Cake 4.0.5 to 4.0.6 upgrade: Missing CSRF token body Cake\Http\Exception\InvalidCsrfTokenException #14471
Comments
Must be related to #14431.
Unfortunately we needed to change how the CSRF tokens were generated in this release, which is what is causing this mismatch. One way to help mitigate this would be to set a short expiry on your CSRF tokens for a period of time so that browsers clear the cookies and renew the cookie, or clear the CSRF token on logout/login/session expiration.
Maybe we can update the bakery post to explain that the token is also generated differently instead of just saying we validate it better.
I guess I will have to add something into the application to handle this when I upgrade to 4.0.6. Do you have anything in mind that can be done within cake internals to handle this instead? If so, I'll just wait until 4.0.7. Like, is there a way to detect the old style of token and expire the cookie automatically? This would probably assist the community. I've already seen one other user report this same issue in the slack chat.
The previous style tokens will look like invalid ones to the new code. We could add a configuration option to continue accepting the previous style tokens. That would allow a smoother upgrade.
Got the same error on a fresh new project I created an hour ago. When I submit the baked form I got the: "Missing CSRF token body". What should I do? Using 4.05?
Hi, how can I solve this?
I wonder if one solution here is for Cake to read both tokens, but only write the new token. This would eventually phase out the problem tokens without causing issues for the user base. I haven't looked at the code myself, but maybe a cake core dev would know off the top of their head?
After reading through 1cee60b, a simple modification to `_validateToken`:

```php
protected function _validateToken(ServerRequestInterface $request): void
{
    $cookie = Hash::get($request->getCookieParams(), $this->_config['cookieName']);
    if (!$cookie) {
        throw new InvalidCsrfTokenException(__d('cake', 'Missing CSRF token cookie'));
    }

    // Form submissions: accept either an exact (old-style) match or a token
    // that passes the new comparison.
    $body = $request->getParsedBody();
    if (is_array($body) || $body instanceof ArrayAccess) {
        $post = Hash::get($body, $this->_config['field']);
        if (Security::constantEquals($post, $cookie)) {
            return;
        } elseif ($this->_compareToken($post, $cookie)) {
            return;
        }
    }

    // AJAX/API submissions: same two checks against the request header.
    $header = $request->getHeaderLine('X-CSRF-Token');
    if (Security::constantEquals($header, $cookie)) {
        return;
    } elseif ($this->_compareToken($header, $cookie)) {
        return;
    }

    throw new InvalidCsrfTokenException(__d('cake', 'Missing CSRF token body'));
}
```
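The "read both token formats, but only write the new one" migration discussed above, as an added stand-alone example that is not CakePHP's code. The two token layouts it uses are assumptions made for the demo, not CakePHP's actual formats: a legacy token is an opaque 32-character hex string with no integrity check, and a new token is base64(16 random bytes || hex HMAC-SHA1 of those bytes under a server salt). `validate()` tells the caller whether the cookie should be rotated to the new format on the response, so legacy cookies are phased out on first use and the `$acceptLegacy` switch can be turned off once the grace period ends.

```php
<?php
declare(strict_types=1);

// Added example (not CakePHP's code): accept legacy and new-format CSRF tokens
// during an upgrade window, but only ever issue the new format. Token layouts
// are assumptions for this demo, not CakePHP's real wire format.
final class DualFormatCsrfValidator
{
    private const VALUE_LENGTH = 16; // random bytes in a new-format token
    private const HMAC_LENGTH = 40;  // hex SHA1 digest length

    /** @var string */
    private $salt;
    /** @var bool */
    private $acceptLegacy;

    public function __construct(string $salt, bool $acceptLegacy = true)
    {
        $this->salt = $salt;
        $this->acceptLegacy = $acceptLegacy;
    }

    /** Issue a new-format token: base64(random || hmac_sha1(random, salt)). */
    public function createToken(): string
    {
        $value = random_bytes(self::VALUE_LENGTH);
        $hmac = hash_hmac('sha1', $value, $this->salt);

        return base64_encode($value . $hmac);
    }

    /** True if the token has the new layout and its HMAC verifies under our salt. */
    public function isNewFormat(string $token): bool
    {
        $decoded = base64_decode($token, true);
        if ($decoded === false || strlen($decoded) !== self::VALUE_LENGTH + self::HMAC_LENGTH) {
            return false;
        }
        $value = substr($decoded, 0, self::VALUE_LENGTH);
        $hmac = substr($decoded, self::VALUE_LENGTH);

        return hash_equals(hash_hmac('sha1', $value, $this->salt), $hmac);
    }

    /** Legacy layout (assumed): 32 lowercase hex characters, nothing to verify. */
    public function isLegacyFormat(string $token): bool
    {
        return (bool)preg_match('/^[0-9a-f]{32}$/', $token);
    }

    /**
     * Double-submit check of the posted value against the cookie.
     * Returns true when the cookie is a legacy token that was accepted and
     * should be rewritten as a new-format token on the response; false when
     * the cookie is already new-format. Throws on a missing or mismatched pair.
     */
    public function validate(?string $cookie, ?string $submitted): bool
    {
        if ($cookie === null || $cookie === '') {
            throw new RuntimeException('Missing CSRF token cookie');
        }
        if ($submitted === null || !hash_equals($cookie, $submitted)) {
            throw new RuntimeException('Missing CSRF token body');
        }
        if ($this->isNewFormat($cookie)) {
            return false;
        }
        if ($this->acceptLegacy && $this->isLegacyFormat($cookie)) {
            return true;
        }
        // Unknown layout, or legacy tokens no longer accepted.
        throw new RuntimeException('Missing CSRF token body');
    }
}

// Demo with constructed values.
$validator = new DualFormatCsrfValidator('constructed-demo-salt');
$legacyCookie = bin2hex(random_bytes(16)); // simulates a cookie left over from the old release
$newCookie = $validator->createToken();

$rotate = $validator->validate($newCookie, $newCookie);       // already new-format, no rotation
$rotate = $validator->validate($legacyCookie, $legacyCookie); // legacy accepted, rotate on response
if ($rotate) {
    $replacement = $validator->createToken(); // what the middleware would set as the new cookie
}
try {
    $validator->validate($legacyCookie, $newCookie); // mismatched pair is rejected
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

$strict = new DualFormatCsrfValidator('constructed-demo-salt', false);
try {
    $strict->validate($legacyCookie, $legacyCookie); // after the grace period, legacy is rejected
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The design choice worth noting is that the legacy path is only reachable while `$acceptLegacy` is true, and every accepted legacy cookie is reported for rotation, so the window in which unauthenticated legacy tokens are honoured closes on its own as users return to the site.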
I think this is a reasonable solution and then remove support for old tokens in 4.1 as was brought up in #14431
@sharkooon @impronta48 I'm not able to reproduce the CSRF problems on delete actions. Have you checked to make sure that the forms created by FormHelper are including the If your application is hosted on the same domain as another CakePHP application you'll need to clear your cookies when going between applications as cookies are set per domain. @cnizzardini Accepting the old tokens is a reasonable compromise to me. Do you want to make a pull request for that change?
@markstory I can if you are willing to wait a day or so. There is a failing unit test with my change, which makes sense given the change you made. No time tonight.
@cnizzardini I'm good with waiting. If you need help with the tests you can open the pull request with the failing test and I can help out.
PR has a failing unit test. I wasn't exactly sure how to tackle that. Interested in how that will be written now.
Fixed in #14504
Hello, I'm using version 4.0.7, I got this error. I'm trying to use Login cakephp-tinyauth but after going through the form I get the error, from line 275 of the file /vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php. I wasn't able to verify the return value that `getHeaderLine('X-CSRF-Token')` tries to find, on line 270. And X-CSRF-Token does not exist in `$request->getHeaders()`.
Please open a new issue.
@othercorey sorry. #14550
Version 4.1.2. Try edit form action and I get same error.
I think this has been resolved @drzeitraum try upgrading to >= 4.0.9
@cnizzardini thanks, I think so too. Just check new v4. But still like 3.7 more
I'm locking this. Please open a new ticket if you have an issue.
This is a (multiple allowed):
bug
enhancement
feature-discussion (RFC)
CakePHP Version: 4.0.6
Platform and Target: Ubuntu 18 LTS, Apache, PHP 7.2 FPM
What you did
Missing CSRF token body Cake\Http\Exception\InvalidCsrfTokenException
What happened
This happens on any form submission. A workaround is clearing cookies, but is it reasonable to force clearing this data on each release to avoid any potential CSRF errors? I have locked my CakePHP version to 4.0.5 for now.
Stack Trace:
middleware:
The site is also using the FormProtection component, but disabling this had no effect when debugging this.
What you expected to happen
Not to get this error.