osTicket 1.7.1.1 - New Install - Valid CSRF Token Required

[juiceman84]

Hi osTicket Devs,

I recently downloaded and installed osTicket 1.7.1.1 on the following platform/environment:

OS: Ubuntu 12.04 PHP: PHP 5.3.10-1ubuntu3.8 with Suhosin-Patch (cli) My SQL:Server version: 5.5.32-0ubuntu0.12.04.1 (Ubuntu)

I followed the setup page and got the software installed successfully, however, after I try to log in to the http:///scp with the account I created, I get "Valid CSRF Token Required".

From the community forums, it seems that there are many other users who are experiencing the same issues. If it would help with troubleshooting, I can provide SSLVPN access to the server for direct access. I just wanted to raise this issue here because I did not see any other mentioning of it in the other issues reported.

Please let me know if you have any questions about the information included in this post.

Thanks!

[greezybacon]

I think this was fixed in #707

[greezybacon]

I just cut a new release (v1.7.1.2) that hopefully addressed this issue. Would you mind updating the codebase? You can just download the new release and upload it to your server. You shouldn't need to reinstall

[juiceman84]

Hi Greezy,

Thank you for your support on this problem. I just did a git clone and downloaded the latest version (I think) to my server. I used the following command:

git clone https://github.com/osTicket/osTicket-1.7.git

Once I copied these files over my existing web server folder, I reloaded my webserver (apache2) but it still gives me the "Valid CSRF Token Required" message. I can try creating another virtual webserver and testing but I would first like to get confirmation that I have the right files in place. Do you have any code that I should look for in a particular file so I can make sure I am referencing the latest code?

Lastly, if it would help further, I can create an SSLVPN account for you to access the server directly. This is a test machine for me so you can pretty much have free reign to do what you need to do.

Thanks for your help!

~Juice

[greezybacon]

@juiceman84 we discovered yet another flaw in the ROOT_PATH detection today, which is used for cookie settings, which affects the CSRF tokens. Would you mind doing a git pull and trying yet again.

Yes, I would be interested in the SSLVPN route, as we keep running into scenarios that a difficult to replicate in our test environments.

[juiceman84]

@greezybacon I just tried to do a new pull and recopied the files over to my directory but still no bueno. I am going to create another VM and start from scratch. Once I do the clone to this one, I will let you know the results. I'm want to find someway to send you some secure credentials so you can get to the VM and do some magic. Let me know of the best way for me to get that information to you.

Thanks!

~Juice

[greezybacon]

I can email you a public ssh key if that would be sufficient

[juiceman84]

@greezybacon that will work as far as getting access to the server once you are in the SSLVPN, however I will still need to get you those creds so you can log in and get on my dev network. It would be great if I could PM you to just get your email and then I could respond back with the creds, but I do not know if github let's you do that. Are you on the osTicket forums? I can probably send you a PM on there instead.

Let me know. btw, I'm still spinning up my dev vm for this now. I will let you know if the magic happens and this can be averted.

Thanks again!

~Juice

[greezybacon]

@juiceman84 you can mail me at jared -at- osticket.com

[P00PDOG]

Greezy, we are experiencing the exact same issue, but with a different environment. We have a virtual 2k8R2 with iis already being used on port 80 and 443. I have installed wamp and am using it on port 81. I have a Bomgar appliance and can get you in to the server very quickly, and you can test to your hearts content....Let me know if you still need to test and I will email you the intrructions on how to get in....

[juiceman84]

@greezybacon I just finished setting up the latest version of osTicket on my server from scratch and it worked like a champ. I was able to login to the scp and browse around. I will gladly provide you sslvpn if you just want a dev server to kick around in, but it seems like the latest fix you put in place did the trick!

Thank you for your tireless effort!

