CSRF caching, multiple pages / destroyed session

Hello all,

I made a submit form on a page, but sometimes it happens that it says "Unable to verify your data submission.". But it never happens when we fill out the form. So I asked the visitors why it happened; it turns out that if you open the same page multiple times this happens, or if you wait long enough that the session expires, it also happens.

What could be a cure to solve this problem? I thought about putting the CSRF token in a session, but I don't think this is what it is supposed to do, since the CSRF token is unique on every page.

I noticed that the HTTP_COOKIE/COOKIE csrf is different from what was submitted:

$_POST = [
    '_csrf' => 'J9Vw7IW8_bQMv6QhIvVLsLF75XkNLQJ2caLNiVK6IooFLZYY4qteFvB4XhMzk8108_lg6STL2ND5cZSWhLK4SA=='
    ...

$_COOKIE = [
    '_csrf' => '3b1a881e46a7f0430839e811b8218f581c550983cc32758e4ab11b277d3aa7caa:2:{i:0;s:5:\"_csrf\";i:1;s:32:\"w@ Ú GBšyÎZƤ<s /œ Ê ­.
²K!$ö ,€\";}'
    ...

$_SERVER = [
    'HTTP_COOKIE' => 'cookieMessage=1; PHPSESSID=...; _language=...; _csrf=3b1a881e46a7f0430839e811b8218f581c550983cc32758e4ab11b277d3aa7caa%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22w%40%90%DA%8FGB%9Ay%CEZ%C6%A4%3Cs%08%2F%9C%9D%CA%08%AD.%0D%B2K%21%24%F6%8F%2C%80%22%3B%7D;
    ...

How is this possible?

If the session expires then it’s expected to fail. Opening multiple pages at once could be a reason too, because the token may get regenerated by another page.

Thank you for answering, what would your suggestion be? Disabling CSRF isn’t the best idea.

It could be another thing. In master we’ve fixed a bug with binary data in CSRF cookies so you can try updating to code from master and see if it helps. Be aware though that master isn’t stable between releases and may contain bugs.
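To make the causes discussed in the two replies above concrete (the same form open in several tabs, a session that has expired, a secret regenerated by another request, and a cookie that should never carry raw binary such as the %0D byte visible in the HTTP_COOKIE header), here is a small added example. It is illustration code written for this thread, not Yii's implementation; the function names, the 32-byte secret length and the scenario values are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not Yii's code: one CSRF secret per session, a fresh
// random mask per rendered page. Function names, secret length and scenario
// values are this example's own assumptions.

const CSRF_SECRET_BYTES = 32; // assumed length

// URL-safe base64 without padding: every character is cookie- and form-safe,
// so no raw binary ever reaches the Set-Cookie header or the HTML.
function b64urlEncode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64urlDecode(string $encoded): ?string
{
    $padded = strtr($encoded, '-_', '+/') . str_repeat('=', (4 - strlen($encoded) % 4) % 4);
    $raw = base64_decode($padded, true);
    return $raw === false ? null : $raw;
}

// Created once when the session starts and stored there (or in a cookie);
// it is the only value the server has to remember.
function newCsrfSecret(): string
{
    return b64urlEncode(random_bytes(CSRF_SECRET_BYTES));
}

// Each page render gets its own token: secret XOR random mask, with the mask
// prepended so the server can undo it. Tokens therefore differ per page while
// all of them verify against the same stored secret.
function maskCsrfToken(string $secret): string
{
    $raw = b64urlDecode($secret);
    if ($raw === null || $raw === '') {
        throw new InvalidArgumentException('secret is not valid base64url');
    }
    $mask = random_bytes(strlen($raw));
    return b64urlEncode($mask . ($raw ^ $mask));
}

// Validation: unmask the submitted token and compare it with the stored secret
// in constant time. Missing or undecodable input fails closed.
function validateCsrfToken(?string $submitted, ?string $secret): bool
{
    if ($submitted === null || $secret === null) {
        return false;
    }
    $raw   = b64urlDecode($secret);
    $token = b64urlDecode($submitted);
    if ($raw === null || $token === null) {
        return false;
    }
    $n = strlen($raw);
    if ($n === 0 || strlen($token) !== 2 * $n) {
        return false;
    }
    $unmasked = substr($token, $n) ^ substr($token, 0, $n);
    return hash_equals($raw, $unmasked);
}

// Scenario 1: one session, the form rendered in two tabs. The tokens differ,
// yet both validate, because the secret behind them is the same.
$secret    = newCsrfSecret();
$tokenTab1 = maskCsrfToken($secret);
$tokenTab2 = maskCsrfToken($secret);
printf("tab1 != tab2: %s\n", var_export($tokenTab1 !== $tokenTab2, true));
printf("tab1 valid:   %s\n", var_export(validateCsrfToken($tokenTab1, $secret), true));
printf("tab2 valid:   %s\n", var_export(validateCsrfToken($tokenTab2, $secret), true));

// Scenario 2: the session expired or was destroyed, so the secret is gone and
// every token still sitting in an open form is rejected.
printf("after expiry: %s\n", var_export(validateCsrfToken($tokenTab1, null), true));

// Scenario 3: another request regenerated the secret; forms rendered under the
// old secret are rejected as well (the second cause suggested above).
$regenerated = newCsrfSecret();
printf("after regen:  %s\n", var_export(validateCsrfToken($tokenTab1, $regenerated), true));
```

Run it with the `php` command-line binary; each line reports one boolean per scenario. The point for the thread is that per-page uniqueness of the token and a stable per-session secret are not in conflict: as long as the secret is not regenerated between rendering the form and submitting it, any number of open copies of the page validate, and the failure only appears when the secret disappears (expiry) or is replaced (regeneration).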

Thank you, I'll put it live when there is a new release (it only happens on the live version).

At this moment we are running 2.0.12 live.