On Fri, May 31, 2019 at 9:12 AM Theron Luhn <the...@luhn.com> wrote:
>
> > But what should I say? If it's not a real human then I can just return
> an Internal Server Error, but if it's a person suffering a
> malfunctioning server or network then i want to give a polite message.
> and what would be the right thing to say?
>
> This is a good question.
>
> State mismatch happens more often than I intuitively expected, so you should 
> handle it gracefully.

That's what I'm concerned about because I don't know enough about what
might cause it and who's to blame (hackers, malfunctioning server,
user mistake, sunspots).

When I implemented a CSRF token on the existing login page
(authenticating via LDAP or a local db), users started complaining
about getting Pyramid's default CSRF error and not understanding it
and thinking the site was broken. The problem turned out to be that
the session timeout was 30 minutes (redis.sessions.timeout = 1800) but
users were leaving it at the login page longer than that. Apparently
they open it in the morning or in a tab and then come back sometime
later to log in. So I changed the implementation to treat that as an
invalid form submission, so it reloads the page with the form and an
error message, "Login attempt timed out. Please try again."

This OAuth situation is more confusing because the user didn't cause
the error and has no control over it: it's an internal problem between
my server and the oauth server before the user is even involved.

There are other similar situations such as the LDAP server timing out
or giving an unrecognized response, so I have error messages for
those, and also a novel one. Our LDAP servers sometimes do a socket
reset (hangup) immediately on connection; it happens in bursts for
five minutes or so and then fixes itself. So I catch that and say,
"Authentication server error. Please wait a few minutes and try
again."

> I give an error message along the lines of “Something went wrong when signing 
> in, please try again” and then a link which starts the whole OAuth flow over 
> again.

I'll probably treat it as an unexpected response like above.

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pylons-discuss/CAH9f%3DuonCAvYRcObu-tYg00NxoOv7d4_sX4PKxaabw4kc9rccQ%40mail.gmail.com.
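The two situations discussed in this thread, a CSRF token that fails only because the session aged out, and an OAuth `state` mismatch on the callback, both come down to the same decision: classify the failure before choosing the message. The following is an added example, not code from the post, from Pyramid, or from pylons-discuss. It uses a plain dict as a stand-in for the Redis-backed session (the 1800-second timeout matches the `redis.sessions.timeout = 1800` mentioned above), a hypothetical `authenticate` callable for the LDAP/local-db check, and an assumed `/login/oauth/start` URL for the "start over" link; none of those names exist in the project.

```python
import hmc if False else None  # placeholder removed below
```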