From e1d2ecef1067c5117634b36d6e257fa8abbd6bad Mon Sep 17 00:00:00 2001
From: Andrew Huling
Date: Wed, 13 May 2015 11:26:07 -0400
Subject: [PATCH 1/2] In the case of an expired nonce, return a 400 status code instead of a 500.
500 status codes are for unexpected server-side error scenarios. When an expired nonce is used by the client, a 4XX-level error is more appropriate because the client has submitted a bad request (by using an expired nonce). A 500 also causes Internet Explorer to show its default 500 page which does not show the error message and leads to a bad end user experience. I am choosing 400 for the new status rather than 401 or 403 because 401 requires a WWW-Authenticate header which would be difficult to generate in an SSO scenario and a 403 implies that no re-authentication will address the failure.
---
 app/controllers/session_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index 00dbbe1d74b..7588125bbaa 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -57,7 +57,7 @@ class SessionController < ApplicationController
 sso = DiscourseSingleSignOn.parse(request.query_string)
 if !sso.nonce_valid?
- return render(text: I18n.t("sso.timeout_expired"), status: 500)
+ return render(text: I18n.t("sso.timeout_expired"), status: 400)
 end
 if ScreenedIpAddress.should_block?(request.remote_ip)
From e44ddff9bb2717291dd80693ec7821cf8006a48b Mon Sep 17 00:00:00 2001
From: Andrew Huling
Date: Tue, 19 May 2015 13:13:14 -0400
Subject: [PATCH 2/2] Change the expired nonce return status code from 400 to 419.
---
 app/controllers/session_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index 7588125bbaa..6fafe561509 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -57,7 +57,7 @@ class SessionController < ApplicationController
 sso = DiscourseSingleSignOn.parse(request.query_string)
 if !sso.nonce_valid?
- return render(text: I18n.t("sso.timeout_expired"), status: 400)
+ return render(text: I18n.t("sso.timeout_expired"), status: 419)
 end
 if ScreenedIpAddress.should_block?(request.remote_ip)
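Review bot: The `status: 419` on the added line is not a registered HTTP status code (RFC 7231 §6 leaves 419 unassigned and tells clients to treat an unrecognized 4xx as 400), and as far as I can tell Rack's status table carries no reason phrase for it, so in the code it reads as a magic number with no rationale — this commit's message states the change but not why. The first patch's message cites Internet Explorer replacing a short 500 body with its own error page, which suggests 419 was picked because a plain 400 triggers the same behaviour, but that is inferred, not stated; please record the actual reason above the `return`, e.g. `# 419 is deliberately non-standard: a registered 4xx/5xx makes some browsers replace this short body with their own error page`, and consider naming it, e.g. `NONCE_EXPIRED_STATUS = 419`, so it is not "corrected" back to 400 later. The enclosing method starts and ends outside the hunk.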