Invalid CSRF token in nearly fresh installation

A place to report and discuss bugs - please mention CMSimple-version, server, platform and browser version
Post Reply
beate_r
Posts: 172
Joined: Thu May 22, 2008 11:44 pm
Location: Hessen / Germany

Invalid CSRF token in nearly fresh installation

Post by beate_r » Sat Dec 13, 2014 7:45 pm

After quite a while something form me:

today i tried a fresh installation of CMSimple_XH v. 1.6.4. I changed the default language in config.php to "de" and edited the content.htm to some simple plain html text - just a H1 and a P section.

Then i logged in and tried to reset the password. By saving i obtained an "Invalid CSRF token" error message.


During summer i reinstalled two sites after a server crash. One - www.marga-andres.de - is based on XH 1.6.2. During that install the above procedure worked just fine.

My current workaround was therefore to copy over the config.php of www.marga-andres.de to the new site. I could login and change the password to the one i wanted.
Why does this happen? Is there something wrong with 1.6.4?

cmb
Posts: 13274
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: Invalid CSRF token in nearly fresh installation

Post by cmb » Sun Dec 14, 2014 12:35 pm

Since CMSimple_XH 1.6 there is a protection against CSRF attacks built in the core, and apparently the CSRF token could not be stored in the session. This can have several reasons, amongst them one of the included files containing a BOM, or otherwise outputting something (e.g. due to whitespace after the closing ?> at the end of the file).

If the error message occurs again, I suggest you have a look at the system check (Settings -> Info -> System Check); the last item reports if there is a BOM. Furthermore you should enable the debug mode (this might report "headers already sent" including the place where the output has been started).

To verify that everything is okay after applying your workaround, it's best to delete all cookies, and to try to save something in CMSimple_XH's back-end. If that works without the error message being shown, fine; otherwise you'll want to go through the procedure noted above.
Christoph M. Becker – Plugins for CMSimple_XH

Post Reply