Tuesday, April 22, 2014

Re: BUg in 2.5 ? database session blows up csrf checks (Cakephp 2.5.0-RC1 )

Thanks Mark

What debug data should i supply to confirm above issue?




On Tuesday, 22 April 2014 03:35:51 UTC+1, mark_story wrote:
I just checked locally on a new copy of CakePHP 2.5.0, and wasn't able to reproduce the issue.

I used a baked MVC, SecurityComponent and set 'defaults' => 'database' in core.php for the session setup.

-Mark

On Friday, 18 April 2014 18:09:23 UTC-4, Mandar P wrote:
Any one have any idea how to fix this issue ?

Thanks,
Mandar



On Thursday, 17 April 2014 15:27:26 UTC+1, Mandar P wrote:
Hi,

Im using 2.5 to build simple crud application with csrf enabled.

When using php based sessions everything works fine but changing it to database sessions csrf black-hole occurs on edit form submission. Please note that add form works absolutely fine irrespective of php/db based session.

Looking at request and session data i found that SecurityComponent::_validateCsrf() method fails as data passed in $controller->request->data('_Token.key') is not found in data read from $this->Session->read('_Token')

I think  :

1> either session is not being updated correctly with token key value when form is created

or

2> request data is tampered before it reaches security component

I suspect problem is no.1 as forms work correctly when php based sessions are used.

Im also using debugkit and passwordHasher => Blowfish in app controller

Any one have any ideas?

Thanks,
Mandar

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+unsubscribe@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.

No comments: