Cross Site Request Forgery (XSRF) aimed at you?

quince
Posts: 2
Joined: Sat Mar 11, 2006 8:06 am

Cross Site Request Forgery (XSRF) aimed at you?

Post by quince »

I'm getting this error:
Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.
It occurs when I try to create anything in my admin area, except when I add entries, which it allows.

Does any one have a fix for this issue?

Thanks for the help!
Quince
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Cross Site Request Forgery (XSRF) aimed at you?

Post by garvinhicking »

Hi!

This XSRF protection can cause problems if your browser does not submit an HTTP Referer string, or you are using a proxy that is filtering it. Or your PHP sessions are not properly installed.

Can you check that?

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
quince
Posts: 2
Joined: Sat Mar 11, 2006 8:06 am

Post by quince »

The sessions on the server are working fine. I used them for a custom flash login last month.

How would I check for the proxy and HTTP referer info?

I have tried this in both IE and Firefox.

Is there a way to turn off the XSRF check?

Thanks!
Quince
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Please check what your PHP session settings are in the output of a <?php phpinfo(); ?> script. It might be that your session.domain setting is set to a different domain than the one your blog is running on?

You can check if the PHP sessions are working if you login to the backend WITHOUT checking the "remember me" button?

About the proxy: You should know if you need to connect to the internet by using a HTTP proxy? Did you set that up in your browser?

If it fails in both IE AND Firefox, the HTTP referrer issue is out of the question and it should be related to proxy or session issues.

It could also be some aggressive Internet-Antivirus software that transforms HTTP calls; are you using any extra software on your system?

About disabling the XSRF detection: There is no option for that, but you could edit your include/functions_config.inc.php file and search for the serendipity_checkXSRF() function. After

    global $serendipity;

you could just insert

    return false;

to bypass all checks.

Regards,
Garvin
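The check that produces the error quoted at the top of this thread is a Referer comparison, so it fails whenever the browser or a proxy sends no Referer at all. The following is an added example written for this thread, not Serendipity's own serendipity_checkXSRF(): it shows such a Referer check next to a session-token check that keeps working when the header is stripped, which is the usual alternative to removing the check altogether. All function names, the host name blog.example and the sample requests are made up.

```php
<?php
// Added example for this thread, not Serendipity's serendipity_checkXSRF():
// a Referer-based XSRF check of the kind the error message describes, next to
// a session-token check that does not depend on the browser sending a Referer.
// All function names, the host name blog.example and the sample requests are made up.

// Does a state-changing request appear to originate from our own site?
// $referer is the raw Referer header ('' when the browser or a proxy stripped it);
// $ownHost is the host name the blog is served from.
function referer_matches_host(string $referer, string $ownHost): bool {
    if ($referer === '') {
        return false; // no header at all: the case the forum error reports
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ownHost) === 0;
}

// Synchronizer token: one random secret per session, embedded as a hidden field
// in every admin form and compared on submission. Unaffected by proxies that
// filter the Referer header, which is why it is preferred over disabling the check.
function issue_csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_token_valid(array $session, $submitted): bool {
    if (empty($session['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted); // constant-time compare
}

// Combined policy: a form that carries a token is judged by the token alone;
// a legacy form without one falls back to the Referer check. The returned
// string is meant for the server log so operators can tell the two cases apart.
function check_request(array $session, array $post, string $referer, string $ownHost): string {
    if (array_key_exists('csrf_token', $post)) {
        return csrf_token_valid($session, $post['csrf_token']) ? 'ok:token' : 'deny:bad-token';
    }
    return referer_matches_host($referer, $ownHost) ? 'ok:referer' : 'deny:missing-or-foreign-referer';
}

// Constructed sample requests (not captured traffic).
$session = [];
$token   = issue_csrf_token($session);
$cases   = [
    ['post' => ['csrf_token' => $token], 'ref' => ''],                           // token, no Referer
    ['post' => ['csrf_token' => 'nope'], 'ref' => 'https://blog.example/admin'], // wrong token
    ['post' => [],                       'ref' => 'https://blog.example/admin'], // legacy form, own site
    ['post' => [],                       'ref' => ''],                           // legacy form, Referer stripped
    ['post' => [],                       'ref' => 'https://other.example/page'], // legacy form, foreign site
];
foreach ($cases as $c) {
    printf("%-32s -> %s\n", $c['ref'] === '' ? '(no Referer)' : $c['ref'],
        check_request($session, $c['post'], $c['ref'], 'blog.example'));
}
```

Run it with `php xsrf_example.php`. The fourth case is the situation described in this thread: a legitimate admin request that is denied only because the Referer is missing. Returning false from the check, as suggested in the post above, makes every admin action accept requests from any origin; a token carried in the form removes the dependency on the Referer header without giving that up, and the logged reason string lets you see in the server log whether denials are coming from a stripped header or from actual foreign requests.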
irfan12jan
Regular
Posts: 6
Joined: Thu Feb 14, 2008 4:23 pm

Same issue

Post by irfan12jan »

Hi, I have the exact same issue. I updated the code as described above but I still get the error. Can you please help.

thanks.

I am using IIS 6 with PHP 4.4.1

Here is my session info:

Session Support            enabled
Registered save handlers   files user

Directive                  Local Value            Master Value
session.auto_start         Off                    Off
session.bug_compat_42      On                     On
session.bug_compat_warn    On                     On
session.cache_expire       180                    180
session.cache_limiter      nocache                nocache
session.cookie_domain      no value               no value
session.cookie_lifetime    0                      0
session.cookie_path        C:\PHP\cookiedata      C:\PHP\cookiedata
session.cookie_secure      Off                    Off
session.entropy_file       no value               no value
session.entropy_length     0                      0
session.gc_divisor         100                    100
session.gc_maxlifetime     1440                   1440
session.gc_probability     1                      1
session.name               PHPSESSID              PHPSESSID
session.referer_check      no value               no value
session.save_handler       files                  files
session.save_path          C:\PHP\sessiondata     C:\PHP\sessiondata
session.serialize_handler  php                    php
session.use_cookies        On                     On
session.use_only_cookies   Off                    Off
session.use_trans_sid      Off                    Off
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Same issue

Post by garvinhicking »

Hi!

session.cookie_path is bad, it needs to point to an HTTP directory, not a filesystem path.

Also, does your session.save_path directory exist?

Other than that you might want to visit a PHP/IIS specific forum for general PHP installation questions.

Regards,
Garvin
irfan12jan
Regular
Posts: 6
Joined: Thu Feb 14, 2008 4:23 pm

Post by irfan12jan »

Thanks for the quick reply Garvin, I really appreciate it. The session_path does exist and PHP is writing files to that directory fine. I have multiple sites on the server so I'm not sure what the cookie_path should be.

Per your instructions above I did remove the XSRF check and that function only has return false. How come that is not working? Is there any place else where there is a check?

Thanks for your responses and help.

Regards,
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!

No, that is the only place. How exactly does your checkXSRF function look now?

Regards,
Garvin
irfan12jan
Regular
Posts: 6
Joined: Thu Feb 14, 2008 4:23 pm

Post by irfan12jan »

The function looks like:

    function serendipity_checkXSRF() {
        global $serendipity;

        // check bypassed as suggested above: always report "no XSRF"
        return false;
    }
irfan12jan
Regular
Posts: 6
Joined: Thu Feb 14, 2008 4:23 pm

Post by irfan12jan »

I really liked the software but can't get it working. I just reinstalled 1.3 and the installation said everything is fine.

In IE it stays logged in to the admin panel but I get the XSRF error, and in Firefox after login, when you click on any function, it takes you back to the login screen. I am using IE7.

Will really appreciate any help.

thanks,
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!

This definitely sounds like a bad PHP session server setup. Were you the one using IIS? Your server must properly emit and write PHP sessions and make use of cookies so that s9y can work...

Regards,
Garvin
irfan12jan
Regular
Posts: 6
Joined: Thu Feb 14, 2008 4:23 pm

Post by irfan12jan »

Yes, I am using IIS 6.0 (Windows 2003). Yes, you are right, it seems like a problem with PHP sessions, but I can't find any documentation or instructions which tell me how to set it up correctly. If you have any other references on setting it up I will really appreciate it.

thanks,
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!

Sadly, because IIS is not free, I cannot really test it here; maybe you can ask the PHP forums or Microsoft support about this.

You could install XAMPP; it is known to work fine with PHP sessions.

Regards,
Garvin
mehraan
Posts: 1
Joined: Tue Mar 11, 2008 4:52 pm

Re: Same issue

Post by mehraan »

garvinhicking wrote:

    Hi!

    session.cookie_path is bad, it needs to point to an HTTP directory, not a filesystem path.

    Also, does your session.save_path directory exist?

    Other than that you might want to visit a PHP/IIS specific forum for general PHP installation questions.

    Regards,
    Garvin
I have exactly the same problem. Besides, login doesn't work without "remember me", new entries don't save, and preview shows the administration panel. These all indicate problems with sessions.

The session.save_path is set to "c:\winnt\temp\php4" and the path DOES exist.

Can it be because of the backslashes in the save_path?
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Same issue

Post by garvinhicking »

Hi!

Set your session.save_path to "c:/blabla" with forward instead of backward slashes; yes, this can be a problem.

Also remember to restart your Apache after you change php.ini.

Regards,
Garvin
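Every session problem raised in this thread (a filesystem path in session.cookie_path, a backslash save_path on Windows, a save_path that must exist and be writable, cookies being required) can be checked mechanically before touching the application. The script below is an added example written for this thread, not part of Serendipity; it runs the checks against the phpinfo() values pasted earlier and then against the live interpreter, and finishes with a round trip that confirms a session file is actually written. The function names are hypothetical and the sample input is taken from the dumps quoted above.

```php
<?php
// Added example, not Serendipity's own code: sanity checks for the PHP session
// settings discussed in this thread. Directive values are passed in as an array
// so the same checks can run on a pasted phpinfo() dump or on ini_get() values.
// Function names are hypothetical.

// Returns human-readable problems; an empty array means nothing obvious is wrong.
// $servedHost is the host name the blog is reached under (optional).
function session_config_problems(array $cfg, bool $checkFilesystem = false, string $servedHost = ''): array {
    $problems = [];
    // phpinfo() prints unset directives as "no value"; treat that as empty.
    $get = function (string $key) use ($cfg): string {
        $v = (string)($cfg[$key] ?? '');
        return ($v === 'no value') ? '' : $v;
    };

    // cookie_path is the Path attribute of the session cookie, i.e. a URL path
    // such as "/" or "/blog/", never a directory on disk.
    $cookiePath = $get('session.cookie_path');
    if ($cookiePath === '' || $cookiePath[0] !== '/') {
        $problems[] = "session.cookie_path '$cookiePath' is not a URL path; use '/' or the blog's URL prefix";
    }

    // save_path is the directory where sess_* files are written. The thread
    // reports backslash paths causing trouble; PHP accepts forward slashes on Windows.
    $savePath = $get('session.save_path');
    if (strpos($savePath, '\\') !== false) {
        $problems[] = "session.save_path '$savePath' uses backslashes; prefer forward slashes";
    }
    if ($checkFilesystem && $savePath !== '' && !(is_dir($savePath) && is_writable($savePath))) {
        $problems[] = "session.save_path '$savePath' does not exist or is not writable by the web server";
    }

    // Without cookies the session id would have to ride in every URL.
    if ($get('session.use_cookies') !== 'On') {
        $problems[] = 'session.use_cookies is Off; the session id will not reach the browser';
    }

    // A cookie_domain that does not cover the served host means the browser
    // never sends the session cookie back (the "different domain" case above).
    $domain = ltrim(strtolower($get('session.cookie_domain')), '.');
    $host   = strtolower($servedHost);
    if ($domain !== '' && $host !== '' && $host !== $domain
        && substr($host, -strlen($domain) - 1) !== '.' . $domain) {
        $problems[] = "session.cookie_domain '$domain' does not match served host '$host'";
    }
    return $problems;
}

// Live round trip: start a session, store a value, close it, and confirm that a
// sess_<id> file appeared in the save path. Run this through the web server to
// test the real configuration; on the CLI it only exercises the file handler.
function session_file_written(): bool {
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    session_start();
    $_SESSION['probe'] = time();
    $id = session_id();
    session_write_close();
    $dir = session_save_path() !== '' ? session_save_path() : sys_get_temp_dir();
    return is_file(rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . 'sess_' . $id);
}

// Constructed input: the directive values pasted earlier in this thread
// (single quotes keep the backslashes literal).
$fromThread = [
    'session.cookie_path'   => 'C:\PHP\cookiedata',
    'session.save_path'     => 'C:\PHP\sessiondata',
    'session.cookie_domain' => 'no value',
    'session.use_cookies'   => 'On',
];
echo "Settings quoted in the thread:\n";
foreach (session_config_problems($fromThread) as $p) {
    echo "  - $p\n";
}

// The same checks against the interpreter this script runs under.
$live = [];
foreach (['session.cookie_path', 'session.save_path', 'session.cookie_domain', 'session.use_cookies'] as $k) {
    $v = ini_get($k);
    $live[$k] = ($k === 'session.use_cookies') ? ($v ? 'On' : 'Off') : (string)$v;
}
echo "Live settings:\n";
foreach (session_config_problems($live, true, (string)($_SERVER['HTTP_HOST'] ?? '')) as $p) {
    echo "  - $p\n";
}
echo 'Session file written: ' . (session_file_written() ? 'yes' : 'no') . "\n";
```

Place the script in the web root and open it in the browser, since the round-trip check only tells you something when PHP runs under the same server and user as the blog. For the values pasted in this thread it flags the cookie_path (a Windows directory instead of "/") and the backslashes in save_path, which are the two points Garvin raised; after fixing php.ini and restarting the server, an empty problem list plus "Session file written: yes" is what the backend login without "remember me" depends on.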