What steps will reproduce the problem?
Before the form is submitted, create a POST/GET JavaScript call to a controller that implements an auth method that invokes $user->loginByAccessToken() (this controller also intentionally sets enableCsrfValidation = false and disables the session).
Submit the form.
What is the expected result?
The form should successfully submit and CSRF validation should pass
What do you get instead?
CSRF validation fails
Additional info
Yii version: 2.0.14.1+
PHP version: 7.1.1 (NA)
Operating system: OSX High Sierra (NA)
The problem I think is caused by line 261 of \yii\web\User that calls $this->regenerateCsrfToken();
The JavaScript API call invokes $user->loginByAccessToken, which triggers the regeneration of the CSRF token and invalidates the one on the form that has yet to be submitted.
I believe the solution would be to add a conditional statement to check if CSRF validation is enabled for the current action:
```php
if (Yii::$app->getRequest()->enableCsrfValidation) {
    $this->regenerateCsrfToken();
}
```
or
```php
if (Yii::$app->controller->enableCsrfValidation) {
    $this->regenerateCsrfToken();
}
```
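The sequence the report describes, as an added example written for this page (it is not code from the issue thread or from the Yii framework): a stateless API action that logs in via loginByAccessToken() with CSRF validation and the session switched off, and a form controller that keeps CSRF validation on. Because the login regenerates the CSRF token, the API action hands the new masked token back in its JSON response so the page can update the hidden field before the form is submitted, instead of opting out of the regeneration. The `access_token` POST parameter, the `'api'` token type, the Identity class behind findIdentityByAccessToken(), and the `index` view are assumptions of the example; two classes are kept in one file only for brevity.

```php
<?php
// Added example, not part of the issue or of yii2 itself.
// Assumes an Identity class (Yii::$app->user->identityClass) that implements
// findIdentityByAccessToken(), and a form view named 'index'.
namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\Response;
use yii\web\UnauthorizedHttpException;

/**
 * Stateless API endpoint, configured as the report describes:
 * CSRF validation off, session off, login via access token.
 */
class ApiController extends Controller
{
    // Per-controller switch from yii\web\Controller: skips validateCsrfToken()
    // in beforeAction() for every action of this controller.
    public $enableCsrfValidation = false;

    public function beforeAction($action)
    {
        // Disable the session for this endpoint: no session cookie is issued
        // and the identity is not persisted beyond this request.
        Yii::$app->user->enableSession = false;
        Yii::$app->response->format = Response::FORMAT_JSON;
        return parent::beforeAction($action);
    }

    public function actionAuth()
    {
        $accessToken = Yii::$app->request->post('access_token'); // assumed parameter name
        $identity = Yii::$app->user->loginByAccessToken($accessToken, 'api'); // 'api' is an assumed type
        if ($identity === null) {
            throw new UnauthorizedHttpException('Invalid access token.');
        }

        // In Yii 2.0.14+ the login above regenerated the CSRF token. With the
        // default cookie-based storage (Request::$enableCsrfCookie = true) the new
        // raw value is already in this response's Set-Cookie header, so any form
        // still holding the previous token will fail validation. Return the new
        // masked token so the client can refresh its hidden field before submitting.
        $request = Yii::$app->request;
        return [
            'userId'    => $identity->getId(),
            'csrfParam' => $request->csrfParam,
            'csrfToken' => $request->getCsrfToken(),
        ];
    }
}

/**
 * The page that carries the form; CSRF validation stays enabled here.
 */
class FormController extends Controller
{
    public function actionIndex()
    {
        // The rendered form embeds the token that is current when the page is built.
        // Yii::$app->request->csrfToken is the same masked value the ActiveForm
        // helper writes into its hidden input.
        return $this->render('index', [
            'csrfParam' => Yii::$app->request->csrfParam,
            'csrfToken' => Yii::$app->request->getCsrfToken(),
        ]);
    }

    public function actionSubmit()
    {
        // yii\web\Controller::beforeAction() has already called
        // Yii::$app->request->validateCsrfToken() and thrown a BadRequestHttpException
        // if the submitted token did not match the cookie; a stale token never gets here.
        return 'ok';
    }
}
```

On the client, after the `auth` call resolves, write the returned token into the form before submitting it, for example with the helpers shipped in yii.js: `yii.setCsrfToken(r.csrfParam, r.csrfToken); yii.refreshCsrfToken();`. Refreshing the token on the page is the safer side of the trade-off the thread discusses: the regeneration exists so that a token issued to one identity is not accepted after the identity changes (CVE-2018-6009), and a switch that disables it would reopen that window for any application that sets it.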
Regeneration of the CSRF token was introduced by #15496. Maybe it's a wise idea to let developers opt out of the enforced token regeneration with some kind of switch. Should it be a public var on the yii\web\User class?
Also I have to say that I don't see any benefit in this kind of enforced token renewal.
Found it. CVE-2018-6009: In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.