
[RESOLVED] Making me CRAZY


njohn


I am getting THAT CSRF thingee after 2 or 3 saves, additions, etc. I can only get out of it if I sign out, close the browser, open a new browser, and sign in. Then after a save (etc.) or 2 it happens again.

I found a post that said to update to the newest version if not already there. I did so and NO help.

Please help me.


We would have to look at what the browser is posting, what PHP is receiving, and what CubeCart is expecting.

We would also have to examine and eliminate any server-based caching.

To start, use your browser's diagnostics to view the traffic waterfall. On the POST event, you should be able to examine all the data being POSTed. Make sure there is a security token in the POST.

At a later time, we can have PHP save some data to a file that will let us compare what CubeCart is expecting vs what was POSTed.


Most browsers have a diagnostic mode. Firefox has "Developer Tools" (used to be Firebug). IE has something called "F12". I'm sure Chrome has something, but I don't use Chrome. I have no idea about Opera.

In Firefox, click on the Menu icon (upper-right, three horizontal bars), click Developer, click Network. A panel will open (probably) to the side of the web page.

Something similar is available in the other browsers. What browser are you using?

Make a page request to the Store Settings page in the admin of your store.

Watch the 'waterfall'.


Good. This is the waterfall. The bars on the right show what was asked and when, when it started arriving, and how long it took.

In the second row at the top of the window, find the trash can. Click this to clear the list. For what we need to find, we do not need to see the GET rows.

Make a request for the Store Settings page. Note the waterfall is all GET rows. Clear the list.

On the Store Settings page, click the Save button. Even though nothing actually changed, all the filled in form fields will get POSTed.

On the waterfall, the first row should be a POST. Highlight this row. There will be a panel that slides out from the right.

On this panel, click the Params tab. Here, you find what was POSTed. At the bottom of the list, you will find the security token. It will (should) change after each time you click the Save button and get a new form. If you go straight to a new admin page, not first having clicked Save, then the security token has not changed. Only if you click Save, then CubeCart makes a new security token.

Do this a few times on different admin pages. Become familiar with finding the security token value in POST.

 


Will do - BUT

Just as an aside, I'm now on Windows 10 (which I NEVER use) and using Internet Explorer which I thought I hated, but I CAN'T get it to give me the CSRF warning no matter that I have made 8 or 10 changes and saved. HMMMM????

I use Linux Mint 17.3 and Chromium and that's where I have had the problems.


I have had some weird things happen when Firefox is wanting to use its internal cache. Some pages that should have changed, but didn't, until I forbade Firefox from using its cache.

So, now that you know where to look for the security token in POST, you can verify if the token actually changes from POST to POST.


I have printed out your (detailed) instructions above and am (slowly) plowing through them. I'll report when (if) I complete your instructions.

I did the 1st run at showing the waterfall in Firefox 'cause I could follow your earlier instructions. I'll continue with FF and if we achieve success I'll use FF in future CubeCart admin functions.


OK, done on several pages, and the last entry in Params changes on all pages I tried.

But CSRF occurring is confusing the issue.

BTW the Windows IE solution has failed and CSRF is BACK there with a vengeance.


Ok, you have clicked Save on numerous pages (even the same one), and the security token was different in the POST for each click on the Save button.

We now need to look at what PHP is giving to CubeCart. In a PM, I will give you a link to a file to download. It will log what CubeCart was given in POST. Using this log, we can compare what the browser POSTed vs what CubeCart received.

 


The waterfall should still show a POST entry. That's all we need.

It is because CubeCart thinks the security token is wrong (or missing) that the CSRF warning is being delivered. This is after the POST is received by CubeCart.

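An added example, not part of the thread and not CubeCart code or the file mentioned in the posts: one way a PHP-side log could record what was POSTed against what the server expects, as the replies above describe. The POST field name `token`, the session key `csrf_expected` and the log file path are assumptions made for illustration; tokens are logged as short fingerprints so the raw values never reach disk.

```php
<?php
// Added diagnostic sketch; not CubeCart code. Assumed names: the POST field
// 'token', the session key 'csrf_expected', and the log file path.

/** Short fingerprint so raw token values never land in the log file. */
function token_fingerprint(?string $token): string
{
    if ($token === null || $token === '') {
        return 'MISSING';
    }
    return substr(hash('sha256', $token), 0, 12) . ' len=' . strlen($token);
}

/** Classify one request: what arrived in POST vs what the session expects. */
function classify_token(array $post, array $session): array
{
    $posted   = isset($post['token']) && is_string($post['token'])
        ? $post['token'] : null;
    $expected = isset($session['csrf_expected']) && is_string($session['csrf_expected'])
        ? $session['csrf_expected'] : null;

    if ($expected === null) {
        $verdict = 'NO_SESSION_TOKEN';  // session lost or restarted before the POST
    } elseif ($posted === null || $posted === '') {
        $verdict = 'TOKEN_NOT_POSTED';  // form rendered or submitted without the field
    } elseif (hash_equals($expected, $posted)) {
        $verdict = 'MATCH';
    } else {
        $verdict = 'MISMATCH';          // e.g. a stale form served from a cache
    }
    return [
        'verdict'  => $verdict,
        'posted'   => token_fingerprint($posted),
        'expected' => token_fingerprint($expected),
    ];
}

/** Append one line per POST to a log file kept outside the web root. */
function log_token_check(array $post, array $session, string $logFile): void
{
    $r = classify_token($post, $session);
    $line = sprintf("%s %s posted=%s expected=%s session=%s\n",
        date('c'), $r['verdict'], $r['posted'], $r['expected'],
        token_fingerprint(session_id() ?: null));
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

// Constructed sample: the form carried an older token than the session holds.
print_r(classify_token(['token' => 'aaaa1111'], ['csrf_expected' => 'bbbb2222']));
```

A session fingerprint that changes between the form request and the POST points at a lost session rather than a bad token.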
