-
Bug
-
Resolution: Fixed
-
Major
-
2.8.6, 2.8.7, 2.9, 2.9.1
-
MOODLE_28_STABLE, MOODLE_29_STABLE
-
MOODLE_28_STABLE, MOODLE_29_STABLE
-
wip-
MDL-50881-master -
A calendar can be included on a page that does not require authentication. For example on the site front page, or a course that is open to the public. These pages can then be indexed by search bots, such as the Google Bot. Such bots do not accept session cookies.
The calendar component contains links to the /calendar/set.php file. This file is used to set a session variable that indicates the users preference for the type of events that they want to see on the calendar. This page calls the require_sesskey() function.
If a site has significant numbers of pages with a Calendar, that is indexed via a bot, a significant numbers of the following error are logged.
Uncaught exception 'moodle_exception' with message 'Incorrect sesskey submitted, form not accepted'
This is because the bot does not accept session cookies, and so the sesskey is invalid.
If a site is using error monitoring / reporting software, the high error rate can cause false positive issues. If nothing else the logs get spammed with error messages.
EXPECTED OUTCOME
No exception is thrown, and no error message is logged, when the /calendar/set.php file is accessed without a valid session key.
ACTUAL OUTCOME
The above exception is throw and an error is output, when the /calendar/set.php file is accessed without a valid session key.