njohn Posted March 8, 2017 (edited)
I am getting THAT CSRF thingee after 2 or 3 saves, additions, etc. I can only get out of it if I sign out, close the browser, open a new browser, and sign in. Then after a save (etc.) or 2 it happens again. I found a post that said to update to newest ver if not already there. I did so and NO help. Please help me. Edited March 10, 2017 by njohn
bsmither Posted March 8, 2017
We would have to look at what the browser is posting, what PHP is receiving, and what CubeCart is expecting. We would also have to examine and eliminate any server-based caching. To start, use your browser's diagnostics to view the traffic waterfall. On the POST event, you should be able to examine all the data being POSTed. Make sure there is a security token in the POST. At a later time, we can have PHP save some data to a file that will let us compare what CubeCart is expecting vs what was POSTed.
njohn Posted March 8, 2017
Good to hear from you again. "To start, use your browser's diagnostics to view the traffic waterfall." How do I do this?
bsmither Posted March 8, 2017
Most browsers have a diagnostic mode. Firefox has "Developer Tools" (used to be Firebug). IE has something called "F12". I'm sure Chrome has something, but I don't use Chrome. I have no idea about Opera. In Firefox, click on the Menu icon (upper-right, three horizontal bars), click Developer, click Network. A panel will open (probably) to the side of the web page. Something similar is available in the other browsers. What browser are you using? Make a page request to the Store Settings page in the admin of your store. Watch the 'waterfall'.
njohn Posted March 8, 2017 (edited)
Got attached (at bottom of page). Using Firefox. Leaving now. Back in a couple of hours. Edited March 8, 2017 by njohn
bsmither Posted March 8, 2017
That looks like the result of a "Performance Analysis". There might be a "Back" link on the left (not shown in this screenshot). That will get you to see the waterfall.
njohn Posted March 8, 2017 (edited)
Got the waterfall - what to look at? attached Edited March 8, 2017 by njohn
bsmither Posted March 8, 2017
Good. This is the waterfall. The bars on the right show what was asked and when, when it started arriving, and how long it took. In the second row at the top of the window, find the trash can. Click this to clear the list. For what we need to find, we do not need to see the GET rows. Make a request for the Store Settings page. Note the waterfall is all GET rows. Clear the list. On the Store Settings page, click the Save button. Even though nothing actually changed, all the filled in form fields will get POSTed. On the waterfall, the first row should be a POST. Highlight this row. There will be a panel that slides out from the right. On this panel, click the Params tab. Here, you find what was POSTed. At the bottom of the list, you will find the security token. It will (should) change after each time you click the Save button and get a new form. If you go straight to a new admin page, not first having clicked Save, then the security token has not changed. Only if you click Save, then CubeCart makes a new security token. Do this a few times on different admin pages. Become familiar with finding the security token value in POST.
njohn Posted March 8, 2017 (edited)
Will do - BUT just as an aside, I'm now on Windows 10 (which I NEVER use) and using Internet Explorer, which I thought I hated, but I CAN'T get it to give me the CSRF warning no matter that I have made 8 or 10 changes and saved. HMMMM???? I use Linux Mint 17.3 and Chromium and that's where I have had the problems. Edited March 8, 2017 by njohn
bsmither Posted March 9, 2017
I have had some weird things happen when Firefox is wanting to use its internal cache. Some pages that should have changed, but didn't, until I forbade Firefox from using its cache. So, now that you know where to look for the security token in POST, you can verify if the token actually changes from POST to POST.
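
Added example (not part of the original thread and not CubeCart code): the POST-to-POST token comparison described above, run over a HAR export of the browser's Network panel instead of by eye. The field name `token`, the `shop.example` URLs and the sample HAR are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qsl

# Constructed HAR excerpt (not from the thread). The field name "token" and the
# shop.example URLs are assumptions; pass the real field name via `field`.
def _post(url, **post_data):
    return {"request": {"method": "POST", "url": url, "postData": post_data}}

SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://shop.example/admin/settings"}},
    _post("https://shop.example/admin/settings",
          params=[{"name": "store_name", "value": "Demo"},
                  {"name": "token", "value": "a1f3"}]),
    # Some exporters give only the raw body text, not a parsed params list.
    _post("https://shop.example/admin/settings",
          mimeType="application/x-www-form-urlencoded",
          text="store_name=Demo&token=9c2e"),
    _post("https://shop.example/admin/products",
          params=[{"name": "token", "value": "9c2e"}]),   # same token again
    _post("https://shop.example/admin/products",
          params=[{"name": "name", "value": "Widget"}]),  # no token at all
]}})

def post_tokens(har_text, field="token"):
    """Return [(url, token or None)] for every POST in the HAR, in order."""
    found = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        if req["method"] != "POST":
            continue
        body = req.get("postData") or {}
        pairs = [(p["name"], p.get("value", "")) for p in body.get("params") or []]
        if not pairs and "urlencoded" in body.get("mimeType", ""):
            pairs = parse_qsl(body.get("text", ""), keep_blank_values=True)
        found.append((req["url"], dict(pairs).get(field)))
    return found

def audit(har_text, field="token"):
    """Label each POST 'ok', 'missing' (no token sent) or 'reused' (sent before)."""
    seen, report = set(), []
    for url, token in post_tokens(har_text, field):
        status = "missing" if not token else "reused" if token in seen else "ok"
        seen.add(token)
        report.append((url, status))
    return report

if __name__ == "__main__":
    for url, status in audit(SAMPLE_HAR):
        print(f"{status:8} {url}")
```

A `reused` row means the browser submitted a form it had already posted once, which fits the cache suspicion raised in the post above; a `missing` row means the form never carried the token.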
njohn Posted March 9, 2017
I have printed out your (detailed) instructions above and am (slowly) plowing through them. I'll report when (if) I complete your instructions. I did the 1st run at showing the waterfall in Firefox 'cause I could follow your earlier instructions. I'll continue with ff and if we achieve success I'll use ff in future CubeCart admin functions.
njohn Posted March 9, 2017
OK, done on several pages, and last entry in params changes on all pages I tried. But CSRF occurring is confusing the issue. BTW the Windows IE solution has failed and CSRF is BACK there with a vengeance.
bsmither Posted March 9, 2017
Ok, you have clicked Save on numerous pages (even the same one), and the security token was different in the POST for each click on the Save button. We now need to look at what PHP is giving to CubeCart. In a PM, I will give you a link to a file to download. It will log what CubeCart was given in POST. Using this log, we can compare what the browser POSTed vs what CubeCart received.
njohn Posted March 9, 2017
Sheesh - I can't continue testing as the CSRF occurs on the second save, so I can't monitor a change.
bsmither Posted March 9, 2017
The waterfall should still show a POST entry. That's all we need. It is because CubeCart thinks the security token is wrong (or missing) that the CSRF warning is being delivered. This is after the POST is received by CubeCart.