#5889 - CSRF tokens broken
| Identifier | #5889 |
|---|---|
| Issue type | Major issue (breaks an entire feature) |
| Title | CSRF tokens broken |
| Status | Completed |
| Handling member | PDStig |
| Version | 10.0.49 |
| Addon | core |
| Description | "A POST request was made with a non-recognised security token; this has been blocked as it represents a security threat." This may be due to using backdoor IP, but mentioning in case it's not. |
| Steps to reproduce | |
| Funded? | No |
| Commits | Fixed MANTIS-5889 (CSRF tokens broken) (3f778ebf), Composr repository on GitLab |

Comments
The recent release of 10.0.49 broke CSRF tokens for AJAX requests (such as rating content and changing your password).
This is because Composr was using your Session ID cookie as the CSRF token, retrieved via JavaScript. This can no longer be done due to the new strict security (HttpOnly) on session cookies.
This patch adds a new hidden input field on every page containing the CSRF token, which can be retrieved via JavaScript, unlike a session cookie.
This patch also deprecates the JavaScript function get_session_id() (it now throws a console error). This can no longer be used due to the new cookie security settings. And there are no secure workarounds for this. As a consequence, keep_stub() will NOT include your session via keep_session anymore unless it already exists in the URL.
After applying this patch, you will need to edit all your themes' GLOBAL_HTML_WRAP and GLOBAL_HTML_WRAP_* files and add the following to the bottom just before </body>:

```html
<input type="hidden" id="g-post-tkn" value="{$CSRF_TOKEN}">
```
Then clear your template and block caches.
If you don't, then you will still get token errors.