CSRF False positives

Status
Open
Subject
CSRF False positives
Version
20.x
Category
  • Error
  • Regression
  • Usability
  • Community projects
  • Dogfood on a *.tiki.org site
Feature
User Administration (Registration, Login & Banning)
Resolution status
New
Submitted by
Xavier de Pedro
Keep informed
lindon
Lastmod by
Xavier de Pedro
Rating
(0)
Related-to
Description

A CSRF never ending loop happened to me earlier today, on dev.t.o.
I had logged in chromium-browser to dev.t.o as user "xavi" (no admin perms).

I needed to log in with my other user "xavidp" (the one with admin perms), so I opened a private browsing window of chromium-browser. I went to visit the same page I had visited with the standard user, where I had to fix some perms of that wiki page ( https://dev.tiki.org/Wish%20Report%20Tpl ). I clicked the "login" link at the top bar, which sent me to https://dev.tiki.org/login , provided the credentials, and then I got the message about CSRF at the URL https://dev.tiki.org/tiki-login.php :

Error
Potential cross-site request forgery (CSRF) detected. Operation blocked. Reloading the page may help.


Every time I tried again (F5, visiting somewhere else within dev.t.o) and attempted to log in, I got the same CSRF error message, and I couldn't log in as user "xavidp".

I had to open a new browser (Firefox, in this case), and login as "xavidp" was successful.

I wonder what was happening.

I tried again, at the time of reporting this issue, and I got the issue reproduced again.

FYI: I had seen other weird CSRF false positives in other contexts in a 20.x Tiki I use at work (behind a firewall). I'll keep an eye open to add more details when I hit this bug again in other use cases. But there is still something wrong in the code in 20.x.

Importance
9
Easy to solve?
4
Priority
36
Demonstrate Bug on Tiki 19+
Demonstrate Bug (older Tiki versions)
Ticket ID
7133
Created
Sunday 21 July, 2019 17:13:12 UTC
by Xavier de Pedro
LastModif
Sunday 10 October, 2021 11:36:36 UTC