Unable to verify your data submission since updated to 2.0.14 #15783
Comments
Did you follow this? http://www.yiiframework.com/doc-2.0/guide-security-best-practices.html#avoiding-csrf
@frontbear the link is about disabling CSRF, which I followed to disable CSRF and am able to submit the form. However, I don't want to do that for security reasons. If I downgrade back to 2.0.13, forms can be submitted. It's when updated to 2.0.14+ that forms can't be submitted and I get the 'Unable to verify your data submission' error.
It's similar to a bug that I encountered, maybe related?
@rosancoderian I had a look at your issue and it seems to be related to performance. I've been upgrading Yii fairly regularly and haven't noticed any performance issues. My only issue with the latest release is being unable to submit forms.
Failed to reproduce. Please supply more info, including
Thanks for posting in our issue tracker.
Thanks! This is an automated comment, triggered by adding the label
@SilverFire, thanks for looking into this. I'd say this is not easily reproduced as it works in 2.0.13 but not 2.0.14+. Here is the info as requested. Please let me know if you need any more info. In frontend/config/main.php:
As mentioned in original ticket it happens to all actions handling post data. Here's one that saves a record:
Could you try to reproduce it on the basic app template?
I have the same issue since I upgraded to 2.0.14.1 from 2.0.13. It happens rarely, but for a loaded project a significant amount of bad requests appeared.
Could you check if this is related to output created by
Possibly related: #15782
I can't reproduce it on my local developer machine. It happened rarely on production. I'll keep trying to find
The problem is with "remember me". The commit with breaking changes is 6c0540a. Steps to reproduce:
The problem is because of regenerating the CSRF token while restoring the session from the "remember me" token.
@sartor yes, that seems valid but I'm not sure how to solve that since not regenerating causes possible security issues.
Maybe it is possible to not regenerate the session if it is recovered from the "remember me" token? Is it a security breach?
Possibly not. Need to review it in detail.
My issue isn't related to just AJAX. It's any POST - AJAX, form or even via links. Thanks @sartor who mentioned 'remember me'. I stepped through my user model (which extends \yii\web\User). I resolved it by extending the login function:
Simply set $duration to any value > 0 and POST now works. This is probably not the correct solution but it resolves my issue.
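The override the previous comment describes, written out as an added example (not code from the thread or from Yii itself); the namespace, the class name and the 30-day fallback value are assumptions:

```php
<?php
namespace frontend\components; // assumption: any autoloaded namespace works

use yii\web\IdentityInterface;
use yii\web\User as BaseUser;

/**
 * Workaround from the thread: force a positive $duration so every login
 * takes the "remember me" path, which the commenter found avoids the
 * "Unable to verify your data submission" error on later POST requests.
 */
class User extends BaseUser
{
    /** @var int assumed fallback lifetime in seconds (30 days) when 0 is passed */
    public $forcedDuration = 2592000;

    public function login(IdentityInterface $identity, $duration = 0)
    {
        if ($duration <= 0) {
            $duration = $this->forcedDuration;
        }
        // yii\web\User::login() signature is (IdentityInterface, int $duration = 0)
        return parent::login($identity, $duration);
    }
}

// Register it in frontend/config/main.php (the file named earlier in the thread).
// enableAutoLogin must be true, otherwise a positive $duration sends no identity cookie.
// 'components' => [
//     'user' => [
//         'class'           => 'frontend\components\User',
//         'identityClass'   => 'common\models\User', // assumption: advanced template default
//         'enableAutoLogin' => true,
//     ],
// ],
```

A positive duration issues an identity cookie for every login, so this trades session-only logins for persistent ones; the thread later points to 2.0.14.2 as the release that changed the token regeneration itself.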
I'm also seeing a higher than normal amount of "yii\web\BadRequestHttpException: Unable to verify your data submission" errors today after upgrading to 2.0.14.1. Is there anything I can provide that might help you dig into this? If it helps, I'm using the advanced template, each app with its own CSRF token.
I subscribe to this; upgrading to the latest version simply had me disable CSRF token validation because of the high number of errors (Unable to verify your data submission) I get when submitting the forms.
The problem is well described in #15783 (comment)
Verified that not regenerating the token when prolonging via the "remember me" cookie is OK security-wise.
I'm having this problem in a form which has a field decorated with a Select2 widget that performs an AJAX request to search and retrieve the select options through a web service in the same app. It seems that the AJAX response updates the CSRF cookie, but neither the CSRF param of the meta tag nor the CSRF hidden input. So when I submit the form through a normal POST the CSRF validation fails because the CSRF state has changed since the page was rendered. I tried to manually update the CSRF using the Yii client API (yii.setCsrfToken()), but it didn't work. Do you know any workaround for such a case?
Take a look at this article https://segmentfault.com/q/1010000004450797
@xutl I can't reach it.
\yii\web\User\login regenerateCsrfToken(). Since 2.0.14.2
@feiyangzhang I'm having this issue on 2.0.16.
@samdark Users are reporting such a case.
Yes. That's official security behavior. It is CSRF token validation.
The thing is that the token is generated in the form, then it's used in another tab, but the form still contains the old one.
@samdark Thank you. Just trying to customize the error message (by something like "Something went wrong. Please try closing and re-opening your browser window", etc.), because "Unable to verify your data submission" doesn't make any sense to the user. The only way I found is relying on the text (of course, if no translations are used), because the framework doesn't provide any specific error code or other state for this case.
@joeyblack835 normally a user won't ever receive this message.
@samdark But this is what normal users are reporting and the client asked to make user friendly messages. 😊 Anyway, thank you for clarifying.
What steps will reproduce the problem?
Submit a form.
What is the expected result?
Form is submitted - data is saved or whatever the form is supposed to do.
What do you get instead?
yii\web\BadRequestHttpException: Unable to verify your data submission. in /var/www/my.uhub.biz/vendor/yiisoft/yii2/web/Controller.php:166
Additional info
I haven't been able to submit any forms since updated to 2.0.14. Have updated to 2.0.14.1 and still same error. Have tried to clear all browser cookies, restart services and server, but still cannot submit forms. Form can be submitted if csrf is disabled but this is not an option.
Falling back to v2.0.13.1, it works as intended.