
Initial access to web-page leads to 403 #140

Open
zanzara opened this issue Dec 3, 2020 · 4 comments

Comments


zanzara commented Dec 3, 2020

I don't know if it is a bug in my client code or this behaviour is by design.

When I call my page in a "fresh" browser (all browser data and cache cleared before), I get on my first XHR (POST)
this msg of hell: "OWASP CSRF PROTECTOR VALIDATION FAILURE"
which leads to a 403 in the end.

The next XHRs then work; I can observe that the CSRF_TOKEN cookie is set.

The strange thing is that, even for that, I had to change these lines in "csrfprotector.php"
(moving self::authorizePost(); to the bottom):

```php
// Authorise the incoming request
//self::authorizePost();   // original position, commented out

// Initialize output buffering handler
if (!defined('__TESTING_CSRFP__')) {
    ob_start('csrfProtector::ob_handler');
}

// Mint a fresh token unless the cookie token is one the session already knows
if (!isset($_COOKIE[self::$config['CSRFP_TOKEN']])
    || !isset($_SESSION[self::$config['CSRFP_TOKEN']])
    || !is_array($_SESSION[self::$config['CSRFP_TOKEN']])
    || !in_array($_COOKIE[self::$config['CSRFP_TOKEN']],
        $_SESSION[self::$config['CSRFP_TOKEN']])) {
    self::refreshToken();
}
self::authorizePost();   // moved here, after the token check
```

I'm using v1.0.0, but in the end, with v1.0.2 it's the same.
I really don't know where my problem is.
Sorry if I might be wrong here.
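A self-contained PHP model of the cookie/session token check in the snippet above, added here as an illustration (it is not CSRFProtector's own code; the `authorizePost` rule, the variable names and the request sequence are simplified assumptions). It replays a constructed sequence of requests from a browser with no cookies to show which requests pass the check and why a POST that does not carry the cookie's token is refused.

```php
<?php
// Added illustration (not CSRFProtector's code): a minimal model of the
// cookie/session token check, replayed over constructed requests from a
// "fresh" browser. Names and the authorize rule are assumptions.

$session = [];    // stands in for $_SESSION['CSRFP_TOKEN'] (array of valid tokens)
$cookieJar = [];  // stands in for the browser's cookies

function refreshToken(array &$session, array &$cookieJar): string {
    $token = bin2hex(random_bytes(16));
    $session[] = $token;                 // server remembers the token
    $cookieJar['CSRFP_TOKEN'] = $token;  // Set-Cookie to the browser
    return $token;
}

// Mirrors the condition in the snippet: mint a token unless the browser's
// cookie token is already one the session knows about.
function ensureToken(array &$session, array &$cookieJar): void {
    if (!isset($cookieJar['CSRFP_TOKEN'])
        || !in_array($cookieJar['CSRFP_TOKEN'], $session, true)) {
        refreshToken($session, $cookieJar);
    }
}

// Simplified authorize step (assumption): a POST must carry a token that the
// session knows; a POST without one is refused with 403.
function authorizePost(string $method, ?string $sentToken, array $session): int {
    if ($method !== 'POST') {
        return 200;
    }
    return ($sentToken !== null && in_array($sentToken, $session, true)) ? 200 : 403;
}

// Constructed request sequence from a browser that starts with no cookies.
$requests = [
    ['GET',  null],           // initial page load: no cookie, nothing to send
    ['POST', null],           // login XHR sent without copying the cookie token
    ['POST', 'FROM_COOKIE'],  // login XHR that sends the cookie token with the request
];

foreach ($requests as [$method, $tokenSource]) {
    ensureToken($session, $cookieJar);  // what the library's init does on every request
    $sent = $tokenSource === 'FROM_COOKIE' ? $cookieJar['CSRFP_TOKEN'] : null;
    printf("%-4s token=%s -> %d\n", $method,
        $sent === null ? 'none' : 'cookie', authorizePost($method, $sent, $session));
}
```

The model only shows that the check depends on the request carrying a token the session knows; whether the client-side script reads the cookie before the first POST is what determines the outcome for that request.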


knopkem commented Dec 8, 2020

I suspect that the issue comes from a race condition between your XHR request (on page load?) and the csrf library trying to initialize. One quick way to find this out is to delay your POST request (using a timer of 1s to be sure).
Guess it's similar to #113


zanzara commented Dec 8, 2020

Thanks for your reply.
But I don't quite understand your delay proposal.
I load the page until it gets to login. Then the very first XHR is a POST when the user submits login data with the OK button.
Where exactly should the delay be? After self::authorizePost()?

Sorry if I didn't understand you well here.


knopkem commented Dec 8, 2020

In this case, my assumption was wrong. I thought you would auto-trigger an XHR POST request when the DOM was loaded (which then might create an issue with csrf). But in your case you have the issue even when manually triggering the first POST via the login form (which is correct workflow-wise). So no delay will help here, sorry. The issue is not related and must be something else.

@geemytrimz

> I suspect that the issue comes from a race condition between your XHR request (on page load?) and the csrf library trying to initialize. One quick way to find this out is to delay your POST request (using a timer of 1s to be sure).
> Guess it's similar to #113

Please, how do I do that?

3 participants