#5889 - CSRF tokens broken – Composr CMS: Your Data, Your Privacy, Your Control

This is a spacer post for a website comment topic. The content this topic relates to: #5889 - CSRF tokens broken

By Guest posted 14th Aug 2024, 11:13 AM

It has nothing to do with the backdoor. I'll investigate.

By Guest posted 14th Aug 2024, 2:16 PM

Automated response: CSRF tokens broken

The recent release of 10.0.49 broke CSRF tokens for AJAX requests (such as rating content and changing your password).

This is because Composr was using your Session ID cookie as the CSRF token, retrieved via JavaScript. This can no longer be done due to the new strict security (HttpOnly) on session cookies.

This patch adds a new hidden input field on every page containing the CSRF token, which can be retrieved via JavaScript, unlike a session cookie.

This patch also deprecates the JavaScript function get_session_id() (it now throws a console error). This can no longer be used due to the new cookie security settings. And there are no secure workarounds for this. As a consequence, keep_stub() will NOT include your session via keep_session anymore unless it already exists in the URL.

By Guest posted 14th Aug 2024, 2:44 PM

NOTE:

After applying this patch, you will need to edit all your themes GLOBAL_HTML_WRAP and GLOBAL_HTML_WRAP_* files and add the following to the bottom just before </body>:

<input type="hidden" id="g-post-tkn" value="{$CSRF_TOKEN}">

Then clear your template and block caches.

If you don't, then you will still get token errors.

By Guest posted 17th Aug 2024, 9:03 PM

REVERTED in 10.0.50