Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-50881

Calendar throws a moodle_exception when accessed by bots

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.8.6, 2.8.7, 2.9, 2.9.1
    • Fix Version/s: 2.8.8, 2.9.2
    • Component/s: Calendar
    • Labels:
    • Testing Instructions:
      Hide
      1. Disable cookies (pretend you are bot)
      2. Click on calendar month on the site home page
      3. Click on "Hide global events"
      4. Make sure there is no exception
      5. Enable cookies
      6. Click on calendar month on the site home page
      7. Click on "Hide global events"
      8. Make sure the eye becomes closed
      Show
      Disable cookies (pretend you are bot) Click on calendar month on the site home page Click on "Hide global events" Make sure there is no exception Enable cookies Click on calendar month on the site home page Click on "Hide global events" Make sure the eye becomes closed
    • Affected Branches:
      MOODLE_28_STABLE, MOODLE_29_STABLE
    • Fixed Branches:
      MOODLE_28_STABLE, MOODLE_29_STABLE
    • Pull Master Branch:
      wip-MDL-50881-master

      Description

      A calendar can be included on a page that does not require authentication. For example on the site front page, or a course that is open to the public. These pages can then be indexed by search bots, such as the Google Bot. Such bots do not accept session cookies.

      The calendar component contains links to the /calendar/set.php file. This file is used to set a session variable that indicates the users preference for the type of events that they want to see on the calendar. This page calls the require_sesskey() function.

      If a site has significant numbers of pages with a Calendar, that is indexed via a bot, a significant numbers of the following error are logged.

      Uncaught exception 'moodle_exception' with message 'Incorrect sesskey submitted, form not accepted'

      This is because the bot does not accept session cookies, and so the sesskey is invalid.

      If a site is using error monitoring / reporting software, the high error rate can cause false positive issues. If nothing else the logs get spammed with error messages.

      EXPECTED OUTCOME

      No exception is thrown, and no error message is logged, when the /calendar/set.php file is accessed without a valid session key.

      ACTUAL OUTCOME

      The above exception is throw and an error is output, when the /calendar/set.php file is accessed without a valid session key.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                14/Sep/15