[sabas]

@greezybacon if your aim is at path handling, I did some bit of tests with this function https://github.com/sabas/magicpath (see also the different versions in commit history)

[CypherX]

It appears that if osTicket is being used on a port other than 80 the /scp/ login process fails with "Valid CSRF Token Required". This seems to be caused by the inability to set a cookie on a domain containing a port number.

I resolved this by editing class.ostsession.php and adding:

$index = strrpos($domain, ':');
if ($index !== false)
    $domain = substr($domain, 0, $index);

before:

session_set_cookie_params(86400, ROOT_PATH, $domain,
    osTicket::is_https());

After doing so our osTicket installation on port 81 is working perfectly.

[greezybacon]

Thank you! I would propose a cleaner fix:

list($domain) = explode(':', $domain)

[greezybacon]

I mocked this up in #719

[rohibun]

i get same issue, and has solved. please check wihc osticket version, if osticket version = 1.6 ST you should upgrade to osTicket-1.7-1.7-RC4, then from osTicket-1.7-1.7-RC4 upgrade to osTicket-v1.7.1. to check wich version of osticket you can do query ' select ostversion from ost_config;'

[AlexeyDemidov]

Same issue - trying to update 1.6 ST to latest version (git clone) and getting "Valid CSRF Token Required". I don't have 'ost_session' table and clearing all cookies doesn't help. But update to version tagged v1.7-RC4 as suggested by @rohibun worked successfully. BTW, I have my osTicket installed into subdirectory (/support) without port numbers or IPs in URL but over HTTPS. Upgrade from v1.7-RC4 to 'master' failed, but to v1.7.1 worked. Further update to v1.7.1.3 required clearing all cookies in browser.

[greezybacon]

The upgrade from 1.6 was fixed in #736 and release with 1.7.1.4. Could someone verify?

[support4net]

In my case it started to work after defining session.cookie_domain = in php.ini. I tried to upgrade and failed due to CSRF , then started a fresh test install and fixed by setting that php param.

[greezybacon]

Thanks for the update. What did you set it to? What's the domain of your help desk?

Am Nov 23, 2013 um 15:52 schrieb support4net notifications@github.com:

In my case it started to work after defining session.cookie_domain = in php.ini. I tried to upgrade and failed due to CSRF , then started a fresh test install and fixed by setting that php param.

\ Reply to this email directly or view it on GitHub.

[support4net]

I've upgraded several times from version 1.6 to 1.7-18 and obviously it failed. Then I decided to go on Opensuse 13.1 with a fresh install to check the CSRF message appear as well, and it did. Thus the problem was either a setup problem of php or a compatibility issue with php. Thus I spent a while testing and failing each parameter from php.ini related to session control and I've found after a while that setting the session.cookie_domain = was a good solution.

[greezybacon]

Yes, you made it clear that you changed the setting in php.ini. My question was: what is the value you changed it to so it worked? And what is the domain you use to access the help desk in question: like support.mycompany.com?

Am Nov 24, 2013 um 13:40 schrieb support4net notifications@github.com:

I've upgraded several times from version 1.6 to 1.7-18 and obviously it failed. Then I decided to go on Opensuse 13.1 with a fresh install to check the CSRF message appear as well, and it did. Thus the problem was either a setup problem of php or a compatibility issue with php. Thus I spent a while testing and failing each parameter from php.ini related to session control and I've found after a while that setting the session.cookie_domain = was a good solution.

\ Reply to this email directly or view it on GitHub.

[support4net]

Exactly, I've set the value to session.cookie_domain = support.mycompany.com

[greezybacon]

Really? You own mycompany.com?!

I guess I'm an idiot. This isn't making any sense to me

Am Nov 24, 2013 um 14:09 schrieb support4net notifications@github.com:

Exactly, I've set the value to session.cookie_domain = support.mycompany.com

\ Reply to this email directly or view it on GitHub.

[support4net]

Sorry dude. You are not an idiot but I was just pointing that that is a suggestive setup. I don't want to turn public the hostname for security reasons. If you want I'll setup a test server and provide you access to play around.