CSRF issue saving admin config #2724
Comments
We rewrote the CSRF protection for 3.2 to avoid these issues. Do you see the CSRF cookies in your browser devtools?
Yes, that's correct. Every form gets its own cookie for the CSRF protection.
Your bug report is the first one about the CSRF issue since the release of 3.2.0 back in September. It's quite hard to debug what happens in your browser. Can you test that on our demo installation? -> https://demo.phpmyfaq.de/
Do you have any feedback for me?
no further feedback -> closed
Describe the bug
I wanted to open a separate issue for this because it goes back all the way to version 2.9 for me. I have been using this software for several years on version 2.9. I couldn't get the admin config to save no matter what I tried. I found this issue below
https://forum.phpmyfaq.de/viewtopic.php?f=3&t=14527
Removing the csrf check was the only thing that got it to work and was saving consistently in my other site running 2.9.
When I dump or try to print out this value
$csrfToken = Filter::filterInput(INPUT_POST, 'csrf', FILTER_SANITIZE_SPECIAL_CHARS);
It's blank or empty. So that's why the if statement won't match in configuration.php around line 34.
But as of the latest phpmyfaq version it still has the same issue.
To Reproduce
Steps to reproduce the behavior:
Go to admin on a fresh install and try to make several changes. Note I have Basic Auth on for the admin URL, but that shouldn't cause any problems. I just don't want random people getting to the admin login page.
Expected behavior
It should save the config each and every time without fail
Screenshots
If applicable, add screenshots to help explain your problem.
phpMyFAQ (please complete the following information):
Desktop (please complete the following information):
Additional context
This has been going on for a very long time, it seems, all the way back to 2012: https://forum.phpmyfaq.de/viewtopic.php?f=3&t=14527
There has to be an issue with the implementation of the CSRF because it's still an issue today. I hate to bring this up again but it's a legit issue. I don't know if it's a specific setup that only has the problem but it's there. I've had the problem with every install.
I only use RHEL distros, e.g. CentOS / Alma / Rocky etc., Postgres and whatever PHP it will work with. So I don't know why I and others have this issue.
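Added example, not part of the original issue and not phpMyFAQ's code: a way to keep the CSRF check in place and record why it failed, separating the "token is blank in POST" case described above from a lost or mismatched stored token. The function name `diagnoseCsrf`, the outcome labels and the sample requests are hypothetical, and the stored token is assumed to be available as an array entry (session or cookie).

```php
<?php
declare(strict_types=1);

// Hypothetical diagnostic helper (assumption, not a phpMyFAQ API).
// $post   : submitted form fields, e.g. $_POST
// $stored : where the server keeps the expected token (session or cookie data)
function diagnoseCsrf(array $post, array $stored, string $field = 'csrf'): string
{
    $submitted = $post[$field] ?? null;
    $expected  = $stored[$field] ?? null;

    if (!is_string($submitted) || $submitted === '') {
        // The case from the report: the field is empty when read from POST.
        // Points toward the form markup or something altering the request body.
        return 'missing-in-post';
    }
    if (!is_string($expected) || $expected === '') {
        // The form sent a token, but nothing was persisted to compare against.
        // Points toward session or cookie handling between render and submit.
        return 'missing-server-side';
    }
    // Constant-time comparison; a mismatch points toward the token being
    // regenerated after the form was rendered.
    return hash_equals($expected, $submitted) ? 'ok' : 'mismatch';
}

// Constructed sample requests, one per outcome.
$token = bin2hex(random_bytes(16));
$cases = [
    'valid submit'       => [['csrf' => $token], ['csrf' => $token]],
    'blank POST field'   => [['csrf' => ''],     ['csrf' => $token]],
    'no POST field'      => [[],                 ['csrf' => $token]],
    'stored token lost'  => [['csrf' => $token], []],
    'token regenerated'  => [['csrf' => $token], ['csrf' => bin2hex(random_bytes(16))]],
];

foreach ($cases as $name => [$post, $stored]) {
    $result = diagnoseCsrf($post, $stored);
    // Log the reason and reject the request unless the result is 'ok'.
    printf("%-18s => %s\n", $name, $result);
}
```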