OmarElgabry / miniPHP

A small, simple PHP MVC framework skeleton that encapsulates a lot of features surrounded with powerful security layers.
https://miniphp.ga/
MIT License

question about session and csrf #31

Open anibalardid opened 5 years ago

anibalardid commented 5 years ago

Hi Omar, how are you? I'm trying your framework, I like it very much. But I have problems with CSRF... at the beginning it works, but after some minutes it doesn't work anymore. When I create a post it says error 400 and in the logs appears "invalid CSRF token". I added Session::getCsrfToken() to the same debug line, and it appears empty.

What could be happening?

Best regards!

ghost commented 5 years ago

What are the values of your config/config.php about expire the cookie and session? Did you change the crsf_token_time to something else?

anibalardid commented 5 years ago

Hi! Thanks for your reply. I didn't change these values. They are the defaults in the code.

anibalardid commented 5 years ago

I debugged the code, adding a new logger in the same method that checks the CSRF token, and I added debug_backtrace() to see where the code is passing through... I don't see Session in this trace. I think maybe the code sometimes doesn't initialize the session...

I attached it here: https://pastebin.com/urEdxb6y

Achterstraat commented 5 years ago

Hi,

You can modify line 59 from core/Sessions.php from..

if(!self::validateIPAddress($ip) || !self::validateUserAgent($userAgent)) {

..to..

if(!self::validateIPAddress($ip)) {

..and then test again; if there are no more invalid sessions, your user agent is returning unstable, unreliable results!

Or..

if(!self::validateIPAddress($ip) || !self::validateUserAgent($userAgent)) {

..to..

if(!self::validateUserAgent($userAgent)) {

..and then test again; if there are no more invalid sessions, your IPv4/IPv6 addresses are switching randomly!
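As an added illustration (not miniPHP's own code; the function names, array keys and sample values are assumptions), here is a fingerprint check that reports which component changed, next to a CSRF check that tells an empty session token apart from a real mismatch, so a log line like the ones in this thread can be traced back to a session that was destroyed by an IP or user-agent change:

```php
<?php
declare(strict_types=1);

// Added example, not miniPHP's own code. Names and sample values are assumptions.
// When both checks share one branch, a session dropped by either leaves no hint
// in the CSRF log; returning the failing component makes the cause visible.

/** Which parts of the stored session fingerprint no longer match the request. */
function fingerprintMismatches(array $stored, array $request, bool $bindIp, bool $bindUa): array
{
    $bad = [];
    if ($bindIp && !hash_equals($stored['ip'], $request['ip'])) {
        $bad[] = 'ip';
    }
    if ($bindUa && !hash_equals($stored['ua_hash'], hash('sha256', $request['ua']))) {
        $bad[] = 'user_agent';
    }
    return $bad;
}

/** CSRF check that distinguishes "no token in session" from "token mismatch". */
function csrfFailureReason(?string $sessionToken, ?int $issuedAt, int $ttl, string $submitted, int $now): ?string
{
    if ($sessionToken === null || $sessionToken === '') {
        return 'no token in session (session was likely destroyed)';
    }
    if ($issuedAt === null || $now - $issuedAt > $ttl) {
        return 'token expired';
    }
    if (!hash_equals($sessionToken, $submitted)) {   // constant-time compare
        return 'token mismatch';
    }
    return null; // valid
}

// Constructed sample: same browser, but the client's IP changed between requests.
$stored  = ['ip' => '203.0.113.10', 'ua_hash' => hash('sha256', 'Mozilla/5.0 (X11; Linux)')];
$request = ['ip' => '203.0.113.77', 'ua'      => 'Mozilla/5.0 (X11; Linux)'];

$bad = fingerprintMismatches($stored, $request, true, true);   // ['ip']
if ($bad !== []) {
    error_log('session fingerprint changed: ' . implode(',', $bad) . ' - destroying session');
    // session_destroy() would run here; the next CSRF check then sees an empty token:
    echo csrfFailureReason('', null, 3600, 'abc', time()), PHP_EOL;
}
// Binding to the user agent only keeps this session alive:
var_dump(fingerprintMismatches($stored, $request, false, true)); // array(0) {}
```

Logging the mismatch reason at the point where the session is destroyed is what turns "invalid CSRF token" into an actionable message.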

anibalardid commented 5 years ago

When I leave only validateIPAddress:

05/01/2019 9:51:59 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 238 | CSRF Attack User: 1 provided invalid CSRF Token 35722d62fcb28368ffe2571677f84f18


05/01/2019 9:51:59 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 136 | Exception The request has been deined


If I leave only validateUserAgent... same error (400)

05/01/2019 9:53:04 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 238 | CSRF Attack User: 1 provided invalid CSRF Token d12d121d050f01a0949e428884027eae


05/01/2019 9:53:04 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 136 | Exception The request has been deined


goldwizard13 commented 2 years ago

When I leave only validateIPAddress:

05/01/2019 9:51:59 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 238 | CSRF Attack User: 1 provided invalid CSRF Token 35722d62fcb28368ffe2571677f84f18

05/01/2019 9:51:59 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 136 | Exception The request has been deined

If I leave only validateUserAgent... same error (400)

05/01/2019 9:53:04 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 238 | CSRF Attack User: 1 provided invalid CSRF Token d12d121d050f01a0949e428884027eae

05/01/2019 9:53:04 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 136 | Exception The request has been deined

Hi, I have the same problem, how did you solve it?

anibalardid commented 2 years ago

Hi, I have the same problem, how did you solve it?

I finally removed it, and I created some other checks of my own.

I modified this framework a lot to do what I need to do :)