question about session and csrf

[anibalardid]

Hi Omar, how are you ?
I'm trying your framework , I like it very much.
But I have problems with csrf ... at beggining it works, but after some minutes it doesnt work anymore.
When I create post it said error 400 and in logs appear "invalid CSRF token", I added Session::getCsrfToken() to the same debug line, and it appears empty.

What could be happening ?

Best regards !

[ghost]

What are the values of your config/config.php about expire the cookie and session? Did you change the crsf_token_time to something else?

[anibalardid]

Hi ! Thanks for your reply.
I didn't change these values.
These are as default in the code

[anibalardid]

I debug the code, adding new logger in the same method that check csrf, I add debug_backtrace() to see where are passing the code ...
I don't see Session in this trace.
I think, maybe, the code sometimes doesn't initialize session ...

I attached it here:
https://pastebin.com/urEdxb6y

[Achterstraat]

Hi,

You can modify line 59 from core/Sessions.php from..

if(!self::validateIPAddress($ip) || !self::validateUserAgent($userAgent)) {

..to..

if(!self::validateIPAddress($ip)) {

..and test then again, if no invalid sessions your useragent returns unstable reliable results!

Or..

if(!self::validateIPAddress($ip) || !self::validateUserAgent($userAgent)) {

..to..

if(!self::validateUserAgent($userAgent)) {

..and test then again, if no invalid sessions your IPv4/IPv6 are switching random!

[anibalardid]

when I only let validateipaddress:

05/01/2019 9:51:59 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 238 | CSRF Attack
User: 1 provided invalid CSRF Token 35722d62fcb28368ffe2571677f84f18

---

05/01/2019 9:51:59 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 136 | Exception
The request has been deined

---

If I let validateuseragent...
same error (400)

05/01/2019 9:53:04 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 238 | CSRF Attack
User: 1 provided invalid CSRF Token d12d121d050f01a0949e428884027eae

---

05/01/2019 9:53:04 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 136 | Exception
The request has been deined

---

[goldwizard13]

when I only let validateipaddress:

05/01/2019 9:51:59 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 238 | CSRF Attack
User: 1 provided invalid CSRF Token 35722d62fcb28368ffe2571677f84f18

05/01/2019 9:51:59 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 136 | Exception
The request has been deined

If I let validateuseragent... same error (400)

05/01/2019 9:53:04 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 238 | CSRF Attack
User: 1 provided invalid CSRF Token d12d121d050f01a0949e428884027eae

05/01/2019 9:53:04 | /shared/httpd/lightframeworks/htdocs/miniPHP/app/core/components/SecurityComponent.php | 136 | Exception
The request has been deined

hi i have the same problem, how did you solve it?

[anibalardid]

hi i have the same problem, how did you solve it?

I finally removed it, and I created some other checks created by my own.

I modified a lot this framework to do what i need to do :)