BUG? CSRF Security Alert with 2 Sales Reports Exports in a Row


Dirty Butter

While testing something I've been working on - I had occasion to run several Sales Reports Exports in a row. The first one works fine, but the second time I click on the Export button, I get the CSRF warning and it sends me back to the Admin Dashboard. This happens not only with the new MailChimp Report Bsmither helped me with, but also with my regular Sales Report export (not quite stock code, but essentially the same).

Could someone check their stock 6.0.12 Sales Report export? I just tried it on the CC Demo store (you have to filter all the way back to 2012 to find an order) - and it also will not allow 2 exports in a row without getting the CSRF warning.

So this looks like a bug.


It is an unfortunate consequence of how the reports are downloaded from CubeCart.

Initiating an External Report download is equivalent to a POST. This will cause CubeCart to move through the wake-up cycle, notice something was POSTed (exactly the same as editing a product and saving some changes), dump the existing Security Token, and generate a new Security Token.

In any other instance, CubeCart then constructs a new web page, installs the new data and new Security Token into that page, and sends it to the browser.

However, for an External Report, the report is what is delivered, not a new web page. Thus, CubeCart has a new Security Token, but the browser still has the obsolete Token in the HTML. POST again with mismatched Tokens, and this is what happens.

I agree it is a bug, but I am not sure how it can be solved. The problem is this: When a browser makes any kind of request, it will accept one and only one response. So, the desired action is to send the report as a downloadable file to the browser, and then also send a new web page. But the browser must be told to fetch it. A web server cannot push a web page to a browser that is not listening for one.

I think not even javascript can be told to have the browser accept two files with only one request.

At least a warning can be placed beneath the External Report buttons, that says "Reload this page after fetching your report."

What I think can be done is to create an interstitial page/link. That would be something like, when clicking on an External Report button, the report is actually saved in the /backup/ folder, and the Export button gets a companion standard file download link(s) under it.

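The token lifecycle described in the reply above, as an added model that is not CubeCart's code: a per-session token is replaced on every accepted POST, an export answers with the file instead of a page (so the fresh token never reaches the browser), and the suggested interstitial variant saves the report server-side and answers with a page that carries the new token. Class and method names are assumed for the illustration.

```python
import secrets


class Server:
    """Toy model of a CubeCart-style admin session: one CSRF token per
    session, rotated after every POST that passes the token check."""

    def __init__(self):
        self.token = secrets.token_hex(8)
        self.saved_reports = []

    def get_page(self):
        # A normal page load embeds the current token in the HTML.
        return {"type": "html", "token": self.token}

    def post(self, token, action, interstitial=False):
        if token != self.token:
            # Mismatch: back to the dashboard page, which carries the
            # current token (assumption: no rotation on a failed check).
            return {"type": "html", "error": "CSRF", "token": self.token}
        self.token = secrets.token_hex(8)  # rotate, as after any POST
        if action == "export" and not interstitial:
            # The report itself is the response: no HTML, so the browser
            # never learns the new token.
            return {"type": "file", "body": b"order,total\n"}
        if action == "export":
            # Interstitial variant: write the report to the backup folder
            # (constructed path) and answer with a page plus download link.
            self.saved_reports.append("backup/sales_report.csv")
            return {"type": "html", "token": self.token,
                    "download": self.saved_reports[-1]}
        return {"type": "html", "token": self.token}


class Browser:
    """Holds whatever token was in the last HTML page it received."""

    def __init__(self, server):
        self.server = server
        self.token = server.get_page()["token"]

    def click_export(self, interstitial=False):
        resp = self.server.post(self.token, "export", interstitial)
        if resp["type"] == "html":
            self.token = resp["token"]  # only HTML responses refresh the token
        return resp


def exports_in_a_row(n, interstitial=False):
    """Outcome of n consecutive Export clicks: 'file', 'html' or 'CSRF'."""
    browser = Browser(Server())
    results = [browser.click_export(interstitial) for _ in range(n)]
    return ["CSRF" if r.get("error") else r["type"] for r in results]
```

Without the interstitial every second click fails, which is exactly the alternating pattern the original post reports; with it the browser always receives a page and therefore a current token.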

Your idea of creating a download link in the backup folder would actually work to my advantage for the MailChimp export you helped me create, as I don't actually need to open the export - only save it to a known location.

Could you tell me what to do to implement this? I would like to use it on the mcreports export.

Hard to say if most people who make use of the Sales Report Export would prefer the Refresh Message or the save to the backup folder method. Either would work for my needs.
