rails / rails

Ruby on Rails
https://rubyonrails.org
MIT License

Can't verify CSRF token authenticity #21844

Closed xdougx closed 8 years ago

xdougx commented 8 years ago

I'm getting

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken)

I have this form

<form action="/backoffice/authenticate" accept-charset="UTF-8" method="post">
      <input name="utf8" type="hidden" value="✓">
      <input type="hidden" name="authenticity_token" value="0TlQiAzjEbaQ5DbVZD/P6YiUaD5XOAIGm8eHJI7XRcUeJn+cSsUnZi5iylC8ADH4DSgFI3kT1e4IxCwKHqxOrw==">
      <input type="hidden" name="authenticity_token" id="authenticity_token" value="qXz3tjhb7nlYOzqTLVwoJzhXy2gqoFWQgi5YVGP+1yhmY9iifn3Yqea9xhb1Y9Y2veumdQSLgngRLfN684XcQg==">
      <div class="form-group has-feedback">
        <input type="email" class="form-control" placeholder="Email" name="user[email]">
      </div>

      <div class="form-group has-feedback">
        <input type="password" class="form-control" placeholder="Password" name="user[password]">
      </div>

      <div class="row">
        <div class="col-xs-8">
          <div class="checkbox icheck">
            <label>
              <input type="checkbox"> Manter conectado?
            </label>
          </div>
        </div><!-- /.col -->
        <div class="col-xs-4">
          <button type="submit" class="btn btn-primary btn-block btn-flat">Logar</button>
        </div><!-- /.col -->
      </div>
</form>

The debug output shows this in params:

{"utf8"=>"✓",
 "authenticity_token"=>"qXz3tjhb7nlYOzqTLVwoJzhXy2gqoFWQgi5YVGP+1yhmY9iifn3Yqea9xhb1Y9Y2veumdQSLgngRLfN684XcQg==",
 "user"=>{"email"=>"douglas@kanamobi.com.br",
 "password"=>"[FILTERED]"}}

and this in the Toggle session dump:

_csrf_token: "36sRZGKxjah34dcM+XjsgnT8J3c2FFjwoyjm7McgKp4="

I'm stuck on it and have no idea what's going on. Can someone help?

rafaelfranca commented 8 years ago

Please use the mailing list or StackOverflow for questions/help, where a wider community will be able to help you. We reserve the issues tracker for issues only.

xdougx commented 8 years ago

After diving into the Rails code I've found something strange, @rafaelfranca. Using authenticity_token and csrf_meta_tags, I started looking at what this validation does, and I found this:

S4ZPE9yTx2fETg+2iWGU/txzfVT6HWU6auq5g4U9HDdhExU/ZjOmSx6MxVYdLwcbpoJLPkrvqyqn1KrHoHw8hw==
[the decoded token: raw binary bytes, not printable]
64
32

My authenticity_token has length 64 and AUTHENTICITY_TOKEN_LENGTH is 32. What do I need to do to solve it? I'm on Rails 4.2.4.

rafaelfranca commented 8 years ago

It is expected. What I could see is that your form has two authenticity_token fields; maybe that is the reason for the failure.

rafaelfranca commented 8 years ago

It is expected because we mask the token in the HTML to avoid the BREACH attack, but the real token size is 32 characters. Rails is also backward compatible, so unmasked tokens are also accepted.

xdougx commented 8 years ago

I already removed the second one before sending this message; I was testing the manual tag, which is why that HTML has two tokens. Back to the code: the first check in the method valid_authenticity_token is the size, but is there any way to change this token? Or to see why this token was created with length 64?

rafaelfranca commented 8 years ago

See https://github.com/rails/rails/pull/16570

xdougx commented 8 years ago

No, wait, the session is just a {}; it will never pass the validation.
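
The masking that rafaelfranca describes above, and the empty-session case in the last comment, as an added example written for this page. It is modeled on the approach Rails 4.2 took in rails/rails#16570 but is not Rails' own code: the method names, the TOKEN_LENGTH constant, the plain-Hash session and the demo values are all assumptions made here. It shows why the form token decodes to 64 bytes while the session token is 32 bytes (a fresh one-time pad is prepended and XORed in on every render, so the page body never carries the secret verbatim and BREACH has nothing stable to recover), why a 32-byte unmasked token is still accepted, and why a request arriving with an empty session can never validate: the server lazily mints a new secret and the submitted token was masked against the old one.

```ruby
require 'securerandom'
require 'base64'

# Assumed constant: size in bytes of the real token kept in the session.
# (Rails calls its own AUTHENTICITY_TOKEN_LENGTH; this file is not Rails code.)
TOKEN_LENGTH = 32

# The real token lives only in the session, stored base64-encoded; it is
# created lazily, so an empty session ({}) gets a brand-new random secret.
# Returns the raw 32 bytes.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Constant-time comparison so a verifier does not leak, via timing, how
# many leading bytes of a guessed token were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# What goes into the form: pad || (pad XOR token), 64 bytes, base64-encoded
# to 88 characters. A fresh pad per render means every response differs,
# which is the BREACH mitigation.
def masked_authenticity_token(session)
  raw_token    = real_csrf_token(session)
  one_time_pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(one_time_pad + xor_bytes(one_time_pad, raw_token))
end

# Verification: reject junk, accept a legacy unmasked 32-byte token, unmask a
# 64-byte token and compare, and reject every other length.
def valid_authenticity_token?(session, encoded_token)
  return false unless encoded_token.is_a?(String) && !encoded_token.empty?
  begin
    decoded = Base64.strict_decode64(encoded_token)
  rescue ArgumentError # not valid base64
    return false
  end

  case decoded.bytesize
  when TOKEN_LENGTH
    # Backward compatibility: an unmasked token is still accepted.
    secure_compare(decoded, real_csrf_token(session))
  when TOKEN_LENGTH * 2
    pad       = decoded[0, TOKEN_LENGTH]
    encrypted = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor_bytes(pad, encrypted), real_csrf_token(session))
  else
    false
  end
end

# Walks through the cases discussed in the issue on a constructed session.
def demo
  session = {}                                   # constructed in-memory session
  masked  = masked_authenticity_token(session)   # what the form would carry
  plain   = session[:_csrf_token]                # legacy unmasked form value

  tampered = Base64.strict_decode64(masked)
  tampered.setbyte(0, tampered.getbyte(0) ^ 0x01) # flip one bit of the pad
  tampered = Base64.strict_encode64(tampered)

  {
    session_bytes:    Base64.strict_decode64(plain).bytesize, # 32
    form_bytes:       Base64.strict_decode64(masked).bytesize, # 64, as in the report
    masked_ok:        valid_authenticity_token?(session, masked),
    unmasked_ok:      valid_authenticity_token?(session, plain),
    empty_session_ok: valid_authenticity_token?({}, masked),   # "just a {}"
    tampered_ok:      valid_authenticity_token?(session, tampered)
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The empty_session_ok entry is the situation in the last comment: if the session is not being persisted between the GET that rendered the form and the POST, the verifier mints a fresh secret and the comparison fails every time, regardless of how the form token was generated.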