Hello,
I'm working on an application that allows users to upload large files or many files; either way, it may take a lot of time. I have an upload form that uses SWFUpload for the file transfer, and after it finishes the form is submitted. This results in submissions happening a considerable amount of time after the form was generated.
I'm also using the Security component for CSRF protection and some of my users are encountering the "request blackholed" error (which is annoying when it happens after e.g. 40 minutes of uploading files).
This is my configuration:
- Session
  - defaults => php
  - timeout => 120
  - cookieTimeout => 0
- Security
  - csrfExpires => +6 hour
  - csrfUseOnce => false
I would expect that with these settings no user should get the "request blackholed" error if their upload takes less than 2 hours.
Based on the data in my DB I can infer that the users get the error within one hour so clearly something is not right.
Am I missing some more settings that could influence this?
Also, I have disabled csrfUseOnce to fix problems with page reloading, going back, etc.
But doesn't it mean that if a user is interacting with the page for 6 hours then the form generated before the 6-hour mark and submitted after that mark will be blackholed? Maybe this is what has happened?
What would you recommend to make this robust? I could work around the session timeout by making keep-alive requests to the server (to some extent this is already happening as the session is updated with each uploaded file). Maybe I should make my own CSRF protection that can also use such an approach to token expiration?
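The post describes two independent expiry clocks: a session that lapses after a period of inactivity, and a CSRF token that lapses a fixed time after the form was rendered. The model below is an added illustration, not code from the post or from CakePHP. It assumes, as a labelled modelling choice, that tokens are stored inside the session (so an expired session takes its tokens with it) and that every request slides the session's inactivity window; all names (`CsrfModel`, `scenario`) and the timings are constructed to match the figures in the post.

```python
"""Model of CSRF-token lifetime when the token is held in a sliding session.

Constructed example. Two clocks apply to every submission:
  1. the session must not have been idle longer than `session_timeout`;
  2. the token must be younger than `csrf_expires` since it was issued.
The effective lifetime of a form is therefore bounded by whichever clock
runs out first, and keep-alive requests only reset the first one.
"""
from dataclasses import dataclass, field
import secrets

MINUTE = 60
HOUR = 60 * MINUTE


@dataclass
class Session:
    timeout: int                                  # idle window in seconds
    last_activity: int                            # timestamp of last request
    tokens: dict = field(default_factory=dict)    # token -> absolute expiry


class CsrfModel:
    def __init__(self, session_timeout, csrf_expires, use_once=False):
        self.session_timeout = session_timeout
        self.csrf_expires = csrf_expires
        self.use_once = use_once
        self.session = None

    def _alive(self, now):
        s = self.session
        return s is not None and now - s.last_activity <= s.timeout

    def request(self, now):
        """Any request (page load, upload chunk, keep-alive): drop a stale
        session, otherwise slide its idle window forward."""
        if not self._alive(now):
            self.session = Session(self.session_timeout, now)
        else:
            self.session.last_activity = now
        return self.session

    def render_form(self, now):
        """Issue a token; it lives in the session with its own expiry."""
        session = self.request(now)
        token = secrets.token_hex(16)
        session.tokens[token] = now + self.csrf_expires
        return token

    def submit(self, token, now):
        """Validate a form post. Returns (accepted, reason)."""
        session_ok = self._alive(now)
        session = self.request(now)          # the request itself counts as activity
        if not session_ok:
            return False, "session expired"  # tokens went with the old session
        expiry = session.tokens.get(token)
        if expiry is None:
            return False, "unknown token"
        if now > expiry:
            del session.tokens[token]
            return False, "token expired"
        if self.use_once:
            del session.tokens[token]
        return True, "ok"


def scenario(keepalive_every=None, submit_at=121 * MINUTE,
             session_timeout=120 * MINUTE, csrf_expires=6 * HOUR):
    """Render a form at t=0, optionally send keep-alives, then submit."""
    model = CsrfModel(session_timeout, csrf_expires)
    token = model.render_form(0)
    if keepalive_every:
        t = keepalive_every
        while t < submit_at:
            model.request(t)
            t += keepalive_every
    return model.submit(token, submit_at)


if __name__ == "__main__":
    # Idle upload finishing one minute past the 120-minute session window.
    print("idle, submit at 121 min:      ", scenario())
    # Same, but each uploaded file (every 10 min) touches the session.
    print("keep-alive, submit at 121 min:", scenario(keepalive_every=10 * MINUTE))
    # Session kept alive, but the token itself outlives csrfExpires.
    print("keep-alive, submit at 6h01m:  ",
          scenario(keepalive_every=10 * MINUTE, submit_at=6 * HOUR + MINUTE))
```

The first scenario shows a submission rejected because the session, not the token, ran out; the third shows the case the post asks about, where the session is healthy but a token issued before the csrfExpires mark is rejected after it. Keep-alives extend the first clock only; handling the second needs the token to be reissued or refreshed, which is a separate design decision.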