Unable to verify your data submission since updated to 2.0.14 #15783

Closed
cluwong opened this issue Feb 27, 2018 · 31 comments

cluwong commented Feb 27, 2018

What steps will reproduce the problem?

Submit a form.

What is the expected result?

Form is submitted - data is saved or whatever the form is supposed to do.

What do you get instead?

yii\web\BadRequestHttpException: Unable to verify your data submission. in /var/www/my.uhub.biz/vendor/yiisoft/yii2/web/Controller.php:166

Additional info

I haven't been able to submit any forms since updating to 2.0.14. I have updated to 2.0.14.1 and still get the same error. I have tried clearing all browser cookies and restarting services and the server, but still cannot submit forms. The form can be submitted if CSRF is disabled, but this is not an option.
Falling back to v2.0.13.1, it works as intended.

Yii version: 2.0.14 and 2.0.14.1
PHP version: 7.0.22
Operating system: Ubuntu 16.04
frontbear (Contributor):

cluwong (Author) commented Feb 27, 2018

@frontbear the link is about disabling CSRF, which I followed to disable CSRF and am able to submit the form. However, I don't want to do that for security reasons.

If I downgrade back to 2.0.13, forms can be submitted. It's when updated to 2.0.14+ that forms can't be submitted and I get the 'Unable to verify your data submission' error.

rosancoderian:

It's similar to a bug that I encountered, maybe related?

cluwong (Author) commented Feb 27, 2018

@rosancoderian I had a look at your issue and it seems to be related to performance. I've been upgrading Yii fairly regularly and haven't noticed any performance issues. My only issue with the latest release is being unable to submit forms.

SilverFire (Member) commented Feb 27, 2018

Failed to reproduce. Please supply more info, including the request component config and the action source code.

yii-bot commented Feb 27, 2018

Thanks for posting in our issue tracker.
In order to properly assist you, we need additional information:

  • When does the issue occur?
  • What do you see?
  • What was the expected result?
  • Can you supply us with a stacktrace? (optional)
  • Do you have exact code to reproduce it? Maybe a PHPUnit test that fails? (optional)

Thanks!

This is an automated comment, triggered by adding the label status:need more info.

@SilverFire SilverFire added this to the 2.0.15 milestone Feb 27, 2018
cluwong (Author) commented Feb 27, 2018

@SilverFire, thanks for looking into this. I'd say this is not easily reproduced, as it works in 2.0.13 but not 2.0.14+. Here is the info as requested. Please let me know if you need anything more.

In frontend/config/main.php:

'components' => [
    'request' => [
        'csrfParam' => 'csrf-frontend',
    ],
    'session' => [
        'name' => 'xxx-frontend',
    ],
],

As mentioned in the original ticket, it happens to all actions handling POST data. Here's one that saves a record:

public function actionUpdate($id)
{
    $model = $this->findModel($id);

    // load() fills the model from the POST body; save() validates and persists it
    if ($model->load(Yii::$app->request->post())) {
        if ($model->save()) {
            return $this->redirect(['index']);
        }
    }

    return $this->render('update', ['model' => $model]);
}

SilverFire (Member):

Could you try to reproduce it on basic app template?

sartor (Contributor) commented Feb 27, 2018

I have the same issue since I upgraded to 2.0.14.1 from 2.0.13. It happens rarely, but for a loaded project a significant number of bad requests has appeared.

schmunk42 (Contributor):

Could you check if this is related to output created by echo statements instead of returning the content/data from the controller? I.e. during AJAX validation.

Possibly related: #15782

sartor (Contributor) commented Feb 27, 2018

I can't reproduce it on my local developer machine. It happens rarely on production. I'll keep trying to find it.

sartor (Contributor) commented Feb 27, 2018

The problem is with "remember me". The commit with the breaking change is 6c0540a.

Steps to reproduce:

  1. Login with default yii2 auth functionality
  2. Load a page with any AJAX post request
  3. Remove cookie PHPSESSID
  4. Submit post request

The problem is caused by regenerating the CSRF token while restoring the session from the "remember me" token.
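Editor's note: the following is an added, stand-alone PHP model of the interaction sartor describes above. It is not Yii's code and not code from this thread; the class names (CsrfGuard, UserComponent), the simplified mask-and-XOR token format and the simulated cookie jar are all invented for illustration. It replays the four steps with the CSRF secret either rotated again when the login is restored from the "remember me" cookie (the 2.0.14 behaviour reported here) or kept, and shows which of the two lets the already-rendered page's token validate.

```php
<?php
// Added example, not Yii's code: models the cookie-login / CSRF interaction
// described in the issue. Names and the token format are invented.

final class CsrfGuard
{
    /** @var string[] simulated cookie jar (name => value); it survives a lost PHPSESSID */
    public $cookies = [];
    private $cookieName;

    public function __construct($cookieName = '_csrf')
    {
        $this->cookieName = $cookieName;
    }

    /** Raw 16-byte secret held in the CSRF cookie; created on first use. */
    public function rawToken()
    {
        if (!isset($this->cookies[$this->cookieName])) {
            $this->regenerate();
        }
        return $this->cookies[$this->cookieName];
    }

    /** Replace the secret: every token handed out before this call stops validating. */
    public function regenerate()
    {
        $this->cookies[$this->cookieName] = random_bytes(16);
    }

    /** Per-render masked token, mask . (mask XOR secret), as embedded in a form or meta tag. */
    public function formToken()
    {
        $secret = $this->rawToken();
        $mask = random_bytes(strlen($secret));
        return base64_encode($mask . ($mask ^ $secret));
    }

    /** Unmask a submitted token and compare it, in constant time, with the current secret. */
    public function validate($submitted)
    {
        $raw = base64_decode($submitted, true);
        if ($raw === false || strlen($raw) !== 32) {
            return false;
        }
        $mask = substr($raw, 0, 16);
        $unmasked = substr($raw, 16) ^ $mask;
        return hash_equals($this->rawToken(), $unmasked);
    }
}

final class UserComponent
{
    public $identity = null;
    private $guard;
    private $regenerateOnCookieLogin;

    public function __construct(CsrfGuard $guard, $regenerateOnCookieLogin)
    {
        $this->guard = $guard;
        $this->regenerateOnCookieLogin = $regenerateOnCookieLogin;
    }

    /** Credential login: the session's privilege level changes, so the secret is rotated. */
    public function loginWithPassword($name)
    {
        $this->identity = $name;
        $this->guard->regenerate();
    }

    /** Login restored from the "remember me" cookie on a request whose session is gone. */
    public function loginByCookie($name)
    {
        $this->identity = $name;
        if ($this->regenerateOnCookieLogin) {
            $this->guard->regenerate(); // reported 2.0.14 behaviour: the open page's token dies here
        }
    }
}

/** Replays the reported steps; returns whether the final POST passes CSRF validation. */
function replayScenario($regenerateOnCookieLogin)
{
    $guard = new CsrfGuard();
    $user = new UserComponent($guard, $regenerateOnCookieLogin);

    $user->loginWithPassword('alice');   // 1. login with the default auth flow, "remember me" on
    $pageToken = $guard->formToken();    // 2. a page carrying a form / AJAX token is rendered
    $user->identity = null;              // 3. PHPSESSID removed: session identity gone, cookies remain
    $user->loginByCookie('alice');       // 4a. the framework restores the login from the identity cookie
    return $guard->validate($pageToken); // 4b. and only then checks the POST against the current secret
}

printf("regenerate on cookie login: POST %s\n", replayScenario(true) ? 'accepted' : 'rejected');
printf("keep secret on cookie login: POST %s\n", replayScenario(false) ? 'accepted' : 'rejected');
```

Run with `php` on 7.0 or later (it needs random_bytes and hash_equals). The credential login still rotates the secret, which is the rotation that matters against session fixation; the cookie-restored login only re-establishes an identity the browser already held, so keeping the secret there does not weaken the check. The same mechanism is why a form rendered before a credential login in another tab is rejected: its token was masked from the old secret.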

samdark (Member) commented Feb 28, 2018

@sartor yes, that seems valid but I'm not sure how to solve that since not regenerating causes possible security issues.

sartor (Contributor) commented Feb 28, 2018

Maybe it is possible to not regenerate the session if it is recovered from the "remember me" token? Is it a security breach?

samdark (Member) commented Feb 28, 2018

Possibly not. Need to review it in detail.

cluwong (Author) commented Mar 1, 2018

My issue isn't related to just AJAX. It's any POST - AJAX, form or even via links.

Thanks @sartor, who mentioned 'remember me'. I stepped through my user model (which extends \yii\web\User). I resolved it by extending the login function:

public function login(\yii\web\IdentityInterface $identity, $duration = 3600)
{
    // default $duration raised from 0 to 3600 so callers that omit it get a cookie-based login
    return parent::login($identity, $duration);
}

Simply set $duration to any value > 0 and POST now works.

This is probably not the correct solution but it resolves my issue.

cleippi commented Mar 3, 2018

I'm also seeing a higher than normal amount of "yii\web\BadRequestHttpException: Unable to verify your data submission" errors today after upgrading to 2.0.14.1. Is there anything I can provide that might help you dig into this?

If it helps, I'm using the advanced template, each app with its own CSRF token.

'components' => [
    'request' => [
        'csrfParam' => '_publisher_csrf',
        'baseUrl' => '/publisher',
    ],

twisted1919:

I subscribe to this. Upgrading to the latest version simply had me disable CSRF token validation because of the high number of errors (Unable to verify your data submission) I get when submitting the forms.
There is definitely something wrong.

samdark (Member) commented Mar 3, 2018

The problem is well described in #15783 (comment)

@samdark samdark added type:bug Bug and removed status:to be verified Needs to be reproduced and validated. labels Mar 4, 2018
samdark (Member) commented Mar 4, 2018

Verified that not regenerating token when prolonging via "remember me" cookie is OK security-wise.

iurijacob:

I'm having this problem in a form which has a field decorated with a Select2 widget that performs an AJAX request to search and retrieve the select options through a web service in the same app. It seems that the AJAX response updates the CSRF cookie, but not the CSRF param of the meta tag nor the CSRF hidden input. So when I submit the form through a normal POST, the CSRF validation fails because the CSRF state has changed since the page was rendered.

I tried to manually update the CSRF using Yii client API (yii.setCsrfToken()), but it didn't work.

Do you know any workaround to such case?

xutl (Contributor) commented May 3, 2018

Take a look at this article https://segmentfault.com/q/1010000004450797

samdark (Member) commented May 4, 2018

@xutl I can't reach it.

feiyangzhang commented Sep 7, 2018

\yii\web\User\login regenerateCsrfToken(). Since 2.0.14.2

php-wizard:

@feiyangzhang I'm having this issue on 2.0.16.
So I'd better always call regenerateCsrfToken() just before showing the login forms?

joeyblack835:

@samdark Users are reporting the following case.

  1. Open the login form (when logged out).
  2. Open the login form in another tab (suppose they were doing something in different tabs and then appeared to be logged out in both tabs).
  3. Enter credentials in the first tab and submit the form - logged in OK.
  4. Do the same in the second tab - "Unable to verify your data submission" error. Suppose they expect to be logged in successfully.

Is this an official security behavior of the framework? What is a better workaround? Something more informative? Of course, except showing a 403 forbidden page?

samdark (Member) commented Jun 10, 2021

Yes. That's official security behavior. It is CSRF token validation.

samdark (Member) commented Jun 10, 2021

The thing is that the token is generated in the form, then it's used in another tab, but the form still contains the old one.

joeyblack835:

@samdark Thank you. Just trying to customize the error message (by something like "Something went wrong. Please try closing and re-opening your browser window", etc.), because "Unable to verify your data submission" doesn't make any sense for the user. The only way I found is relying on the text (of course, if no translations are used), because the framework doesn't provide any specific error code or other states for this case.
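Editor's note: as an added illustration (not code from this thread and not part of Yii) of how an application can give the CSRF failure its own exception type and a message a user can act on, without matching on the error text. It assumes a Yii 2 application with a base controller all other controllers extend; the names CsrfMismatchException and BaseController are invented, and the exception class is shown in the same file only for brevity (under PSR-4 autoloading it would live in its own file).

```php
<?php
// Added example, not Yii's code. Assumes a Yii 2 app; class names are invented.
namespace app\controllers;

use Yii;
use yii\web\BadRequestHttpException;
use yii\web\Controller;

/**
 * Distinct type for "the CSRF token did not match", so error views, tests and
 * log filters can recognise the case instead of comparing the message string.
 */
class CsrfMismatchException extends BadRequestHttpException
{
}

class BaseController extends Controller
{
    public function beforeAction($action)
    {
        try {
            // yii\web\Controller::beforeAction() runs the filters and then throws a
            // plain BadRequestHttpException when Request::validateCsrfToken() fails.
            return parent::beforeAction($action);
        } catch (BadRequestHttpException $e) {
            // Re-run the same check the framework used, so that other 400s pass through unchanged.
            if ($this->enableCsrfValidation && !Yii::$app->request->validateCsrfToken()) {
                throw new CsrfMismatchException(
                    Yii::t('app', 'Your login changed while this page was open (for example after signing in from another tab). Please reload the page and submit again.'),
                    0,
                    $e
                );
            }
            throw $e;
        }
    }
}
```

This only reclassifies the failure; the stale token in the other tab is still invalid, which is why the message asks for a reload rather than a retry. Because the re-check happens after the framework's own check, the outcome is the same for every request; the status code stays 400 (BadRequestHttpException), and the error action can switch on `instanceof CsrfMismatchException` to render a dedicated view.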

samdark (Member) commented Jul 8, 2021

@joeyblack835 normally user won't ever receive this message.

joeyblack835:

@samdark But this is what normal users are reporting and the client asked to make user friendly messages. 😊 Anyway, thank you for clarifying.

This issue was closed.