Defect #7651

'Invalid form authenticity token' when updating issue causes dataloss

Added by sam marshall over 11 years ago. Updated over 6 years ago.

Status:NewStart date:2011-02-18
Priority:NormalDue date:
Assignee:-% Done:


Target version:-
Resolution: Affected version:


When updating an issue to add a comment, if your session is no longer valid, you receive the error:

'Invalid form authenticity token.'

While this part is correct behaviour, it causes dataloss because:

a) The page with the error does not contain the text of the comment you submitted.
b) At least in Firefox 3.6, the Back button returns to the issue you were updating, but without the text.

I don't operate the redmine server in question, but I verified that this still occurs on, so it is a current issue.

To reproduce:

0. Use the Firefox browser with web developer extension (or any other browser with similar features)

1. Go to an issue
2. Click Update
3. Type some text into a comment
4. In the web developer toolbar, choose Cookies / Clear Session Cookies
5. Submit the comment
6. Error page appears

Actual behaviour:

Error page does not contain text you entered in #3. If you click the Back button, you are returned to the form but without your text.

Expected behaviour:

Error page should additionally contain the text of the comment you entered. Or, alternatively, the Back button should take you to the update page that includes your text.


1) Clearing session cookies is fairly common behaviour when testing web applications. While it's obvious that doing this will break a Redmine session (i.e. you shouldn't do it), Redmine doesn't have to add injury to insult by causing annoying dataloss as a result.

2) Other form data is probably lost too but who cares - it's the potentially page-long comment that can be really annoying.

3) I haven't verified what happens with other update form errors such as simultaneous edit. If the same thing happens there, then those could benefit from being fixed, too.


#1 Updated by Alberto Fanjul Alonso over 6 years ago

Any progress on this? It's really annoying to lose comments or modifications. Why not just stop redirection if there's no authenticity token. That easily solve the problem

Also available in: Atom PDF