Posts: 48
Threads: 3
Joined: Feb 2016
2016-02-23, 18:38:27
(This post was last modified: 2016-02-24, 04:57:19 by Charpy1. Edit Reason: spelling)
Hello, I experienced something that I want to share with you.
I was editing a page, and when I clicked on "Save the Page", something went wrong: I just had a blank page with this sentence:
CSRF detected!
It seems, from a quick search, that this means "Cross-site request forgery", a type of attack. I think that this occurred because I had many different tabs open; I'm not sure, but I may even have had several tabs editing this page... ^^'
Anyway, the page hasn't been saved, so I could have lost all my work...
By chance, I'm using a Firefox plugin (called Lazarus, but there are others like it) which recovers all text fields if something goes wrong.
I think that GS could return the text field when this error occurs, so the user can copy/paste the text and doesn't lose his work.
Have a good day!
__
Contact me if you need a french translation file for your plugin.
Posts: 538
Threads: 12
Joined: May 2013
(2016-02-23, 18:38:27)Charpy1 Wrote: I think that GS could return the text field when this error occurs, so the user can copy/paste the text and doesn't lose his work.
Why don't you use the standard toolbar buttons of your browser, then click Back, and see what happens?
Posts: 6,266
Threads: 181
Joined: Sep 2011
This happens when your nonce times out, to prevent old pages from being replayed or sent later. So maybe the page expired. This should not normally happen unless the page was open for hours, or something changed which could indicate a problem. Let us know if it happens repeatedly. You can also disable this in gsconfig.
Posts: 120
Threads: 22
Joined: Dec 2015
2016-02-24, 01:57:14
(This post was last modified: 2016-02-24, 01:59:21 by jwzumwalt.)
(2016-02-23, 18:38:27)Charpy Wrote: CSRF detected!
I also have this happen once or twice in a 6-10 hour period of intensely editing my GS site.
Here is what is happening:
"CSRF is an attack that tricks the victim into submitting a malicious request. Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated."
1) At the very least, the browser has made a mistake or corrupted the request being sent to the server, and the server thinks your browser has been hijacked. This might happen with something as simple as a corrupt CRC checksum error.
2) At the worst, you have a rogue program that is adding material to what your browser is sending from your computer, or, outside your computer, a sniffer program has edited packets of information you have sent.
If this is an actual malicious attack, this type of attack can only send information; it has no way of receiving information, so what it will do is send a link to be clicked on or something like that. (This is what the server thinks is happening, so it refuses the page you just sent.)
Workaround
My experience has been that if this error occurs you will lose all of your edited material. So, if I have done extensive editing, I first copy the whole page to the clipboard by doing this: I switch to [source] view, do a ctrl-a (select all), then ctrl-c (copy), then hit the send/update button. If the error occurs, hit the back button, go to [source] view, press ctrl-a (select all), ctrl-v (paste) and hit send/update again.
Thanks,
jwzumwalt
(\__/)
(='.'=)
(")_(")
Posts: 538
Threads: 12
Joined: May 2013
2016-02-24, 02:12:59
(This post was last modified: 2016-02-24, 02:30:09 by Bigin.)
(2016-02-24, 01:57:14)jwzumwalt Wrote: Workaround
My experience has been that if this error occurs you will lose all of your edited material. So, if I have done extensive editing, I first copy the whole page to the clipboard by doing this: I switch to [source] view, do a ctrl-a (select all), then ctrl-c (copy), then hit the send/update button. If the error occurs, hit the back button, go to [source] view, press ctrl-a (select all), ctrl-v (paste) and hit send/update again.
All this is not really necessary; your browser caches all field values automatically. That is why I wrote about the "Back" button.
Posts: 120
Threads: 22
Joined: Dec 2015
2016-02-24, 03:06:28
(This post was last modified: 2016-02-24, 03:07:25 by jwzumwalt.)
(2016-02-24, 02:12:59)Bigin Wrote: All this is not really necessary; your browser caches all field values automatically. That is why I wrote about the "Back" button.
I do not know what happens with your system, but on mine, "back" does not return to the "edited" page. It reverts to the "old" unedited page. So, the above process is necessary.
Thanks,
jwzumwalt
(\__/)
(='.'=)
(")_(")
Posts: 6,266
Threads: 181
Joined: Sep 2011
Most of that is wrong. This is GS's CSRF detection; it has nothing to do with an actual CSRF or server or browser interception.
It simply means that the nonce we sent on the page has expired or no longer matches the one we generate. A nonce is not really a nonce in GS, since we use stateless sessions, but is calculated based on some predictable stuff. (A nonce is a use-once token, to prevent action replays or hijacks; ours is not really a nonce but a nonce good for 1-2 hours.)
$hash=sha1($action.$file.$uid.$USR.$SALT.$time);
If your HTTP user agent changes in between, it breaks; if your php_self is calculated wrong, it breaks; if it expires after 1-2 hours, it breaks.
I have an issue open to deal with this in a somewhat better manner, to at least not lose data.
https://github.com/GetSimpleCMS/GetSimpl...ssues/1014
and there are also some fixes in 3.4, such as settable timeouts etc.
Browsers are good at preserving textareas, but CKEditor and other JS stuff is sometimes lost.
It might be easier to just turn this off if you encounter it, or are rapidly developing, or are local and do not care, or have enhanced IP restrictions in Apache, for example.
In gsconfig.php:
# Turn off CSRF protection. Uncomment this if you keep receiving the error message "CSRF error detected..."
#define('GSNOCSRF', TRUE);
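To make the failure modes shawn_a lists concrete, here is an added illustration (not GetSimple's own code) of a time-bucketed token in the style of the sha1 line above: the hash is rebuilt from the same inputs at verification time, so any input that differs (a changed user agent, or a timestamp that has moved on to a later window) produces a different digest and the submission is rejected. The function names, the one-hour window, the salt and the timestamps are all assumptions constructed for this example.

```php
<?php
// Added example, not GetSimple's own code: a simplified reconstruction of a
// time-bucketed "nonce" of the kind shawn_a describes. It shows why the
// check fails when the user agent changes or the time window passes.
// Names, window length, salt and timestamps are constructed assumptions.

const NONCE_WINDOW_SECONDS = 3600;            // assumed 1-hour bucket ("good for 1-2 hours")
const NONCE_SALT = 'constructed-salt-value';  // placeholder only, never reuse in production

// Build the token. Every input must be identical when the token is verified.
function make_nonce(string $action, string $file, string $userAgent, string $user, int $now): string
{
    $bucket = intdiv($now, NONCE_WINDOW_SECONDS);   // coarse time bucket, not the raw timestamp
    return sha1($action . $file . $userAgent . $user . NONCE_SALT . $bucket);
}

// Accept the current bucket and the previous one, so a token issued near the
// end of a window stays valid for a while (hence "1-2 hours" rather than exactly 1).
function check_nonce(string $nonce, string $action, string $file, string $userAgent, string $user, int $now): bool
{
    foreach ([0, NONCE_WINDOW_SECONDS] as $back) {
        $expected = make_nonce($action, $file, $userAgent, $user, $now - $back);
        if (hash_equals($expected, $nonce)) {   // constant-time comparison
            return true;
        }
    }
    return false;
}

// Constructed scenario: a token issued at $t0 and submitted under different conditions.
$t0    = 1456250000;   // constructed epoch timestamp
$ua    = 'Mozilla/5.0 (constructed UA)';
$token = make_nonce('edit', 'index.xml', $ua, 'admin', $t0);

$cases = [
    'same browser, a minute later'   => [$ua,                         $t0 + 60],
    'user agent changed mid-session' => ['Mozilla/5.0 (other UA)',    $t0 + 60],
    'submitted after the window'     => [$ua,                         $t0 + 3 * NONCE_WINDOW_SECONDS],
];

foreach ($cases as $label => [$agent, $when]) {
    $ok = check_nonce($token, 'edit', 'index.xml', $agent, 'admin', $when);
    printf("%-32s => %s\n", $label, $ok ? 'accepted' : 'CSRF detected!');
}
```

Run with `php nonce_demo.php`: the first case is accepted, the other two are rejected, which is exactly the "CSRF detected!" page reported at the top of the thread. Because the token is derived from predictable inputs plus a coarse time bucket rather than from a per-form random value stored server-side, it is a replay window rather than a true single-use nonce, which is the trade-off shawn_a points out for a stateless session design.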
Posts: 120
Threads: 22
Joined: Dec 2015
2016-02-24, 04:02:48
(This post was last modified: 2016-02-24, 04:15:35 by jwzumwalt.)
(2016-02-24, 03:15:32)shawn_a Wrote: Most of that is wrong. This is GS's CSRF detection; it has nothing to do with an actual CSRF or server or browser interception.
It simply means that the nonce we sent on the page has expired or no longer matches the one we generate. A nonce is not really a nonce in GS, since we use stateless sessions, but is calculated based on some predictable stuff. (A nonce is a use-once token, to prevent action replays or hijacks; ours is not really a nonce but a nonce good for 1-2 hours.)
... Thank you for the additional information.
However, it has happened to me following a recent edit, so at least it does not appear to always be a timeout... I do on occasion have lengthy editing sessions where I am researching material, so those occasions may be a timeout. I am going to disable it for a while and see what happens. If something is being injected, it should be immediately recognizable. (I might add, GS is the only program that has ever given me this error.)
It appears there is a bug, but given the stellar performance and stability of GS I don't care - I am very happy with it.
Thanks,
jwzumwalt
(\__/)
(='.'=)
(")_(")
Posts: 48
Threads: 3
Joined: Feb 2016
Thanks all for these clarifications, especially shawn_a!
Bigin, I know very well about the browser cache for the text fields. It works all the time... except when you really need it to work.
That's why I recommend "Lazarus" or "Text Area Cache", which are good plugins that do a very good job as textarea content savers. There may be other plugins like these, but I know only these two. I recommend them to you, jwzumwalt, so you won't need to remember to copy your content anymore!
__
Contact me if you need a french translation file for your plugin.
Posts: 538
Threads: 12
Joined: May 2013
I'm not sure all browsers behave the same way, but it doesn't matter; whether a CKEditor or a textarea, when I click the Back button (sometimes multiple clicks are necessary) it will reload the page from the browser cache. That is the browser's default behavior: to naturally cache pages. But when you want to be sure to explicitly grab pages from the cache, which is natural when someone is filling out a form, you could for instance try forcing pragma-cache in the header as follows:
Code:
header("Content-Type: text/html; charset=UTF-8");
header("Cache-Control: max-age=400, public, s-maxage=400");
header("Pragma: ");
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 400) . ' GMT');
Here is a link for more info: http://www.sitepoint.com/caching-php-performance/
Posts: 6,266
Threads: 181
Joined: Sep 2011
Posts: 120
Threads: 22
Joined: Dec 2015
(2016-02-24, 07:19:22)Bigin Wrote: Code:
header("Content-Type: text/html; charset=UTF-8");
header("Cache-Control: max-age=400, public, s-maxage=400");
header("Pragma: ");
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 400) . ' GMT');
So where should this code be added?
Thanks,
jwzumwalt
(\__/)
(='.'=)
(")_(")
Posts: 538
Threads: 12
Joined: May 2013
Oh sorry, I forgot to mention that: this can and should only be done by a core developer, and the code is for information purposes only. I have just replied to shawn_a's comment above.
Posts: 6,266
Threads: 181
Joined: Sep 2011
Word of advice: never allow caching on edit pages; you will wind up editing old versions of a page and lose stuff.
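As an added illustration of the two positions in this thread (not code from GetSimple or from either poster), the following puts Bigin's short public cache beside the headers an edit page should send instead. The helper name and the admin-path check are assumptions for the example.

```php
<?php
// Added example, not GetSimple's own code. Contrasts the cacheable headers
// Bigin posted (fine for public, read-only pages) with the no-store headers an
// edit form should send so that Back/reload never resurrects a stale copy.
// The function name and the admin-path routing check are assumptions.

function send_cache_headers(bool $isEditPage): void
{
    header('Content-Type: text/html; charset=UTF-8');

    if ($isEditPage) {
        // Edit forms carry a time-limited token and the user's unsaved work:
        // forbid storing the response in the browser, proxies or a CDN, so a
        // stale copy (with an expired token) is never re-submitted later.
        header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
        header('Pragma: no-cache');   // legacy HTTP/1.0 clients and proxies
        header('Expires: 0');
        return;
    }

    // Public, read-only pages: the short shared cache from Bigin's snippet.
    header('Cache-Control: max-age=400, public, s-maxage=400');
    header('Pragma: ');
    header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 400) . ' GMT');
}

// Assumed routing: anything under /admin/edit is an edit page (constructed path).
$requestPath = $_SERVER['REQUEST_URI'] ?? '/';
$isEditPage  = strpos($requestPath, '/admin/edit') === 0;
send_cache_headers($isEditPage);
```

Note the trade-off with the earlier discussion about the Back button: `no-store` also tends to exclude a page from the browser's back-forward cache, so recovering a form by pressing Back becomes less reliable on edit pages. That is the argument for a client-side autosave (the textarea-saving plugins Charpy1 mentions) rather than for relaxing the cache headers.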
Posts: 120
Threads: 22
Joined: Dec 2015
(2016-02-24, 03:15:32)shawn_a Wrote: ...
in gsconfig.php
# Turn off CSRF protection. Uncomment this if you keep receiving the error message "CSRF error detected..."
#define('GSNOCSRF', TRUE);
I have tried this for about a month now, and all my problems went away - no more lost pages.
Thanks,
jwzumwalt
(\__/)
(='.'=)
(")_(")