Keep getting "CSRF detected!"

[todoesverso]

Hi, I wanted to give Get-Simple a try, but I keep getting the "CSRF detected!" message when I try to do edit, or create anything.

Debug mode does not help.

I took a quick look to the code and well

Code:

function check_nonce($nonce, $action, $file = ""){
                return ( $nonce === get_nonce($action, $file) || $nonce === get_nonce($action, $file, true) );
        }

This allways fail, those condition just never succeed

I'm trying to use this in sourceforge (if this help at all).

[Connie]

hi, welcome!

Pity that you start with a bad situation

1) Did you upload everything in the correct manner? Maybe delete everything and re-upload, that helped me out once

2) did you edit some of the core files or maybe edited the gsconfig.php and entered some wrong code there?

3) did you add some plugins already?

I noticed this CSRF once, and it was due to a faulty plugin ... (which I had edited myself ... )

[todoesverso]

Connie wrote:hi, welcome!

Pity that you start with a bad situation

1) Did you upload everything in the correct manner? Maybe delete everything and re-upload, that helped me out once

2) did you edit some of the core files or maybe edited the gsconfig.php and entered some wrong code there?

3) did you add some plugins already?

I noticed this CSRF once, and it was due to a faulty plugin ... (which I had edited myself ... )

I tried with v3.0 and the svn trunk, both the same resutls

I only uncommented some things in the gsconfig.php.

No plugins added.

[mikeh]

What did you uncomment in gsconfig?

[todoesverso]

mikeh wrote:What did you uncomment in gsconfig?

Just this

Code:

# Turn on debug mode
define('GSDEBUG', TRUE);

Why is there anything in gsconfig that could be causing this problem?
As far as I can tell the "nonce" thing is not wroking for me, all hashes are different.

[nitsuj]

I was just searching for the same error msg. I also simply downloaded the newest version, haven't changed anything.
After the first Login and changing my password. I then set the Website name and clicked the Use Fancy URLs. The error comes after pressing Save Settings.

Is this also what's causing your error?

[snooze]

I edited a page. I took out a Break tag, saved it and then, Boom! CSRF Detected

Now putting the Break tag back doesn't satisfy whatever is throwing the error.

[Connie]

snooze wrote:I edited a page. I took out a Break tag, saved it and then, Boom! CSRF Detected

Now putting the Break tag back doesn't satisfy whatever is throwing the error.

without an URL and more info we cannot check what happens ...

[nitsuj]

Just a quick update from my side. I tried the cms on another server and everything worked fine.
My problem was somehow related to my test server.

It's a shame that even with debug mode active the only error msg I got was "CSRF detected!"

[Connie]

nitsuj wrote:It's a shame that even with debug mode active the only error msg I got was "CSRF detected!"

Let me say first, I also do not know what it means, but:

I do not accept that "this is a shame", don't blame GS for that.

This error is not GS specific. If you do a google search, you will find a lot of systems which produce this error or where this error happens. So you could have found some explanations for that maybe I am not sure ...

I learned that this might happen when you do not save edited text in a given time, for example playing with a cat for 30 minutes and then saving the test

mostly it is related to submitting data with some ajax techniques involved, it might also be related to the cookie behaviour of the browser etc.

So, do not call it a shame! Shame is a moral category, and this here is technique! ;=)

[nitsuj]

I didn't know that it was a PHP error. I'd just searched these forums.

As I said I think it has something to do with my test server, I uploaded it to another server and everything worked fine.

[Connie]

nitsuj wrote:I didn't know that it was a PHP error. I'd just searched these forums.

As I said I think it has something to do with my test server, I uploaded it to another server and everything worked fine.

nitsuj, I just did a text search in the program files and I see that this message is in the script, always in connection with cookies

so the script uses some "tech speach"

so, as a consequence I would suggest whenever this message occurs to check the cookie-settings of the browser

Cheers, COnnie

[snooze]

Try this on for size. Previously, the site I was working on was giving me the error CSRF Detected immediately after I removed a break tag. After removing the site, all of GS 3 and beginning the site again, I once again am getting the same error. The last thing I did was remove some break tags from between some short paragraphs in order to make them list items. Hmmm.

SNZ

::Hears the haunting strains of the Twilight Zone theme::

[snooze]

Just realized: Debug won't work because the error is in the admin. Most the threads - if not all - deal with the error occurring when trying to save in the editor. The actual site is not affected since the update save was halted.

[Connie]

I ran into this error message when I was logged in the backend, changed my password in the settings, did not log out and log in, but tried to write a page

when I logged out, cleared the cache, logged in again, I could write a page and did not get that error anymore

I think this situation is very common to many users ...

[Aron]

Have the same issue, but after I CHMOD'd gsconfig.php to 755, the issue hasn't popped up again. I'd like to see some testing on this so we can figure out, definitively, why it happens. My customer got this after every (attempt) to save; I got it after reinstalling and changing the admin password from within the control panel.

[ccagle8]

I am very interested in finding out what might be causing this as well. In 3.1 I just updated the code to turn "off" CSRF protection via gsconfig.php, but I would prefer to fix the issue than have people turning it off.

Unfortunately I can't troubleshoot the problem because i am not getting the error message with csrf.

[snooze]

Info update

In my issue reported in item #13 and 14 above, I had to be away shortly after the error showed up. When Ii returned ~2 hours later, all was fine as if nothing untoward had happened. Would this be evidence for a server environment cause?

For Aron: My gsconfig.php is 755 by default.

Chris: My remote host is logging the following persistent error in the site root - over and over several times an hour. Possibly related?

Quote:[27-Apr-2011 10:07:00] PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20060613/php_curl.dll' - /usr/local/lib/php/extensions/no-debug-non-zts-20060613/php_curl.dll: cannot open shared object file: No such file or directory in Unknown on line 0

[ccagle8]

i dont think it's related since the CSRF protection doesnt use Curl. Take a look here: http://forums.theplanet.com/index.php?showtopic=90796

[snooze]

ccagle8 wrote:i dont think it's related since the CSRF protection doesnt use Curl. Take a look here: http://forums.theplanet.com/index.php?showtopic=90796

Well, the DLL was active in the php.ini. I commented it but the error log still is reporting the error. I'll check with the hosting company.

[Aron]

Is there any way to disable CSRF protection without needing the 3.1 update? And what does CSRF protection do exactly?

[ccagle8]

no, it was quite a bit of coding to be able to turn it off. You might be able to mess with the function within /admin/inc/nonce.php though to make it always return a "true"

Look up CSRF in Google... it can better explain it than i can... Sorry for any inconvenience here.

[SamWM]

I'm also getting 'CSRF Detected' whenever I edit a page as well, even if I clear everything in the rich text box. Only solution for me seems to be to edit the code so it always returns true. Running Windows Server 2008.

What's strange is that it worked a few months ago...

[ccagle8]

samWM - are you willing to give the newest SVN code a try to see if my "turning off of CSRF" via the gsconfig file works?

[SamWM]

Turning off CSRF via gsconfig.php does work when using SVN version.

Also found what is probably the cause of the error... my IP address can occasionally change (depending on which internet gateway I am going through). Since the IP address is used to generate the nonce, then the CSRF error occurs if it ever changes.

Perhaps other people who have this issue belong to a large network where they go through various proxies and gateways to connect to the internet and it changes since you connect through the one with the most capacity available. It would also explain why you can't replicate the problem.

Since it is for preventing cross site scripting attacks, maybe the nonce could use something unique on the server? A server variable like

Code:

$_SERVER["SCRIPT_FILENAME"]

which will be unique for each website and can't be retrieved without having direct access to the server