erikdubbelboer / phpRedisAdmin

Simple web interface to manage Redis databases.
http://dubbelboer.com/phpRedisAdmin/

BAD CSRF TOKEN #172

Open v012345 opened 3 years ago

v012345 commented 3 years ago

When I delete a key, I am redirected to a 404 page whose path is "http://myDomian/bad%20csrf%20token".

asmc commented 3 years ago

> When I delete a key, I am redirected to a 404 page whose path is "http://myDomian/bad%20csrf%20token".

Me too.

asmc commented 3 years ago

Also, if you have renamed your phpRedisAdmin/ directory to something else, you will be redirected to "bad csrf token"...

asmc commented 3 years ago

And the view frame cannot show any contents because of "header('X-Frame-Options: DENY');". I had to add "Header always set X-Frame-Options "sameorigin"" to .htaccess.

erikdubbelboer commented 3 years ago

My bad. I have just released a fix for sameorigin. Please upgrade to 1.16.1 and try again.

I don't really use this project anymore, but there were a bunch of security issues reported that I tried to fix. I tested it locally and everything worked fine. But it seems like with other setups things break.

For the bad csrf token error: what version of PHP are you using, and what does your session setup look like? The CSRF code uses PHP sessions. It does check session_status() !== PHP_SESSION_DISABLED, but I guess something else goes wrong?

v012345 commented 3 years ago

> My bad. I have just released a fix for sameorigin. Please upgrade to 1.16.1 and try again.
>
> I don't really use this project anymore, but there were a bunch of security issues reported that I tried to fix. I tested it locally and everything worked fine. But it seems like with other setups things break.
>
> For the bad csrf token error: what version of PHP are you using, and what does your session setup look like? The CSRF code uses PHP sessions. It does check session_status() !== PHP_SESSION_DISABLED, but I guess something else goes wrong?

I use PHP 7.4. I have updated it to 1.16.1, but it doesn't work. So I executed chmod -R 777 phpRedisAdmin, and MY GOD, it works. Later I changed the permission back to 755, and it still works. So I guess the reason is that PHP doesn't have permission to create session files on my server. And I want to know where PHP saves the sessions.

erikdubbelboer commented 3 years ago

That depends on how you have configured sessions on your server. See: https://www.php.net/manual/en/session.configuration.php#ini.session.save-path

KarelWintersky commented 2 years ago

@v012345, check the session.cookie_path value in your php.ini.

It must contain / or be commented out.
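A diagnostic for the two settings this thread turns on (an unwritable session save path and a session.cookie_path that does not cover the install directory), added here as an example; it is not phpRedisAdmin's own CSRF code, and the issue/verify functions are a generic session-backed token scheme assumed for illustration:

```php
<?php
// Added example, not phpRedisAdmin's code. Run it under the web SAPI (as a page
// on the same vhost), so is_writable() is evaluated as the web server user.
declare(strict_types=1);

// Report the session settings that decide whether a session-backed CSRF token
// can survive from the request that issued it to the request that checks it.
function sessionDiagnostics(): array {
    $savePath = session_save_path() ?: ini_get('session.save_path') ?: sys_get_temp_dir();
    // With the files handler save_path may read "N;/dir" or "N;mode;/dir".
    $parts = explode(';', $savePath);
    $dir   = end($parts);
    return [
        'handler'      => ini_get('session.save_handler'),
        'save_path'    => $savePath,
        'dir_writable' => is_dir($dir) && is_writable($dir),
        'cookie_path'  => ini_get('session.cookie_path'), // must cover the app URL, e.g. "/"
        'status'       => session_status(),               // PHP_SESSION_DISABLED / NONE / ACTIVE
    ];
}

// Issue a token: it only becomes usable if PHP can persist $_SESSION.
function issueCsrfToken(): string {
    if (session_status() === PHP_SESSION_NONE && !session_start()) {
        throw new RuntimeException('session_start() failed; token cannot be stored');
    }
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Verify on the next request. If the session file was never written (save
// path not writable) or the cookie was not sent back (cookie_path too narrow),
// $_SESSION['csrf'] is absent here and the check fails with "bad csrf token".
function verifyCsrfToken(string $submitted): bool {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    return isset($_SESSION['csrf']) && hash_equals($_SESSION['csrf'], $submitted);
}

$diag = sessionDiagnostics();
header('Content-Type: text/plain');
print_r($diag);
if (!$diag['dir_writable']) {
    // Fix by giving the web server user write access to the session directory,
    // not by loosening permissions on the application tree.
    echo "Session directory is not writable by this PHP process.\n";
}
```

Compare the printed cookie_path with the URL path phpRedisAdmin is served from; a value that does not prefix that path means the browser never returns the session cookie to the delete request.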