Thread: If you are getting an expired token error when responding to a thread

  1. #1
    Join Date
    Nov 2014
    Location
    Seattle, WA
    Posts
    3,918

    On another thread a question was raised about the forum timing out while you are writing a post. If that happens the site returns an error when you submit the post and you may lose what you have written. In my experience this problem is due to a security feature within vBulletin (the forum software) that uses an expiring token to prevent certain types of attacks on the bulletin board servers.

    I don't know the length of time for which the token is valid (maybe Scot will weigh in here) but it seems to be fairly long to me. At least 30 minutes and possibly longer. The timeout period should restart every time the page is refreshed but if you leave a page open in the browser for some length of time and then come back to it and attempt to post you may run into the problem. Also it may happen if you spend a long time composing your post, with many edits and deletions and attempts to word the perfect cutting response to some lunatic... Oops, I mean trying to create the most helpful reply to a fellow forumite in need.

    Some things I do to avoid the problem are:

    1. Always refresh the page to get a new token before creating a post

    2. Always copy the post entry so it can be recovered if the post does not submit (the site *should* auto-save your content and you can get it back using the recover option but I have found that's not always reliable)

    3. Alternately for very long posts, edit in a separate document and copy/paste into the forum editor to submit.

    I will note that I have not noticed that the issue is more of a problem with a poor internet connection; however, it's possible that a poor cell connection could trigger issues in some way, for example if switching to a different cell tower or cell network causes the IP address of the posting device to change. I don't know if vBulletin checks IP for a given token across server requests but it would be a reasonable security check so it might.
    - Chris

    Life is short. Go boating now!

  2. #2
    Join Date
    Apr 2005
    Location
    Hills of Vermont, USA
    Posts
    30,262

    Good thoughts Chris!
    "If it ain't broke, you're not trying." - Red Green

  3. #3
    Join Date
    Oct 2018
    Location
    lagunitas, ca, usa
    Posts
    632

    Quote Originally Posted by cstevens View Post
    I don't know the length of time for which the token is valid (maybe Scot will weigh in here) but it seems to be fairly long to me. At least 30 minutes and possibly longer.
    It takes approximately fifteen seconds here in your favorite marina. T-Mobile's data is pretty bad but still ... I could install Wireshark to try to see what is happening but it's not worth the effort.

    btw, this whole "security" schtick is getting real real old. In most cases there is absolutely no need for it. I don't keep nekkid pictures of me having sex with the dog on iCloud, if someone hacks into my precious woodenboat account and forges ten ridiculous posts it won't be any worse than what I already do, it's NOT about "security", it's about google making sure that no one can replace their ads with someone else's ads. Nothing on the internet is secure or ever will be and the sooner people accept that the better. Because of this idiot https craze we've lost a whole bunch of useful tools and added a layer of useless complexity to our lives. It sucks.

    I will now go re-log in to send this

    p.s. Yup, as predicted. If I am very quick I can do an edit before being kicked off again ... let's see ...

  4. #4
    Join Date
    Nov 2014
    Location
    Seattle, WA
    Posts
    3,918

    Quote Originally Posted by Favorite View Post
    It takes approximately fifteen seconds here in your favorite marina. T-Mobile's data is pretty bad but still ... I could install Wireshark to try to see what is happening but it's not worth the effort.

    btw, this whole "security" schtick is getting real real old. In most cases there is absolutely no need for it. I don't keep nekkid pictures of me having sex with the dog on iCloud, if someone hacks into my precious woodenboat account and forges ten ridiculous posts it won't be any worse than what I already do, it's NOT about "security", it's about google making sure that no one can replace their ads with someone else's ads. Nothing on the internet is secure or ever will be and the sooner people accept that the better. Because of this idiot https craze we've lost a whole bunch of useful tools and added a layer of useless complexity to our lives. It sucks.

    I will now go re-log in to send this

    p.s. Yup, as predicted. If I am very quick I can do an edit before being kicked off again ... let's see ...
    Hm. Couple of thoughts here. First, "security" in this case is not about ads, or Google or any of that stuff. It's about preventing a malicious actor from compromising the WBF servers rather than security of your PC/browser/etc. And that's a very real issue. When I was MUCH younger and more naive than I am now I once set up an open, anonymous FTP site to store some files that I was using on a website. It wasn't on a public domain - just available by an IP address - so I figured it would be safe enough for a while at least. Boy was I mistaken. It took less than a week for someone to dump several GB of pornography images onto it. That could happen to the WBF just as easily, so Scot and crew need to be on guard there.

    That said, 15 seconds is way too short. That has nothing to do with the normal security token timeout and that's definitely not the WBF software making that happen. Sounds more like a browser compatibility issue or a client config setting. With any luck I'll be in Blaine tomorrow and could take a look at your settings to see if I can solve it. Trying to wrap up all my critical projects so I can go cruising...
    - Chris

    Life is short. Go boating now!

  5. #5
    Join Date
    Apr 2005
    Location
    Hills of Vermont, USA
    Posts
    30,262

    I moved this from Ron's thread to here:

    Quote Originally Posted by Favorite View Post
    Developers should be forced to do their work on a Pentium 90. That way the useless barstadges would see what it's like for normal people. Every cute little jumping bunny rabbit they think up gobbles extra cycles and on paid-for data plans, costs someone money.

    And I thought the [blink]blink tag[/blink] was bad
    I worked for a company that was talked into a web site that was 100% flash (& cost 100K in 2001 dollars). Forgetting about how bad flash is for a moment, imagine trying to load a flash site on dialup. I had them do a survey & they found that 45% of their users were on dialup & 30% on DSL - but the reaction in the marketing dept. (don't get me started) was that they should upgrade. When I said "To what?" they were shocked to learn that some people in rural areas don't have cable or fiber.

    The world is full of idiots!
    "If it ain't broke, you're not trying." - Red Green

  6. #6
    Join Date
    Oct 2018
    Location
    lagunitas, ca, usa
    Posts
    632

    Quote Originally Posted by cstevens View Post
    Hm. Couple of thoughts here. First, "security" in this case is not about ads, or Google or any of that stuff. It's about preventing a malicious actor from compromising the WBF servers rather than security of your PC/browser/etc.
    https has nothing to do with that. That's been the same since the beginning of time (if you'll remember one of the Mickeysoft complaints about IBM was that "those old fuddy-duddies are crazy about 'security' ! Ha ! Old fuddy-duddies !")

    Proper setup of a web site is not the same as the modern obsession with https. Timing me out in fifteen seconds does not do anything to safeguard woodenboat's servers. Users should never have access to woodenboat's servers. If they do, it's a giant fubar on the admin's part.

    https is about advertising -- it's about the security of google's advertising income. That's why they were the ones pushing this dog poo.

  7. #7
    Join Date
    Apr 2005
    Location
    Hills of Vermont, USA
    Posts
    30,262

    I think you forgot the <rant></rant> tags...

    Like Chris, I don't think the 15 second timeout is a WBF/vBulletin thing. I have never seen it. In fact, I just - between the typing of the last sentence & this one - went upstairs, poured a cup of coffee, made a couple of pieces of toast, came back down, stoked the woodstove, and sat back down & typed this. Had to have been at least 5 minutes - with this same reply open all the time.

    We can agree to disagree about HTTPS...
    "If it ain't broke, you're not trying." - Red Green

  8. #8
    Join Date
    Nov 2014
    Location
    Seattle, WA
    Posts
    3,918

    Not to be pedantic, but... (I think I'm going to start all future WBF posts with the phrase "not to be pedantic, but..." if only as a reminder to, you know, not be pedantic!) But in any case, the security token issue I was talking about has nothing to do with https. It's designed to prevent what's called a "CSRF" attack. CSRF being "cross-site request forgery", in which the attacker spoofs a user's session to acquire their rights on the server.

    One may ask "how important could that possibly be to a forum site dedicated to an arcane and somewhat nerdy topic like wooden boats"? And it's true that the financial rewards to any attacker are likely to be slim. However the potential costs to the hosting organization and to Scot's time and general well-being in responding to any attack could be very high. Even if the attacker is only spamming the site with ads for p$$$s en$$$$$ment products and the like. Or is it Russian brides these days? I'm out of touch with the current trends in sleazy spambotware.

    I used to provide support for a number of websites, including a web portal for the Microsoft Digital Crimes Unit and a site for a mid-tier regional bank. Once you start playing with stuff that people really do want to attack it's a whole new level of agita. Hence the "used to". I've been dragged out of bed on far too many nights to address some issue with a website to ever think casually about security.

    That said, I'll agree that the recent push by Google to require HTTPS for sites that they list is partially driven by business objectives rather than security. It's one more factor that they can use to increase the quality of their ad traffic, which increases click-through rates and improves ad revenues. They did something similar with mobile compatibility as well. But I'd still venture that increased security and improved mobile compatibility are generally good, even so.

    And now that you have waded through my not-at-all-pedantic screed on the nature of internet freedom, security and the seedy underside of the interwebs, I have one thought on the rapid timeout:

    Favorite, is your system time set correctly for our time zone? If not that could be the problem right there. Security tokens and other security mechanisms, including HTTPS, often rely on an accurate system time. Worth checking at least. Make sure your PC is set to the correct time zone and local time and see if that makes a difference.
    - Chris

    Life is short. Go boating now!
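
An added example, not part of any post in this thread and not vBulletin's code: a minimal sketch of the kind of expiring anti-CSRF form token discussed in posts #1 and #8, showing why a form left open too long is rejected, why a refresh fixes it, and what the IP check speculated about in post #1 would do when the address changes. The secret, the 30-minute lifetime, the token layout and the function names are all assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed; a real site uses a random server-side key
MAX_AGE = 30 * 60                    # assumed lifetime in seconds, not vBulletin's real setting


def _mac(session_id, issued_at, client_ip):
    # The MAC ties the token to one session, one issue time and (optionally) one IP.
    msg = f"{session_id}|{issued_at}|{client_ip}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None, client_ip=""):
    """Token embedded in the form when the page is rendered: '<issued_at>-<mac>'."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}-{_mac(session_id, issued_at, client_ip)}"


def check_token(token, session_id, now=None, client_ip=""):
    """Return 'ok', 'expired' or 'invalid' for the token submitted with a post."""
    # In this sketch both timestamps are taken from the server's clock.
    now = int(time.time() if now is None else now)
    issued_str, _, mac = token.partition("-")
    try:
        issued_at = int(issued_str)
    except ValueError:
        return "invalid"
    expected = _mac(session_id, issued_at, client_ip)
    # Constant-time comparison; a forged or re-bound token fails here.
    if not mac or not hmac.compare_digest(mac.encode(), expected.encode()):
        return "invalid"
    if issued_at > now or now - issued_at > MAX_AGE:
        return "expired"
    return "ok"
```

A token that another site cannot read or guess is what stops a forged cross-site form submission; the expiry only limits how long a leaked token stays useful.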

  9. #9
    Join Date
    Oct 2018
    Location
    lagunitas, ca, usa
    Posts
    632

    Quote Originally Posted by cstevens View Post
    ... the security token issue I was talking about has nothing to do with https. It's designed to prevent what's called a "CSRF" attack. CSRF being "cross-site request forgery", in which the attacker spoofs a user's session to acquire their rights on the server.
    But that's my point. As a user out in the wild and woolly world, I should never have any important rights on the woodenboat server. Read-write to a jail okay but not at root level, for sure.

    Since users can't really do doodly (or should not be able to) then it's an issue of no importance. For a bank, impersonating another customer could be bad. But here ? Who cares ?

    This is like flying an SR-71 to get to SFO. It's not only pointless, it detracts from usability and reliability.

    One may ask "how important could that possibly be to a forum site dedicated to an arcane and somewhat nerdy topic like wooden boats"?
    That's not just a rhetorical question. We can all admit that it would be plain old stoopid to drive an eighteen-wheeler down to the 7-11 for a quart of milk. So why do "developers" insist on the same methods for every single website ? It's retarded. Most websites would be better served - and us users for sure, by a return to Berners-Lee's original, pre-Netcrap, pre-Mickeysoft www. Current websites are generally total crap. You can't find what you want, while they pummel you with stupid advertising garbage that's not anywhere related to why you came there.

    The state of the web ? Garbage.

    [I just bought an airplane ticket, if you want to know why I am so anti-web at the moment. Could they invent a worse torture even if they tried ?]

    I have one thought on the rapid timeout:

    Favorite, is your system time set correctly for our time zone? If not that could be the problem right there. Security tokens and other security mechanisms, including HTTPS, often rely on an accurate system time.
    I bet you are right. And I am not going to change my time zone to suit someone else's convenience. Remember the original goals of the web ? The guy who invented the www ? "Presentation is up to the user." He put a great deal of effort into creating a system that would work on any platform.

    Which the advertising creeps promptly destroyed

    "You need to update your browser !"

    Well, no, not exactly. I can just go away and never use your stupid website again, instead.

    If I sell someone a set of tires that don't fit, do I get to tell him "Oh sorry, some problem with your car, you can buy new wheels tho and it'll work, hrrr hrrr hrrr" ? I mean c'mon. Software is really ____________.

    Jim Clark is an ignorant jerk, as proven by the total fiasco that was his boat

    But a few other places I go to occasionally also on vbportal do not do this, so I am thinking it is not a vbportal issue. It's something that only Woodenboat (at least so far) does.
    Last edited by Favorite; 04-11-2019 at 02:02 PM.

  10. #10
    Join Date
    Apr 2005
    Location
    Hills of Vermont, USA
    Posts
    30,262

    There's no doubt that vBulletin could be configured better here. However - do remember that the IT dept. consists of Scot who also runs the store & it's also a free service.

    As far as the HTTPS rant goes - I don't see the WBF using it. My link to this thread is

    Code:
    http://forum.woodenboat.com/showthread.php?252820-If-you-are-getting-an-expired-token-error-when-responding-to-a-thread&p=5866139#post5866139
    Plain old http.

    However - you may not want to change your time zone & that's fine - but maybe try a test of the forum with the correct zone & time?
    "If it ain't broke, you're not trying." - Red Green
