[Mailman-Users] You gave the wrong password - how to solve this?
Stephen J. Turnbull
stephen at xemacs.org
Wed Nov 26 16:58:24 CET 2014

Ulf Dunkel writes:

> When I try
>
> <http://<mydomain>/mailman/admin/<listname>/members/remove?send_unsub_ack_to_this_batch=1&send_unsub_notifications_to_list_owner=0&unsubscribees_upload=<user_email>>
>
> instead (without the adminpw stuff), I get this funny error on the webpage:
>
> ----- snip -----
> Error: The form lifetime has expired. (request forgery check)
> ----- snap -----

That is odd.

> Is there any chance to proceed with URLs like the one above and using
> the web interface with the need to enter the admin password in the browser?

I would think it would work as you expect. I suspect the problem has
something to do with what is called "cross-site request forgery"
(CSRF). The technique for combatting that requires that you *start*
by entering the appropriate page, which provides a digitally signed
one-time authorization token, which expires after a fairly short
period. You then send the token back when you fill in the form, thus
proving that you've followed the correct procedure. I suspect absence
of a token is being treated the same as an expired token. I hope it's
a bug and can be fixed, but I don't know much about that part.

Hopefully Mark has an answer to this one.
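
A minimal sketch of the kind of signed, expiring form token described in the reply above, added here as an illustration; it is not part of the original post and not Mailman's own code. The names `SECRET`, `LIFETIME`, `issue_token` and `check_token` are hypothetical, the token is time-limited rather than strictly one-time, and the check reports a missing token separately from an expired one so the two cases can produce different error messages.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: a per-site secret key
LIFETIME = 600                       # assumption: token lifetime in seconds


def _mac(issued, user, action):
    """HMAC over the issue time, the user and the form action."""
    msg = f"{issued}:{user}:{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user, action, now=None):
    """Token embedded in the form page: 'issued_time:mac'."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_mac(issued, user, action)}"


def check_token(token, user, action, now=None):
    """Return 'ok', 'missing', 'malformed', 'forged' or 'expired'."""
    if not token:
        # The request did not start from the form page (e.g. a bare URL).
        return "missing"
    issued_s, sep, mac_hex = token.partition(":")
    if not sep or not (issued_s.isascii() and issued_s.isdigit()):
        return "malformed"
    expected = _mac(issued_s, user, action)
    # Compare as bytes in constant time; str input must be ASCII otherwise.
    if not hmac.compare_digest(expected.encode(), mac_hex.encode()):
        return "forged"
    now = time.time() if now is None else now
    if now - int(issued_s) > LIFETIME:
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real list.
    tok = issue_token("listowner", "members/remove", now=1000)
    for label, t, when in [("fresh", tok, 1100), ("stale", tok, 2000),
                           ("no token", None, 1100)]:
        print(label, "->", check_token(t, "listowner", "members/remove", now=when))
```

All non-`ok` results are rejected; only the message shown to the user differs.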