1 On: Thu Jul 05, 2012 7:13 pm

Richard, your link also directed me to the homepage with no error.
titleist1
Member
 
Posts: 1513
Joined: Wed Nov 14, 2007 5:06 pm
Location: Cecil County, MD
Stove/Furnace Make: Harman
Stove/Furnace Model: Magnum Stoker, Mark III


Re: "Bad Request" when posting

Post by: Richard S. On: Thu Jul 05, 2012 7:23 pm

Well, that is not the answer I expected. I'll look into it tomorrow.
Richard S.
Mayor
 
Posts: 11060
Joined: Fri Oct 01, 2004 8:35 pm
Location: NEPA
Stove/Furnace Make: Van Wert
Stove/Furnace Model: VA1200

Re: "Bad Request" when posting

Post by: lsayre On: Thu Jul 05, 2012 7:35 pm

Out of all of the posts and revisions to posts I've made today, I only saw the error message pop up once.
lsayre
Member
 
Posts: 3970
Joined: Wed Nov 23, 2005 10:17 pm
Location: N/E Ohio, near Wadsworth
Stove/Furnace Make: AHS S130 Coal Gun

Re: "Bad Request" when posting

Post by: Richard S. On: Thu Jul 05, 2012 7:42 pm

lsayre wrote: Out of all of the posts and revisions to posts I've made today, I only saw the error message pop up once.


Well, there shouldn't be any server errors. What was the error?
Richard S.
Mayor
 
Posts: 11060
Joined: Fri Oct 01, 2004 8:35 pm
Location: NEPA
Stove/Furnace Make: Van Wert
Stove/Furnace Model: VA1200

Re: "Bad Request" when posting

Post by: lsayre On: Thu Jul 05, 2012 7:44 pm

I knew I should have written it down. Something about an "incorrect form" perhaps. But when I pressed "submit" a second time it went through.
lsayre
Member
 
Posts: 3970
Joined: Wed Nov 23, 2005 10:17 pm
Location: N/E Ohio, near Wadsworth
Stove/Furnace Make: AHS S130 Coal Gun

Re: "Bad Request" when posting

Post by: Richard S. On: Thu Jul 05, 2012 8:11 pm

lsayre wrote: I knew I should have written it down. Something about an "incorrect form" perhaps. But when I pressed "submit" a second time it went through.


That's not a server error, that's a security feature on purpose. Any page that can accept input information is issued with a unique "token" which is only valid for half an hour; you'll need to resubmit the form once the token has expired.


-------edit------

Here's an example from Wikipedia:

Cross-site request forgery



The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have been authenticated.[1] For example, one user, Bob, might be browsing a chat forum where another user, Fred, has posted a message. Suppose that Fred has crafted an HTML image element that references an action on Bob's bank's website (rather than an image file), e.g.,

<img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=Fred">

If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Bob's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.

A cross-site request forgery is a confused deputy attack against a Web browser. The deputy in the bank example is Bob's Web browser which is confused into misusing Bob's authority at Fred's direction.



I think I might be able to explain this a little better. Suppose you're logged in here. You go to a page on another site that has an image in the HTML code; you won't ever see this as an image because it isn't:

<img src="http://nepacrossroads.com/posting.php?message=the mayor is an idiot">


Like I said, you won't see this image because it isn't an image, but your browser is still going to try and load this page and post your message "the mayor is an idiot". :D The token prevents that from happening because it's like a gazillion to one shot they would guess the right token, and they only have half an hour to do it anyway.
Richard S.
Mayor
 
Posts: 11060
Joined: Fri Oct 01, 2004 8:35 pm
Location: NEPA
Stove/Furnace Make: Van Wert
Stove/Furnace Model: VA1200
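
The token check described in the post above, sketched as an added example; it is not part of the original thread and not the forum software's own code. The function names, the HMAC construction and the per-site secret are assumptions; only the half-hour lifetime comes from the post.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME = 30 * 60                 # seconds: the half hour from the post
SERVER_SECRET = secrets.token_bytes(32)  # hypothetical per-site secret


def _mac(session_id, form_name, created):
    """Tie the token to one session, one form and one creation time."""
    msg = f"{session_id}|{form_name}|{created}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, form_name, now=None):
    """Return (creation_time, token) to embed as hidden fields in the form."""
    created = int(time.time() if now is None else now)
    return created, _mac(session_id, form_name, created)


def check_submission(session_id, form_name, created, token, now=None):
    """Return 'ok', 'expired' or 'invalid' for a submitted form."""
    now = int(time.time() if now is None else now)
    try:
        created = int(created)
    except (TypeError, ValueError):
        return "invalid"                 # field missing: e.g. a forged request
    if not isinstance(token, str):
        return "invalid"
    expected = _mac(session_id, form_name, created)
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return "invalid"
    if not 0 <= now - created <= TOKEN_LIFETIME:
        return "expired"                 # user is shown the form again
    return "ok"


if __name__ == "__main__":
    # Constructed sample data: a logged-in session opening the posting form.
    created, token = issue_token("sess-bob", "posting", now=1000)
    print(check_submission("sess-bob", "posting", created, token, now=1600))
    print(check_submission("sess-bob", "posting", created, token, now=3000))
    # A cross-site request carries the cookie but cannot supply the token.
    print(check_submission("sess-bob", "posting", None, None, now=1600))
```

The "expired" result corresponds to the case in the thread where the form had to be submitted a second time; the "invalid" result is what a request triggered from another site gets, since it has the session cookie but not the hidden token.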