CSRF error on login #722
It looks like the CSRF token gets cleared before the login controller loads, not sure why yet.
Weirdly I can't reproduce this anymore. Closing it unless I see it again.
Received this error on 2.6.1 for the HHI SIM. It should be reopened.
The error: http://dl.dropbox.com/u/34693557/Screenshots/9n.png It is on the latest version.
Details:
Notes: One other person on the sim also received the same error.
Actions:
More details. Reset password won't work. I can't actually login with the account I created. There is a message in the bottom left hand screen with 'javascript:toogle ('sign script'); Loop.
The deployment: http://hsi2012.standbytaskforce.com
The project Superadmin set up another account for me, hleson@ushahidi.com. Attempted login via Firefox after closing browser, new session. No luck.
Chrome attempt: So I was unable to login via Chrome.
Back to Firefox: the superadmin gave me this detail - http://dl.dropbox.com/u/34693557/Screenshots/9p.png from the admin dashboard. When I clicked on http://hsi2013.standbytaskforce.com/profile/user/heather, I was able to login (on Firefox).
Conclusions:
Has this been tested in 2.7b?
@aoduor I've never found a reliable way to reproduce it on 2.6, so no, haven't tested on 2.7.
I'm completely at a loss - pinging @srutto, can you help us test this?
Also, @heatherleson which version of Firefox/Safari/Chrome are you using?
@heatherleson can someone from the HSI sim send us a copy of their application/config/cookie.php and application/config/session.php?
May have narrowed this down to a problem with outdated versions of browsers (just a hunch). Chrome. More soon, as this continues to unfold.
My browser is always up to date - Firefox 2.0
Sent a note to the HHI folks to collect details.
Have you tested this in the past week? Do you mind testing it for me now with this version :)?
Firefox 20 release April 4 - https://wiki.mozilla.org/RapidRelease/Calendar I am on auto upgrade, so during the simulation I was on the latest FF version. I can open a stack of windows, deployments and test, but I am unsure that the browser version relates to this cache/security notice. Happy to test.
From my investigation - it is a possibility. Would really appreciate it if you could test!
OK. So I've found a login issue with the hsi2013 site. Login at
Since this config means the session gets killed between EVERY request on hsi2012 - it's possible it could trigger CSRF.
@rjmackay @aoduor @heatherleson I've been testing on WinXP with IE8, and my biggest suspect thus far is the user_agent re: I'm realizing that there's the remote possibility that the user_agent is either changing or just null on some platforms. @rjmackay -- I'm suggesting we disable user_agent checking altogether, and just have it as
HSI 2012 url was meant to be a redirect to HSI2013 site since I took the hsi2012 site offline. |
@dkobia putting ip_address back in is a bad idea. I removed that originally because users were having issues any time they switched locations/connections since their IP changed.
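As an added illustration of the two failure modes the comments above describe (my own Python, not Ushahidi's PHP code and not posted by anyone in this thread): a session that is destroyed between requests can no longer hold the CSRF token the form carries back, so every login fails the CSRF check; and binding the session to the client's IP address or User-Agent rejects legitimate users whose IP changes or whose browser sends no User-Agent. The client values below are constructed placeholders.

```python
import hmac
import secrets
from typing import Optional

TOKEN_KEY = "csrf_token"


def issue_csrf_token(session: dict) -> str:
    """Store a fresh random token in the server-side session and hand it to the form."""
    token = secrets.token_hex(32)
    session[TOKEN_KEY] = token
    return token


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """A POST is accepted only if it echoes the token currently held in the session."""
    expected = session.get(TOKEN_KEY)
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted)


def session_matches_client(session: dict, request: dict,
                           check_user_agent: bool, check_ip: bool) -> bool:
    """Optional session 'fingerprint' checks of the kind debated in the thread."""
    if check_user_agent and session.get("user_agent") != request.get("user_agent"):
        return False
    if check_ip and session.get("ip_address") != request.get("ip_address"):
        return False
    return True


def simulate_login(render_req: dict, submit_req: dict, *,
                   session_expires_each_request: bool = False,
                   check_user_agent: bool = False,
                   check_ip: bool = False) -> str:
    """Two-request login flow: GET the form, then POST it back with the token.

    Returns "ok", "csrf_error" or "fingerprint_mismatch".
    """
    session: dict = {}

    # Request 1: render the login form. Token and client details are bound to the session.
    token = issue_csrf_token(session)
    session["user_agent"] = render_req.get("user_agent")
    session["ip_address"] = render_req.get("ip_address")

    if session_expires_each_request:
        # The hsi2012-style misconfiguration: the session is destroyed between requests,
        # so the browser still holds a token the server no longer remembers.
        session = {}

    # Request 2: the browser posts the form back with the token it was given.
    if not session_matches_client(session, submit_req, check_user_agent, check_ip):
        return "fingerprint_mismatch"
    if not verify_csrf_token(session, token):
        return "csrf_error"
    return "ok"


# Constructed sample clients (hypothetical values, not taken from the issue).
FIREFOX = {"user_agent": "Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0",
           "ip_address": "198.51.100.7"}
SAME_CLIENT_NEW_IP = {"user_agent": FIREFOX["user_agent"], "ip_address": "203.0.113.9"}
SAME_CLIENT_NO_UA = {"user_agent": None, "ip_address": FIREFOX["ip_address"]}

if __name__ == "__main__":
    print("healthy config:        ", simulate_login(FIREFOX, FIREFOX))
    print("session killed per req:", simulate_login(FIREFOX, FIREFOX, session_expires_each_request=True))
    print("IP bound, user moved:  ", simulate_login(FIREFOX, SAME_CLIENT_NEW_IP, check_ip=True))
    print("UA bound, UA missing:  ", simulate_login(FIREFOX, SAME_CLIENT_NO_UA, check_user_agent=True))
```

The token check itself still rejects a forged cross-site POST (no token, or a guessed one) in every configuration; what the fingerprint checks add is only false positives for real users, which is the trade-off the thread is weighing.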
Issue popped up for a deployer using Safari Version 5.1.7 (6534.57.2). Tested with current version (6.0.4) and it works fine.
Closing this, open a new issue in case of anything.
The login form always returns a CSRF error when logging in from the popup login form on the main page.