400 Bad Request (AuthSecurityException) on login form, latest development branch #818
Comments
This is a Chrome-related issue: the browser was making an additional request every time you post data without using 'https'. It worked well using a new Chrome user profile.
I am experiencing it exactly the same in FF as well, using HTTPS on Also discovered something related to Debug mode / DebugKit... Adding this (or some variation) to the default
Or conditionally added with That prevents the debug toolbar from showing the login. I suspected that's what causes it, but it doesn't seem to have an effect.
But I experience the issue with and without Debug enabled in I tried it on another Chrome profile as well -- not a new one, but one that hadn't visited the URL before. Also Incognito mode, of course... I get the error every time.
I checked the nginx logs and it was sending two requests on submitting the form, one GET and one POST request. Also, this happens for any page with a form; I tested without the plugin and got the same results. You could also test using nginx and check the access log.
Ah thanks, I'll check those logs... That said, sounds like a potential issue with Cake!
@groovenectar I did some checks yesterday too, but I was not able to reproduce the issue. Could you please zip & share the project (if it's a test app) and I'll use exactly your configured docker environment here to reproduce the issue? Thanks,
Sure thing @steinkel, I'll look for you in the channel and send an encrypted zip.
@rochamarcelo Here are my Nginx access logs when I go to login using FF (I do get the Bad Request):
And in Chrome:
The only difference with Chrome is that it reloads the CSS on the error page... This is with debug mode off.
Same here: CakePHP 3.8.
For CakePHP 3.8 I suggest you use any 8.x version of the users plugin, and the 9.x version for CakePHP 4.
A video of the issue: https://i.vgy.me/nn2al7.mp4
Fresh install of Cake 3.8, and using the documentation from the develop branch
The error seems to come from `vendor/cakephp/cakephp/src/Controller/Component/SecurityComponent.php` in the `_validatePost()` method:

The `hash_equals` check is always returning false.

Even if I edit the `login.ctp` and add:

It still happens. It appears that the user is logged in, but it doesn't POST properly.

In `./vendor/cakedc/users/src/Controller/AppController.php`, if I comment out this line:

```php
//$this->loadComponent('Security');
```

There is no error, but I'm trying to figure out why the default configuration breaks with the Security Component enabled...
Edit: I also tried downgrading to Cake 3.7, with the same result...
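
A simplified model of the kind of check `_validatePost()` ends in, as an added example that is not part of the original issue and is not CakePHP's source. It assumes the form token is an HMAC over the request URL, the field list, the unlocked fields and the session id, and shows which differences between rendering the form and submitting it make `hash_equals` return false; the function names, paths and values are constructed.

```php
<?php
// Added example: simplified model of a form-tampering token, not CakePHP's code.
// Assumption: token = HMAC(salt, url + serialized fields + unlocked fields + session id).

function formToken(string $url, array $fields, array $unlocked, string $sessionId, string $salt): string
{
    // Sort so the token does not depend on the order fields were rendered in.
    sort($fields);
    sort($unlocked);
    $parts = [$url, serialize($fields), implode('|', $unlocked), $sessionId];

    return hash_hmac('sha1', implode('', $parts), $salt);
}

// Re-derive the token from the incoming POST and compare it in constant time.
function validatePost(string $submitted, string $url, array $fields, array $unlocked, string $sessionId, string $salt): bool
{
    $expected = formToken($url, $fields, $unlocked, $sessionId, $salt);

    return hash_equals($expected, $submitted);
}

// Constructed sample values: the token issued when the login form was rendered.
$salt   = 'constructed-salt-for-illustration';
$fields = ['email', 'password'];
$issued = formToken('/login', $fields, [], 'sess-A', $salt);

// Each case re-validates the same issued token against a slightly different POST.
$cases = [
    'same url, fields and session'   => ['/login', $fields, [], 'sess-A'],
    'session id changed before POST' => ['/login', $fields, [], 'sess-B'],
    'field added after rendering'    => ['/login', ['email', 'password', 'remember_me'], [], 'sess-A'],
    'POST sent to a different URL'   => ['/users/login', $fields, [], 'sess-A'],
];

foreach ($cases as $label => [$url, $postedFields, $unlocked, $sessionId]) {
    $ok = validatePost($issued, $url, $postedFields, $unlocked, $sessionId, $salt);
    printf("%-32s %s\n", $label, $ok ? 'accepted' : 'rejected (400 Bad Request)');
}
```

Only the first case is accepted; when debugging a mismatch like this, logging each input to the hash at render time and at submit time shows which one differs.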