Purging trash give me "This page request could not be verified and appears to have expired" in sidebar

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Purging trash give me "This page request could not be verified and appears to have expired" in sidebar

Ian Evans
Hi there,

Here's what happens: I delete a few messages then click on the purge link
in the menu sidebar. The sidebar menu frame disappears and is replaced with
a message saying "This page request could not be verified and appears to
have expired" and a link to go to the login page.

Returning to squirrelmail after a few yrs but never saw this message in
previous installations.

Running SquirrelMail version 1.4.23-SVN
Plugins:
    1. view_as_html
    2. compatibility
    3. auto_cc
    4. spam_buttons

PHP version PHP 5.5.3
Latest versions of nginx, dovecot and postfix

Thanks.
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
Reply | Threaded
Open this post in threaded view
|

Re: Purging trash give me "This page request could not be verified and appears to have expired" in sidebar

Paul Lesniewski
On Thu, Apr 17, 2014 at 10:53 AM, Ian Evans <[hidden email]> wrote:
> Hi there,
>
> Here's what happens: I delete a few messages then click on the purge link
> in the menu sidebar. The sidebar menu frame disappears and is replaced with
> a message saying "This page request could not be verified and appears to
> have expired" and a link to go to the login page.

Do you have the folder list set to refresh itself?  Sounds like you
might not and the security token in that page has expired.

> Returning to squirrelmail after a few yrs but never saw this message in
> previous installations.
>
> Running SquirrelMail version 1.4.23-SVN
> Plugins:
>     1. view_as_html
>     2. compatibility
>     3. auto_cc
>     4. spam_buttons
>
> PHP version PHP 5.5.3
> Latest versions of nginx, dovecot and postfix

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
Reply | Threaded
Open this post in threaded view
|

Re: Purging trash give me "This page request could not be verified and appears to have expired" in sidebar

Ian Evans
On Wed, Apr 23, 2014 at 6:14 PM, Paul Lesniewski <[hidden email]>wrote:

> On Thu, Apr 17, 2014 at 10:53 AM, Ian Evans <[hidden email]> wrote:
> > Hi there,
> >
> > Here's what happens: I delete a few messages then click on the purge link
> > in the menu sidebar. The sidebar menu frame disappears and is replaced
> with
> > a message saying "This page request could not be verified and appears to
> > have expired" and a link to go to the login page.
>
> Do you have the folder list set to refresh itself?  Sounds like you
> might not and the security token in that page has expired.
>

Ran squirrelmail-configure but then realized it was maybe a personal
option. Anyway...it's set for 10 minutes. I'll make it shorter and see if
it helps.

Thanks.
------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
Reply | Threaded
Open this post in threaded view
|

Re: Purging trash give me "This page request could not be verified and appears to have expired" in sidebar

Ian Evans
In reply to this post by Paul Lesniewski
On Wed, Apr 23, 2014 at 6:14 PM, Paul Lesniewski <[hidden email]>wrote:

> On Thu, Apr 17, 2014 at 10:53 AM, Ian Evans <[hidden email]> wrote:
> > Hi there,
> >
> > Here's what happens: I delete a few messages then click on the purge link
> > in the menu sidebar. The sidebar menu frame disappears and is replaced
> with
> > a message saying "This page request could not be verified and appears to
> > have expired" and a link to go to the login page.
>
> Do you have the folder list set to refresh itself?  Sounds like you
> might not and the security token in that page has expired.
>
>
>
Just to update you. The folder refresh was at 10 minutes. I took it down to
1 minute, but I'm still seeing the security token message.

Thanks.
------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
Reply | Threaded
Open this post in threaded view
|

Re: Purging trash give me "This page request could not be verified and appears to have expired" in sidebar

Paul Lesniewski
On Fri, Apr 25, 2014 at 5:03 PM, Ian Evans <[hidden email]> wrote:

> On Wed, Apr 23, 2014 at 6:14 PM, Paul Lesniewski <[hidden email]>
> wrote:
>>
>> On Thu, Apr 17, 2014 at 10:53 AM, Ian Evans <[hidden email]> wrote:
>> > Hi there,
>> >
>> > Here's what happens: I delete a few messages then click on the purge
>> > link
>> > in the menu sidebar. The sidebar menu frame disappears and is replaced
>> > with
>> > a message saying "This page request could not be verified and appears to
>> > have expired" and a link to go to the login page.
>>
>> Do you have the folder list set to refresh itself?  Sounds like you
>> might not and the security token in that page has expired.
>
> Just to update you. The folder refresh was at 10 minutes. I took it down to
> 1 minute, but I'm still seeing the security token message.

How recent was your download?  Did you apply any patches, etc?  Does
it work if you disable security tokens (not recommended as a long term
solution)?  Do other actions succeed (all form submits, such as
preference pages and message composition should send a security
token)?  Please try without any plugins activated.

