Bad Request (#400) - Unable to verify your data submission #4497

Closed
mbman opened this issue Jul 28, 2014 · 49 comments

@mbman
Contributor

mbman commented Jul 28, 2014

Updated my advanced app to latest Yii using Composer some 12 hours ago (previous update was maybe a day earlier), and since then all forms stopped working.
It seems Yii can't validate the csrf cookie it generates.

Yii 2.0.0-dev
PHP 5.4.4-14+deb7u11

Log: http://pastebin.com/i9Ta8W5y
Request: http://pastebin.com/5wpALxCy
Headers: http://pastebin.com/KMKbvr3V

@samdark samdark added this to the 2.0 RC milestone Jul 28, 2014
@dynasource
Member

I remember this error too after a composer update. It also went away as fast as it came. Could it be a cookie or browser cache reset?

@cebe
Member

cebe commented Jul 28, 2014

Have you done this?

https://github.com/yiisoft/yii2/blob/master/framework/UPGRADE.md
Please update your main layout file by adding this line in the section: . This change is needed because yii\web\View no longer automatically generates CSRF meta tags due to issue #3358.

@mbman
Contributor Author

mbman commented Jul 28, 2014

Yes, I had to do it on a previous update and it worked until now. I've even cloned a fresh copy of the latest advanced app and the same thing happens.

@cebe
Member

cebe commented Jul 28, 2014

Looks like you have to clear your cookies from the browser. Your data looks like the cookie CSRF tag has been generated by an old version of the Security class.

@cebe cebe closed this as completed Jul 28, 2014
@cebe cebe removed this from the 2.0 RC milestone Jul 28, 2014
@mbman
Contributor Author

mbman commented Jul 28, 2014

Deleted the cookies, tried incognito window, other browser. Still the same.

@cebe
Member

cebe commented Jul 28, 2014

okay, this is weird. Have you tried with the basic app contact form? Or which form did you use to reproduce it?

@cebe cebe reopened this Jul 28, 2014
@mbman
Contributor Author

mbman commented Jul 28, 2014

Frontend signup, login, backend login and contact - none of them works.

@mbman
Contributor Author

mbman commented Jul 28, 2014

Shouldn't it fail automated testing for issues like this?

@mbman
Contributor Author

mbman commented Jul 28, 2014

It seems $this->getCookies()->getValue($this->csrfParam) in request is returning null, as if the cookies aren't passing yii's validation. They are present in raw $_COOKIE.

@cebe
Member

cebe commented Jul 28, 2014

I am unable to reproduce it with either the basic or the advanced application here...

@samdark
Member

samdark commented Jul 28, 2014

@cebe cebe added this to the 2.0 RC milestone Jul 29, 2014
@qiangxue
Member

@mbman Will you be able to set a breakpoint in Security::validateData() and see why the validation fails? Or could you please paste your cookie value and the cookie validation key?

@samdark
Member

samdark commented Jul 29, 2014

The issue seems to be storing binary data in cookie as @qiangxue noted.

In order to fix it we need to convert binary hash to string and then convert it back when reading. I think base64_encode and base64_decode should be OK for it.

@samdark samdark self-assigned this Jul 29, 2014
@mbman
Contributor Author

mbman commented Jul 29, 2014

Here you go:
'cookieValidationKey' => 'hl-1nd93H281efs',

I'll set the breakpoint and send the cookie data ASAP

@samdark
Member

samdark commented Jul 29, 2014

A good place to check with debugger is https://github.com/yiisoft/yii2/blob/master/framework/web/Request.php#L1195

@mbman
Contributor Author

mbman commented Jul 29, 2014

$_COOKIE value at the breakpoint @samdark suggested:

array (size=3)
  '_identity' => string 'a856387a22edee80aed59ef85fef670ba09878469941e9bb0c0f5f26f5ec1480s:46:"[1,"Ts3tQePZVtoNzS_EdKEV9Ofxn7RpQF6L",2592000]";' (length=118)
  'PHPSESSID' => string 'eu82n5eds0pr95dpok77v7p200' (length=26)
  '_csrf' => string '‚08ćĘŮ­PüśĹO�ŃŐâT�á�…†Bś�eµâ�?    Fs:32:"UwXqTJ63PJlpJEk13QuvQ8ye-WM2LwCe";' (length=72)

@samdark
Member

samdark commented Jul 29, 2014

Yup. _csrf seems to be binary.

https://github.com/yiisoft/yii2/blob/master/framework/web/Request.php#L1306 is generating raw token but we're trying to decode it at https://github.com/yiisoft/yii2/blob/master/framework/web/Request.php#L1341

@qiangxue
Member

what's your cookievalidationkey?

@metalagman
Contributor

key is sfjBvtU7vXsWLsiGfkHY75mIYsqLwATl

@qiangxue
Member

Your cookie is valid. Is your problem the same as @mbman's?

@metalagman
Contributor

pretty sure it is
I suppose that the problem is not with the code, the problem is OS-specific
I'm getting the error on FPM PHP 5.4.4-14+deb7u12 (cli) (built: Jun 30 2014 18:42:58)
and don't on PHP Version 5.4.26 on Windows

@metalagman
Contributor

some debugging info:

 $_POST = [
    '_csrf' => 'MnhwRE13c0lKECIKD09HMGozBwx1Axh6Yyk7EQgTQD9TEyAjOx9GcQ=='
    'Account' => [
        'name' => '...'
        'password' => '...'
        'rememberMe' => '1'
    ]
]

$_COOKIE = [
    '_csrf' => '4558ce18737862b0acc221aef149bd36b66d17c6bc1fd7b23b93d458d7126f34s:32:\"xhRNB84yXKwH8tk3QQKUEd3vakPgvh58\";'
]

$_SERVER = [
    ...
    'HTTP_COOKIE' => '_csrf=4558ce18737862b0acc221aef149bd36b66d17c6bc1fd7b23b93d458d7126f34s%3A32%3A%22xhRNB84yXKwH8tk3QQKUEd3vakPgvh58%22%3B'
    ...
]

@mbman
Contributor Author

mbman commented Jul 30, 2014

Updated the code to latest version, cleared cookies and the problem is still there.
Csrf values:

$_POST: NUMyTEo2ODRmDmcVA05CW010BC47QFV5YhBVE3ldSgdbOgIeLwFJeA==
$_COOKIE: 1fc0738c337cd4eddab5c35a9280dfacc7f73aea1fbf11d3f5453ccf61c2e5e4s:32:\"SMUYIxzox76bqvmMWSg_3kr3ny0Re7qL\";

@mbman
Contributor Author

mbman commented Jul 30, 2014

Vagrant server used:

@zlakomanoff
Contributor

mb_substr with a null length parameter returns an empty string
Security.php, in the validateData function:
$pureData is always an empty string

http://php.net//manual/en/function.mb-substr.php (first comment)
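
The failure described in the comment above, as an added example that is not Yii's code or anything posted in this thread: before PHP 5.4.8, mb_substr treated a null length as 0, so splitting a signed cookie into MAC and payload with a null length yields an empty payload and the HMAC check can never pass. The function names, the key and the token below are assumptions made for illustration; the cookie layout (64 hex characters followed by the serialized value) follows the dumps posted earlier.

```php
<?php
// Added example, not Yii's source. Cookie layout follows the dumps in this
// thread: 64 hex characters of HMAC-SHA256, then the serialized value.
const HASH_LEN = 64;

// Emulates mb_substr($s, $start, null, '8bit') on PHP < 5.4.8, where a null
// length was treated as 0 rather than "up to the end of the string".
function legacyByteSubstr(string $s, int $start, ?int $length): string
{
    return mb_substr($s, $start, $length ?? 0, '8bit');
}

// Portable variant: an omitted length becomes the byte length of the input.
function safeByteSubstr(string $s, int $start, ?int $length): string
{
    return mb_substr($s, $start, $length ?? mb_strlen($s, '8bit'), '8bit');
}

// Prefix the payload with its keyed hash (hypothetical helper).
function signData(string $data, string $key): string
{
    return hash_hmac('sha256', $data, $key) . $data;
}

// Returns the payload when the MAC verifies, false otherwise.
function validateData(string $signed, string $key, callable $substr)
{
    if (mb_strlen($signed, '8bit') < HASH_LEN) {
        return false;
    }
    $hash = $substr($signed, 0, HASH_LEN);
    $pureData = $substr($signed, HASH_LEN, null); // empty with the legacy split
    $expected = hash_hmac('sha256', $pureData, $key);
    return hash_equals($expected, $hash) ? $pureData : false;
}

// Constructed key and token, not values from this thread.
$key = 'constructed-validation-key';
$cookie = signData(serialize('constructedCsrfToken0123456789ab'), $key);

// Legacy split: the MAC is computed over '' and cannot match, so a correctly
// signed cookie is rejected. Safe split: the serialized payload comes back.
var_dump(validateData($cookie, $key, 'legacyByteSubstr'));
var_dump(validateData($cookie, $key, 'safeByteSubstr'));
```

The rejection is fail-closed: the cookie is treated as absent, which matches the null returned by getCookies()->getValue() reported earlier in the thread.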

@samdark samdark reopened this Jul 30, 2014
@samdark
Member

samdark commented Jul 30, 2014

@onepeopleprojects why is length 0?

samdark added a commit that referenced this issue Jul 30, 2014
Fixes #4497: Bad Request, Unable to verify your data submission
@samdark
Member

samdark commented Jul 30, 2014

Just merged another fix. Is it better now?

@zlakomanoff
Contributor

Excellent speed )) yes, it works ))

@prawee

prawee commented Jul 30, 2014

Great! It works.

@dynasource
Member

this patch also fixes a Codeception issue:

  • when json_encoding the cookie
  • when using the debug option

@samdark
Member

samdark commented Aug 3, 2014

@dynasource are the issues mentioned in our or codeception trackers? If so, would you please give links so I'll close these?

@dynasource
Member

none. It was an observation yesterday. I knew about this topic, so a composer update was worth a try (and it was). I just wanted to mention it for people searching.

@queejie

queejie commented Oct 27, 2014

I am suddenly getting the "Unable to verify your data submission" on a $.ajax() call that was working fine. I haven't changed the config or the $.ajax() call. I just ran a "composer update", and I cleared the cookies in my browser. If I set enableCsrfValidation to FALSE it works fine. I'm just getting my feet wet with Yii2 and composer. Thanks in advance for any suggestions on how to diagnose this.

@kartik-v
Contributor

I am getting the same error on a fresh update... need to check.

UPDATE: Confirm that the error occurs on the new update for ajax/post submissions. If I revert my yiisoft/yii2 to an older version it works.

@MEGApixel23

Have the same problem. Reinstalled the project but ajax requests still return a 400 error.

@mbman
Contributor Author

mbman commented Dec 8, 2014

@MEGApixel23 do you send the _csrf token in the ajax request?

@MEGApixel23

@mbman no, but it works on the previous Yii2 version. I tried to send the _csrf token and it works. So must I rewrite all my ajax requests in the whole project? Maybe there is another solution?

@metalagman
Contributor

@MEGApixel23 just disable csrf validation in your ajax controller

@samgiety

Still happens on version 2.0.2. The cookie is not created on first request. I have a workaround: Extend View::endPage():

class View extends \yii\web\View {

    public function endPage($ajaxMode = false)
    {
        \Yii::$app->getResponse()->sendCookies();
        parent::endPage($ajaxMode);
    }
}

@cebe
Member

cebe commented Jan 18, 2015

@gorellnet please open a new issue if there is a problem, this one is already closed for 2.0rc

@yiisoft yiisoft locked and limited conversation to collaborators Jan 18, 2015