"csrf error in login"

(15 posts) (2 voices)


No tags yet.

  1. apao, Member

    I updated myDBR yesterday to the latest version. Today, when any user tries to login, the following message is displayed:

    csrf error in login

    Could you please tell me how to fix this?
    Thanks in advance.

    EDIT : as a temporary workaround, I see it works on Firefox but we need it to work on Chrome as well

  2. myDBR Team, Key Master

    Delete the myDBR cookie in Chrome (mydbr-id-us or mydbr-id) and you should be able to login.

    myDBR Team

  3. apao, Member

    I deleted all cookies (via the Ctrl+Shift+Del shortcut of Chrome) and it doesn't work.

    EDIT: Private navigation doesn't work either

  4. myDBR Team, Key Master

    is your server online (open to web?) so we could try it?

    Makse sure all myDBR related cookies are removed. See https://developer.chrome.com/docs/devtools/application/cookies/

    To rule out the Chrome itself, try logging into myDBR Demo at https://mydbr.com/demo

    myDBR Team

  5. apao, Member

    No, our myDBR server is offline.

    I followed the procedure mentioned, there's no cookies for our myDBR server.

    I can login to the myDBR demo.

    EDIT: ok, that's odd: If I try to connect to "our" myDBR, get the error message and then try to login to myDBR Demo just after, I sometimes get the error message on myDBR demo. But when that happens, I just have to try once more and then I login successfully to myDBR demo. Maybe a cache issue. But that doesn't fix my login problem to "our" myDBR.

  6. myDBR Team, Key Master

    Are you using HTTPS on your server?

    Run the updater again in Firefox and add following line to user/defaults.php:

    $mydbr_defaults['debug_cookie'] = true;

    The login screen should now show you the session ID and CSRF token copy those. When you log in using Chrome, compare the same values from the error message.

    myDBR Team

  7. apao, Member

    No, we don't use HTTPS.

    I added the line and I ran the updater using Firefox. Now, when I try to login using Chrome, the session ID on the login page and on the "csrf error in login" page are different. The CSRF are equal.

  8. myDBR Team, Key Master

    So for some reason, Chrome is losing the session in your setup.

    Next step would be to see the Chrome developer tools for network activity to see of there are server redirects that would cause the session to be lost.

    You can also try setting:

    $mydbr_defaults['cookie']['samesite_on_http'] = 'None';

    in user/defaults.php.

    myDBR Team

  9. apao, Member

    I tried the setting, it doesn't fix the issue.
    Is there any new functionality/setting between 6.5.1 (that was our latest update before yesterday's update) and 6.7.0 that could cause the issue?
    If we don't find it, is there any way to rollback to 6.5.1?

  10. myDBR Team, Key Master

    Couple of questions that could help us to replicate this.

    - What is the PHP version you are using?
    - What is the web server you are using?
    - Any custom configurations on server (any redirects?)

    myDBR Team

  11. apao, Member

    - PHP version: 7.3.14
    - Windows Server 2016 Datacenter
    - I can't be 100% sure but I don't think so. We use an alias for the machine instead of the machine name so I've just tried to login using the machine name and I have the same problem (+ a license issue because our myDBR license is linked to the alias of the server but that's not the problem here)

  12. myDBR Team, Key Master

    could you try with following setting in user/defaults.php:

    $mydbr_defaults['cookie']['samesite'] = 'Lax';

    It may take two login attempts to see if this works for you.
    myDBR Team

  13. apao, Member

    Ok, this works, thanks.
    So, was this some kind of anti-CSRF-attack system you added in the latest versions and if so, can we still consider the application as safe with this setting?

  14. myDBR Team, Key Master

    the samesite Lax limits where cookies are sent. Only to origin site, not on cross-site requests.

    Chrome handles the samesite bit differently, hence the problem.
    myDBR Team

  15. apao, Member

    Ok. Thanks for your responsiveness... as usual!


You must log in to post.