What is the full link target URL for the purge trash link?  If the
problem persists and especially if only this link is causing the
problem, you'll probably have to do some sleuthing on your system,
since I don't think anyone has ever seen this before.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
Reply | Threaded
Open this post in threaded view
|

Re: Purging trash give me "This page request could not be verified and appears to have expired" in sidebar

Ian Evans
On Sat, Apr 26, 2014 at 2:03 AM, Paul Lesniewski <[hidden email]>wrote:

> On Fri, Apr 25, 2014 at 5:03 PM, Ian Evans <[hidden email]> wrote:
> > On Wed, Apr 23, 2014 at 6:14 PM, Paul Lesniewski <[hidden email]>
> > wrote:
> >>
> >> On Thu, Apr 17, 2014 at 10:53 AM, Ian Evans <[hidden email]>
> wrote:
> >> > Hi there,
> >> >
> >> > Here's what happens: I delete a few messages then click on the purge
> >> > link
> >> > in the menu sidebar. The sidebar menu frame disappears and is replaced
> >> > with
> >> > a message saying "This page request could not be verified and appears
> to
> >> > have expired" and a link to go to the login page.
> >>
> >> Do you have the folder list set to refresh itself?  Sounds like you
> >> might not and the security token in that page has expired.
> >
> > Just to update you. The folder refresh was at 10 minutes. I took it down
> to
> > 1 minute, but I'm still seeing the security token message.
>
> How recent was your download?  Did you apply any patches, etc?  Does
> it work if you disable security tokens (not recommended as a long term
> solution)?  Do other actions succeed (all form submits, such as
> preference pages and message composition should send a security
> token)?  Please try without any plugins activated.
>
> What is the full link target URL for the purge trash link?  If the
> problem persists and especially if only this link is causing the
> problem, you'll probably have to do some sleuthing on your system,
> since I don't think anyone has ever seen this before.
>
>
>
I dlownloaded it a couple of weeks ago. No patches.

Where do I change security tokens? In squirrelmail-configure? And is it
much of an issue disabling it if there's only two of us in the company?

The trash purge link is
https://www.example.com/squirrelmail/src/empty_trash.php?smtoken=cgbvXEN66stI

Obviously not example.com :-)
------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
Reply | Threaded
Open this post in threaded view
|

Re: Purging trash give me "This page request could not be verified and appears to have expired" in sidebar

Paul Lesniewski
"

On Sat, Apr 26, 2014 at 4:25 AM, Ian Evans <[hidden email]> wrote:

> On Sat, Apr 26, 2014 at 2:03 AM, Paul Lesniewski <[hidden email]>
> wrote:
>>
>> On Fri, Apr 25, 2014 at 5:03 PM, Ian Evans <[hidden email]> wrote:
>> > On Wed, Apr 23, 2014 at 6:14 PM, Paul Lesniewski <[hidden email]>
>> > wrote:
>> >>
>> >> On Thu, Apr 17, 2014 at 10:53 AM, Ian Evans <[hidden email]>
>> >> wrote:
>> >> > Hi there,
>> >> >
>> >> > Here's what happens: I delete a few messages then click on the purge
>> >> > link
>> >> > in the menu sidebar. The sidebar menu frame disappears and is
>> >> > replaced
>> >> > with
>> >> > a message saying "This page request could not be verified and appears
>> >> > to
>> >> > have expired" and a link to go to the login page.
>> >>
>> >> Do you have the folder list set to refresh itself?  Sounds like you
>> >> might not and the security token in that page has expired.
>> >
>> > Just to update you. The folder refresh was at 10 minutes. I took it down
>> > to
>> > 1 minute, but I'm still seeing the security token message.
>>
>> How recent was your download?  Did you apply any patches, etc?  Does
>> it work if you disable security tokens (not recommended as a long term
>> solution)?  Do other actions succeed (all form submits, such as
>> preference pages and message composition should send a security
>> token)?  Please try without any plugins activated.
>>
>> What is the full link target URL for the purge trash link?  If the
>> problem persists and especially if only this link is causing the
>> problem, you'll probably have to do some sleuthing on your system,
>> since I don't think anyone has ever seen this before.
>
> I dlownloaded it a couple of weeks ago. No patches.
>
> Where do I change security tokens? In squirrelmail-configure?

Yes ("Disable secure forms")

> And is it much
> of an issue disabling it if there's only two of us in the company?

Number of people is not very relevant (although the savvy of said
users might be).  It makes your installation vulnerable to CSRF
attacks.  You might at least try enabling referrer checks if you do
this.

> The trash purge link is
> https://www.example.com/squirrelmail/src/empty_trash.php?smtoken=cgbvXEN66stI

Looks fine.  Is the problem reproducible - can you log out, log back
in, click on purge and get the error?  Is the date/time/time zone set
correctly on the server?

You can look at what PHP thinks is the current time and the tokens
SquirrelMail has in memory by going into functions/strings.php, on
about line 1441, you should see:

   $tokens = sm_get_user_security_tokens(FALSE);

After that line, add this:

sm_print_r('Current Time: ' . time(), $tokens);

You can just compare the numbers themselves, but if you want to
convert them into dates, you can use one of many sites such as
epochconverter [dot] com


--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
Reply | Threaded
Open this post in threaded view
|

Re: Purging trash give me "This page request could not be verified and appears to have expired" in sidebar

trentlacoye
This post has NOT been accepted by the mailing list yet.
In reply to this post by Ian Evans
This is a race condition with the tokens array.  When there is trash to purge, both frames are generating new tokens at the same time and one ends up overwriting the other in the database, usually the message list frame wins. As a result the token that the folder list frame generated doesn't make it to the database, and the 'purge' link ends up being invalid and showing the message that you quoted in this subject. I've tried different things to get around this but still make the tokens work, but haven't found a viable solution yet. I've tried $do_not_use_single_token = TRUE but that doesn't fix it. I've even tried delaying the draw of the folder list frame and that helps a lot but still doesn't work 100% of the time.