False CSRF attack error when logging in #756

Closed
phyreman opened this Issue Aug 2, 2012 · 14 comments

phyreman commented Aug 2, 2012

When trying to log into the latest version I get the following error: "The request could not be validated. Possible CSRF attack"

Owner

rjmackay commented Aug 6, 2012

What version is this happening in?

phyreman commented Aug 6, 2012

v2.5

Owner

aoduor commented Aug 7, 2012

Confirming this on Crowdmap (which is on v2.5).

tkembo commented Aug 31, 2012

I'm having the same issue with version 2.5 here

Nhorning commented Sep 4, 2012

Same problem here. I was able to reset my password manually in the database, and log in through Firefox and Chrome through Linux, but I can't log in through Windows, and my users can't either.

Attempt to make a new user (via Pat Tressel) results in:
application/libraries/Validation.php [583]: call_user_func() expects parameter 1 to be a valid callback, function 'length[]' not found or invalid function name

Owner

rjmackay commented Sep 4, 2012

@Nhorning that error when creating a new user is unrelated; you need to create application/config/auth.php,
which should have been created by the installer.
The auth.password_length setting isn't being set otherwise.

Can you clear all caches in the browser on windows and try again? CSRF tokens are tied to user sessions, and so tied to the user cookie.

I've got users intermittently hitting this bug too but I'm having real trouble reproducing it enough to fix. Any extra info you can provide is great.

Nhorning commented Sep 4, 2012

Ok, I solved that above with the help of Pat Tressel. It might be related to the False CSRF attack as well.

I didn't have an application/config/auth.php file. I needed to find a copy of it from a backup of my old deployment and use it.

Nhorning commented Sep 4, 2012

Was in the middle of writing the above when your message appeared...

Contributor

heatherleson commented Sep 12, 2012

Any update on the roadmap to fix this bug?

Owner

rjmackay commented Sep 12, 2012

Quick and dirty fix is to disable CSRF checks on login, since they're only a minor security concern there.
However, I'm not clear if this is connected to the other CSRF errors elsewhere.

Owner

rjmackay commented Sep 12, 2012

This might be linked to session validation, as I seem to get issues after I change connections (and thus IP address).
Try changing this line in application/config/session.php:
$config['validate'] = array('user_agent', 'ip_address');
to
$config['validate'] = array('user_agent');
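
The mechanism rjmackay describes above, as an added example that is not part of this thread or of Ushahidi's code: a toy Python model of a session store with a validate list like the one in application/config/session.php, showing why a login form rendered from one address and submitted from another fails its CSRF check when ip_address is validated (the session is reset, so the token in the form no longer matches the token in the session), while validating only user_agent lets it pass. The session store, the addresses and the user agents are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    sid: str
    user_agent: str
    ip_address: str
    csrf_token: str

class SessionStore:
    """Toy session store whose `validate` list mirrors $config['validate'] in
    application/config/session.php. Constructed model, not Kohana's code."""

    def __init__(self, validate):
        self.validate = list(validate)
        self.sessions = {}

    def start(self, sid, user_agent, ip_address):
        """Resume `sid` if every validated attribute still matches; otherwise
        discard it and start a fresh session carrying a new CSRF token."""
        sess = self.sessions.get(sid)
        if sess is not None:
            checks = {"user_agent": sess.user_agent == user_agent,
                      "ip_address": sess.ip_address == ip_address}
            if all(checks[key] for key in self.validate):
                return sess
            del self.sessions[sid]  # validation failed: session is reset
        sess = Session(secrets.token_hex(16), user_agent, ip_address,
                       secrets.token_hex(16))
        self.sessions[sess.sid] = sess
        return sess

def csrf_valid(store, sid, user_agent, ip_address, form_token):
    """What a login POST goes through: resume the session, then compare the
    submitted token with the one stored in that session."""
    sess = store.start(sid, user_agent, ip_address)
    return hmac.compare_digest(sess.csrf_token, form_token)

def simulate_login(validate, post_ip, post_ua="Mozilla/5.0 (constructed)"):
    """GET the login form from 203.0.113.10 with a fixed user agent, then POST
    it from `post_ip` with user agent `post_ua`. True when the check passes."""
    store = SessionStore(validate)
    get_ua = "Mozilla/5.0 (constructed)"
    sess = store.start(None, get_ua, "203.0.113.10")  # GET /login issues token
    return csrf_valid(store, sess.sid, post_ua, post_ip, sess.csrf_token)
```

With ['user_agent', 'ip_address'] the check fails as soon as the client's address changes between rendering and submitting the form; with ['user_agent'] only a changed user agent resets the session.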

@rjmackay rjmackay added a commit that referenced this issue Sep 12, 2012

@rjmackay rjmackay Extra CSRF debug logging #756 2dfa928

@rjmackay rjmackay added a commit that referenced this issue Sep 12, 2012

@rjmackay rjmackay Skip CSRF validation during login #756
We don't really need CSRF validation when logging in.
Forging a login request would be a bit pointless, though this
does make brute forcing the login form easier
506d91f

@rjmackay rjmackay added a commit that referenced this issue Sep 12, 2012

@rjmackay rjmackay Don't validate session IP address #756
This seemed to be causing CSRF failures. It should have simply
reset the session at most causing a single failure, but the
CSRF validation continued failing on repeated requests.
Remove IP validation, and enabling validation on session
expiration since we might as well have that.
afdbe11

Owner

rjmackay commented Sep 12, 2012

@phyreman any chance you could test this out with my recent commits and see if that works for PHPFog?

rjmackay was assigned Sep 12, 2012

@rjmackay Sure thing.

@rjmackay Works like a charm. Was able to create a new Ushahidi install and log in without any problems.

@rjmackay rjmackay added a commit to rjmackay/Ushahidi_Web that referenced this issue Sep 14, 2012

@rjmackay rjmackay Extra CSRF debug logging #756 ea44bd2

@rjmackay rjmackay added a commit to rjmackay/Ushahidi_Web that referenced this issue Sep 14, 2012

@rjmackay rjmackay Skip CSRF validation during login #756
We don't really need CSRF validation when logging in.
Forging a login request would be a bit pointless, though this
does make brute forcing the login form easier
67b133d

@rjmackay rjmackay added a commit to rjmackay/Ushahidi_Web that referenced this issue Sep 14, 2012

@rjmackay rjmackay Don't validate session IP address #756
This seemed to be causing CSRF failures. It should have simply
reset the session at most causing a single failure, but the
CSRF validation continued failing on repeated requests.
Remove IP validation, and enabling validation on session
expiration since we might as well have that.
13007e4

rjmackay closed this Sep 16, 2012