In the case of an expired nonce, return a 400 status code instead of a 500.

500 status codes are for unexpected server-side error scenarios. When an expired nonce is used by the client, a 4XX-level error is more appropriate because the client has submitted a bad request (by using an expired nonce). A 500 also causes Internet Explorer to show its default 500 page which does not show the error message and leads to a bad end user experience. I am choosing 400 for the new status rather than 401 or 403 because 401 requires a WWW-Authenticate header which would be difficult to generate in an SSO scenario and a 403 implies that no re-authentication will address the failure.
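The status-code reasoning in the message above, worked through as an added example (this is illustrative code, not the commit's change or Discourse's own `DiscourseSingleSignOn` implementation). It keeps an in-memory, single-use nonce store with a TTL and maps each validation outcome to the HTTP status a login endpoint should send: every failure is the client's problem, so it is a 4xx, and a plain 400 avoids the `WWW-Authenticate` requirement of 401 and the "re-authenticating will not help" implication of 403. The store, its `NONCE_TTL`, the injectable clock and the `sso.nonce_*` message keys are assumptions made for the example.

```ruby
require 'securerandom'

# Constructed, in-memory stand-in for an SSO nonce store (assumption: the real
# implementation uses a different backing store; this is not its code).
class SsoNonceStore
  NONCE_TTL = 600 # seconds; assumed value, not taken from the page

  Issued = Struct.new(:expires_at, :consumed)

  # The clock is injectable so expiry can be exercised deterministically.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @nonces = {}
  end

  # Issue a fresh, unpredictable, single-use nonce for an outgoing SSO request.
  def issue
    nonce = SecureRandom.hex(16)
    @nonces[nonce] = Issued.new(@clock.call + NONCE_TTL, false)
    nonce
  end

  # Validate and consume a nonce returned by the SSO provider.
  # Returns one of :ok, :unknown, :replayed, :expired. A nonce is consumed
  # exactly once, so a second presentation is a replay even if still in TTL.
  def consume(nonce)
    entry = @nonces[nonce]
    return :unknown  if entry.nil?
    return :replayed if entry.consumed
    return :expired  if @clock.call > entry.expires_at
    entry.consumed = true
    :ok
  end
end

# Map a nonce outcome to [status, message key] for the login endpoint.
# Nothing here is a server fault, so none of the failures is a 500; 400 is
# used rather than 401 (needs WWW-Authenticate) or 403 (implies re-auth
# cannot fix it). The sso.nonce_* keys are assumed, not real Discourse keys.
def sso_response_for(outcome)
  case outcome
  when :ok       then [200, "sso.login_ok"]
  when :expired  then [400, "sso.timeout_expired"]
  when :replayed then [400, "sso.nonce_reused"]
  when :unknown  then [400, "sso.nonce_unknown"]
  else                [500, "sso.unexpected_error"] # genuinely unexpected
  end
end

if __FILE__ == $PROGRAM_NAME
  store = SsoNonceStore.new
  n = store.issue
  puts sso_response_for(store.consume(n)).inspect   # first use succeeds
  puts sso_response_for(store.consume(n)).inspect   # replay is rejected
end
```

Distinguishing `:replayed` and `:unknown` from `:expired` matters for the message the user sees: a single "timeout expired" text is misleading when the nonce was actually reused, and a separate outcome is also what you would want to alert on as a possible replay attempt.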
Andrew Huling 2015-05-13 11:26:07 -04:00
parent 4451c8802a
commit e1d2ecef10

@ -57,7 +57,7 @@ class SessionController < ApplicationController
sso = DiscourseSingleSignOn.parse(request.query_string)
if !sso.nonce_valid?
return render(text: I18n.t("sso.timeout_expired"), status: 500)
return render(text: I18n.t("sso.timeout_expired"), status: 400)
end
if ScreenedIpAddress.should_block?(request.remote_ip)
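Review bot: the status change is right, but the message returned with it can be misleading, because the check is `!sso.nonce_valid?`, which by its name fails for any invalid nonce (unknown or already consumed as well as expired), while the response body is always `I18n.t("sso.timeout_expired")`. Either have the check distinguish expiry from the other failure cases so the text matches, or use a more general message key for the generic invalid-nonce case. Two smaller points on the same hunk: the nonce check still runs before `ScreenedIpAddress.should_block?(request.remote_ip)`, so a screened IP gets the nonce result back before it is blocked; consider moving the IP check above it. And `render(text: ...)` is deprecated in favour of `render(plain: ...)` from Rails 5.0, so this line will need touching again if the app is upgraded.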