craftcms / cms

Build bespoke content experiences with Craft.
https://craftcms.com

Entering password into session expiry dialog returns error #1957

Closed lukeholder closed 7 years ago

lukeholder commented 7 years ago

Steps to reproduce

  1. Allow your session to expire when logged into the CP
  2. See the password entry modal pop up
  3. Enter the correct password into the modal and click submit
  4. See a 400 HTTP error and an error message returned.

Additional info

brandonkelly commented 7 years ago

@lukeholder Not able to reproduce this. Can you post the error message you received, and any custom user session-related config setting values you set, if any?

lukeholder commented 7 years ago

@brandonkelly I believe the error is due to a CSRF token not being valid on the modal submission, or the hash value not being valid.

Both @andris-sevcenko and @benjamindavid also report the same issue.

The setting defaults to true, but I also set it in my config anyway:

    // Enable CSRF Protection (recommended, will be enabled by default in Craft 3)
    'enableCsrfProtection' => true,

screencast of the error:

http://jmp.sh/iaM5EDy

log of the error:

    2017-09-05 13:01:06 [::1][-][60e1e973ffa0d22557551ce0a636dc63][trace][craft\web\Application::_processActionRequest] Route requested: 'users/login'
    2017-09-05 13:01:06 [::1][-][60e1e973ffa0d22557551ce0a636dc63][trace][yii\base\Controller::runAction] Route to run: users/login
    2017-09-05 13:01:06 [::1][-][60e1e973ffa0d22557551ce0a636dc63][error][yii\web\HttpException:400] yii\web\BadRequestHttpException: Unable to verify your data submission. in /Users/luke/Code/Projects/Craft3/craft3.craft.dev/vendor/yiisoft/yii2/web/Controller.php:166
    Stack trace:
    #0 /Users/luke/Code/Projects/Craft3/cms/src/web/Controller.php(58): yii\web\Controller->beforeAction(Object(yii\base\InlineAction))
    #1 /Users/luke/Code/Projects/Craft3/craft3.craft.dev/vendor/yiisoft/yii2/base/Controller.php(154): craft\web\Controller->beforeAction(Object(yii\base\InlineAction))
    #2 /Users/luke/Code/Projects/Craft3/craft3.craft.dev/vendor/yiisoft/yii2/base/Module.php(523): yii\base\Controller->runAction('login', Array)
    #3 /Users/luke/Code/Projects/Craft3/cms/src/web/Application.php(241): yii\base\Module->runAction('users/login', Array)
    #4 /Users/luke/Code/Projects/Craft3/cms/src/web/Application.php(385): craft\web\Application->runAction('users/login', Array)
    #5 /Users/luke/Code/Projects/Craft3/cms/src/web/Application.php(201): craft\web\Application->_processActionRequest(Object(craft\web\Request))
    #6 /Users/luke/Code/Projects/Craft3/craft3.craft.dev/vendor/yiisoft/yii2/base/Application.php(380): craft\web\Application->handleRequest(Object(craft\web\Request))
    #7 /Users/luke/Code/Projects/Craft3/craft3.craft.dev/web/index.php(21): yii\base\Application->run()
    #8 {main}
    2017-09-05 13:01:06 [::1][-][60e1e973ffa0d22557551ce0a636dc63][info][application] $_GET = [
        'p' => 'admin/actions/users/login'
    ]

    $_POST = [
        'loginName' => 'admin'
        'password' => '••••••••'
    ]

    $_COOKIE = [
        'XDEBUG_SESSION' => 'PHPSTORM'
        '__stripe_mid' => 'c5c369c4-ff4f-43de-90b9-c56fdba506ea'
        'CraftSessionId' => '6be66c7a8d9d3489b0e0ac1fed8353a3'
        '1031b8c41dfff97a311a7ac99863bdc5_username' => 'e0b7a68d3599aca46005de143fa118c4ec907a69376dfcffcc7a4daacf27a33ca:2:{i:0;s:41:\"1031b8c41dfff97a311a7ac99863bdc5_username\";i:1;s:5:\"admin\";}'
        'CRAFT_CSRF_TOKEN' => '•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••'
    ]

    $_SESSION = [
        'bd62416aa8538ede709019a5e113eea5__flash' => []
        'commerce_cookie' => '054625d41601895275c2bc8981143ff6'
        'bd62416aa8538ede709019a5e113eea5__auth_access' => [
            0 => 'saveAssetInVolume:1'
        ]
    ]
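
To make the stale-token hypothesis in the comment above concrete, here is an added illustration (not code from Craft, Yii or the issue): a Python reimplementation of the Yii 2 masked-CSRF scheme behind the `Unable to verify your data submission` check that `yii\web\Controller::beforeAction` raised in the log. The `Session` class and the assumption that the true token is replaced when the session expires are the example's own, not something the page confirms.

```python
import base64
import hmac
import secrets

MASK_LENGTH = 8  # yii\web\Request::CSRF_MASK_LENGTH


def _xor_with_mask(data: bytes, mask: bytes) -> bytes:
    # Yii repeats the 8-byte mask to the token's length before XORing.
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def mask_token(true_token: bytes) -> str:
    """Masked copy of the secret, as yii\\web\\Request::getCsrfToken() emits it.

    A fresh random mask is prepended to (token XOR mask), so every rendered
    form carries a different string for the same underlying secret.
    """
    mask = secrets.token_bytes(MASK_LENGTH)
    encoded = base64.b64encode(mask + _xor_with_mask(true_token, mask)).decode()
    return encoded.replace("+", ".")  # Yii swaps '+' for '.' in the output


def validate_token(submitted: str, true_token: bytes) -> bool:
    """Server-side check mirroring yii\\web\\Request::validateCsrfTokenInternal()."""
    try:
        raw = base64.b64decode(submitted.replace(".", "+"), validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed encoding
        return False
    if len(raw) <= MASK_LENGTH:  # nothing left after the mask: reject
        return False
    unmasked = _xor_with_mask(raw[MASK_LENGTH:], raw[:MASK_LENGTH])
    return hmac.compare_digest(unmasked, true_token)  # constant-time compare


class Session:
    """Constructed stand-in for wherever the app keeps the true token
    (Yii stores it in a cookie or the PHP session)."""

    def __init__(self) -> None:
        self.csrf_secret = secrets.token_bytes(32)


def session_expiry_scenario() -> tuple:
    """Model the reported sequence: page rendered, session expires, modal posts."""
    old_session = Session()
    form_token = mask_token(old_session.csrf_secret)  # baked into the CP page
    while_alive = validate_token(form_token, old_session.csrf_secret)
    new_session = Session()  # assumption: expiry hands the request a new secret
    # The modal still posts the token it was rendered with, so beforeAction()
    # fails validateCsrfToken() and throws BadRequestHttpException (HTTP 400).
    after_expiry = validate_token(form_token, new_session.csrf_secret)
    return while_alive, after_expiry
```

`session_expiry_scenario()` returns `(True, False)`: the same masked token passes while its session is alive and is rejected once the secret it was masked from is gone.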

brandonkelly commented 7 years ago

Guess it would have helped if I enabled CSRF validation :)