Symfony2: Invalid CSRF token while remember me authentication
I have an application written in Symfony 2.8.11 and FOSUserBundle 2.0.0-beta1. Users can connect to the site via VPN or basic auth. Mostly they use Internet Explorer 11 on Windows 7. Some of them are experiencing an "Invalid CSRF token" issue in random forms inside the site. The problem is that users can't submit the form, even after refreshing the page a few times.

I suspect that the problem is caused by the session being continuously refreshed; from the logs:

{
    "created":1483610056, 
    "lastUsed":1483610056
} ["csrf","session_times"] []

Further, I suspect that it is caused by authentication via the remember-me token (every affected request was authenticated by that token):

[2017-01-05 10:54:16] security.DEBUG: Remember-me cookie detected. [] []
[2017-01-05 10:54:16] security.INFO: Remember-me cookie accepted. [] []
[2017-01-05 10:54:16] security.DEBUG: Populated the token storage with a remember-me token. [] []

My security config:

...
main:
    pattern: ^/
    form_login:
        provider: fos_userbundle
        csrf_token_generator: security.csrf.token_manager
        # if you are using Symfony < 2.8, use the following config instead:
        # csrf_provider: form.csrf_provider
    logout:       true
    anonymous:    true
    remember_me:
        name: "%session_cookie_remember_name%"
        domain: "%session_cookie_domain%"
        key:      "%secret%"
        lifetime: 604800
        path:     /
    switch_user: true
...

Is it possible that the session restarts every time a page is loaded and remember-me authenticates it? Is it a bug or correct behavior? How can I get rid of the invalid CSRF token issue?

Full logs from one page request when the issue occurred:

[2017-01-05 10:54:16] request.INFO: Matched route "fos_user_profile_show". 
{
    "route_parameters":{
    "_controller":"AppBundle\\Controller\\ProfileController::showAction",
    "lang":"pl",
    "_route":"fos_user_profile_show"
    },
    "request_uri":"..."
} []
[2017-01-05 10:54:16] security.DEBUG: Remember-me cookie detected. [] []
[2017-01-05 10:54:16] security.INFO: Remember-me cookie accepted. [] []
[2017-01-05 10:54:16] security.DEBUG: Populated the token storage with a remember-me token. [] []
[2017-01-05 10:54:16] app.DEBUG: 
{
    "USER":"www-data",
    "HOME":"\/var\/www",
    "HTTP_COOKIE":"safeId=51081905; nlPopup=shown; cookieInfo=1; __cfduid=d7b03b629331902c712642a374b52b3711476715148; auth=1a2dd1f7a8b16bf7d31988bf968748b5; VMREMEMBERME=QXBwQnVuZGxlXEVudGl0eVxVc2VyOmMydHNaWEF6TkRKQVluSmhibVJpY1M1d2JBPT06MTQ4NDA1MjAxNzoyODM1NWViMThkN2EwMDQ2MGUzNzVmNzg4ZGYwYWE2NzliNTcwOGJiY2E4ZDk0ZGE4YzJhZTFmZTRlMThlMjhh; VMSESSID=4oupq2fgt72vc8lnqff0g9op44",
    "HTTP_CONNECTION":"Keep-Alive",
    "HTTP_DNT":"1",
    "HTTP_HOST":"sub.domain.com",
    "HTTP_ACCEPT_ENCODING":"gzip, deflate",
    "HTTP_USER_AGENT":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko",
    "HTTP_ACCEPT_LANGUAGE":"pl-PL",
    "HTTP_ACCEPT":"text\/html, application\/xhtml+xml, *\/*",
    "SCRIPT_FILENAME":"\/data\/www\/project\/web\/app.php",
    "REDIRECT_STATUS":"200",
    "SERVER_NAME":"sub.domain.com",
    "SERVER_PORT":"80",
    "SERVER_ADDR":"x.x.x.x",
    "REMOTE_PORT":"x",
    "REMOTE_ADDR":"x.x.x.x",
    "SERVER_SOFTWARE":"nginx\/1.10.0",
    "GATEWAY_INTERFACE":"CGI\/1.1",
    "REQUEST_SCHEME":"http",
    "SERVER_PROTOCOL":"HTTP\/1.1",
    "DOCUMENT_ROOT":"\/data\/www\/project\/web",
    "DOCUMENT_URI":"\/app.php",
    "REQUEST_URI":"...",
    "SCRIPT_NAME":"\/app.php",
    "CONTENT_LENGTH":"",
    "CONTENT_TYPE":"",
    "REQUEST_METHOD":"GET",
    "QUERY_STRING":"...",
    "FCGI_ROLE":"RESPONDER",
    "PHP_SELF":"\/app.php",
    "REQUEST_TIME_FLOAT":1483610056.9177,
    "REQUEST_TIME":1483610056
} ["csrf","server"] []
[2017-01-05 10:54:16] app.DEBUG: 
{
    "safeId":"51081905",
    "nlPopup":"shown",
    "cookieInfo":"1",
    "__cfduid":"d7b03b629331902c712642a374b52b3711476715148",
    "auth":"1a2dd1f7a8b16bf7d31988bf968748b5",
    "VMREMEMBERME":"QXBwQnVuZGxlXEVudGl0eVxVc2VyOmMydHNaWEF6TkRKQVluSmhibVJpY1M1d2JBPT06MTQ4NDA1MjAxNzoyODM1NWViMThkN2EwMDQ2MGUzNzVmNzg4ZGYwYWE2NzliNTcwOGJiY2E4ZDk0ZGE4YzJhZTFmZTRlMThlMjhh",
    "VMSESSID":"4oupq2fgt72vc8lnqff0g9op44"
} ["csrf","cookies"] []
[2017-01-05 10:54:16] app.DEBUG: 
{
    "cookie":[
        "safeId=51081905; nlPopup=shown; cookieInfo=1; __cfduid=d7b03b629331902c712642a374b52b3711476715148; auth=1a2dd1f7a8b16bf7d31988bf968748b5; VMREMEMBERME=QXBwQnVuZGxlXEVudGl0eVxVc2VyOmMydHNaWEF6TkRKQVluSmhibVJpY1M1d2JBPT06MTQ4NDA1MjAxNzoyODM1NWViMThkN2EwMDQ2MGUzNzVmNzg4ZGYwYWE2NzliNTcwOGJiY2E4ZDk0ZGE4YzJhZTFmZTRlMThlMjhh; VMSESSID=4oupq2fgt72vc8lnqff0g9op44"
    ],
    "connection":[
        "Keep-Alive"
    ],
    "dnt":[
        "1"
    ],
    "host":[
        "sub.domain.com"
    ],
    "accept-encoding":[
        "gzip, deflate"
    ],
    "user-agent":[
        "Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko"
    ],
    "accept-language":[
        "pl-PL"
    ],
    "accept":[
        "text\/html, application\/xhtml+xml, *\/*"
    ],
    "content-length":[
        ""
    ],
    "content-type":[
        ""
    ],
    "x-php-ob-level":[
        1
    ]
} ["csrf","headers"] []
[2017-01-05 10:54:16] app.DEBUG: [] ["csrf","session"] []
[2017-01-05 10:54:16] app.DEBUG: 
{
    "created":1483610056,
    "lastUsed":1483610056
} ["csrf","session_times"] []
[2017-01-05 10:54:16] app.DEBUG: 
{
    "name":"xxx",
    "address":"xxx",
    "city":"xxx",
    "phoneNumber":"xxx",
    "lang":"xx",
    "save":"",
    "_token":"ms-TX5_Du6lh3BqV2RB2CvQaEJ8WzuPBCeduAJox3ik"
} ["csrf","data"] []
[2017-01-05 10:54:16] security.DEBUG: Stored the security token in the session. {"key":"_security_main"} []
Disciple answered 5/1, 2017 at 10:44 Comment(7)
Maybe it has something to do with the browser cache for the page of the form? (Sells)
But why is the session always 'fresh' (last used time = created time)? (Disciple)
I get the feeling that the session with the token is created multiple times, and that the session is overwritten? Does this problem only happen when someone authenticates via remember-me? (Sells)
Yes, it seems that this happens only when authentication was done by remember-me. I have similar suspicions about the override of the session. The question is why the application is behaving this way? I think this can't be normal behavior (users receive an invalid token error even after refreshing the page a few times). (Disciple)
Well, it's almost certain there's a conflict between sessions. Also this is a big disadvantage of using a huge framework, and not knowing what exactly plays under the hood. Unless you are not using the framework/components/plugins correctly, it can be a conflict caused by the different vendor software. Without real understanding of the code (probably a lot of code), and the correct usage and configuration of that all, it's not easy to solve your problem. Does FOSUserBundle perhaps have a separate CSRF protection from Symfony forms? (Sells)
Do you have more user providers? If so, maybe it will help to specify the user provider for the remember-me part. Just guessing. (Unburden)
Do users get a 400 error? Can you post logs? (Krilov)

I got your point; sometimes this happens due to the CSRF generator. You have to change your config.yml file and comment out the csrf generator line, e.g.

...
main:
    pattern: ^/
    form_login:
        provider: fos_userbundle
        #csrf_token_generator: security.csrf.token_manager
        # if you are using Symfony < 2.8, use the following config instead:
        # csrf_provider: form.csrf_provider
    logout:       true
    anonymous:    true
    remember_me:
        name: "%session_cookie_remember_name%"
        domain: "%session_cookie_domain%"
        key:      "%secret%"
        lifetime: 604800
        path:     /
    switch_user: true
...

Now there is no condition for the CSRF token.

Stuart answered 13/1, 2017 at 6:54 Comment(0)
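Added example (not code from the question, the answer, Symfony or FOSUserBundle): a Python model of how Symfony's session-backed CSRF token storage behaves when the session handling the POST is a brand-new one, which is the pattern the question's `["csrf","session_times"]` (created == lastUsed) and empty `["csrf","session"]` log lines show. The class names, the `_csrf/` namespace and the `_security_main` session key are modelled on Symfony's behaviour; the session objects, token ids and the `authentication_source` helper are constructed for the demonstration.

```python
import hmac
import secrets
import time


class Session:
    """Minimal model of a PHP session as Symfony sees it: an id, timing metadata
    and a key/value bag. A brand-new session has created == last_used and no data."""

    def __init__(self):
        self.id = secrets.token_hex(13)  # constructed; same shape as the VMSESSID value
        self.created = int(time.time())
        self.last_used = self.created
        self.data = {}

    def is_fresh(self):
        # The pattern in the question's session_times / session log lines
        return self.created == self.last_used and not self.data


class SessionCsrfTokenManager:
    """Models Symfony's CsrfTokenManager backed by SessionTokenStorage: the secret
    for each token id is kept in the session, so it is only as durable as the session."""

    NAMESPACE = "_csrf/"

    def __init__(self, session):
        self.session = session

    def generate_token(self, token_id):
        key = self.NAMESPACE + token_id
        if key not in self.session.data:
            self.session.data[key] = secrets.token_urlsafe(32)
        return self.session.data[key]

    def is_token_valid(self, token_id, submitted):
        stored = self.session.data.get(self.NAMESPACE + token_id)
        if stored is None:
            return False  # nothing to compare against: "Invalid CSRF token"
        return hmac.compare_digest(stored, submitted)


def authentication_source(session, remember_me_cookie_present):
    """Hypothetical helper: which mechanism the firewall ends up using. A security
    token already stored in the session wins; otherwise the remember-me cookie is
    consulted, which is what the 'Remember-me cookie detected' log lines show."""
    if "_security_main" in session.data:
        return "session"
    if remember_me_cookie_present:
        return "remember-me"
    return "anonymous"


def render_form(session):
    """GET: the form embeds the token and the same value is stored in the session."""
    return SessionCsrfTokenManager(session).generate_token("profile")


def submit_form(session, submitted_token):
    """POST: the hidden _token field is checked against the session copy."""
    return SessionCsrfTokenManager(session).is_token_valid("profile", submitted_token)


def healthy_flow():
    """Same session on GET and POST: the token validates and the user comes from the session."""
    s = Session()
    s.data["_security_main"] = "serialized security token (constructed)"
    token = render_form(s)
    return authentication_source(s, True), submit_form(s, token)


def fresh_session_flow():
    """The failure in the question: the POST arrives with a session that has no data
    (created == lastUsed), so the firewall falls back to remember-me and the CSRF
    secret stored at render time is gone. Remember-me is the symptom, not the cause."""
    s_get = Session()
    s_get.data["_security_main"] = "serialized security token (constructed)"
    token = render_form(s_get)
    s_post = Session()  # constructed: session contents did not survive between requests
    return s_post.is_fresh(), authentication_source(s_post, True), submit_form(s_post, token)


def forged_token_flow():
    """What the check exists for: a token never issued to this session is rejected."""
    s = Session()
    render_form(s)
    return submit_form(s, secrets.token_urlsafe(32))


if __name__ == "__main__":
    print("healthy:", healthy_flow())
    print("fresh session on POST:", fresh_session_flow())
    print("forged token:", forged_token_flow())
```

The `fresh_session_flow` case reproduces the logged pattern: with no data in the session there is no `_security_main` entry, so the firewall falls back to the remember-me cookie, and the CSRF secret stored when the form was rendered no longer exists, so any submitted `_token` is rejected no matter how often the page is refreshed. That points the investigation at why the session is not persisting between requests (session save handler and its storage, session cookie domain and path, or a session regeneration on each request) rather than at remember-me itself. Note also that `form_login.csrf_token_generator`, the line the answer comments out, only governs the CSRF check on the login form; the profile form's `_token` seen in the logs is checked by the Form component against the same session storage, so keeping the session stable restores both checks without giving up CSRF protection on login.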
