"csrf error in login"

(15 posts) (2 voices)


  1. apao, Member

    Hi,
    I updated myDBR yesterday to the latest version. Today, when any user tries to login, the following message is displayed:

    csrf error in login

    Could you please tell me how to fix this?
    Thanks in advance.

    EDIT : as a temporary workaround, I see it works on Firefox but we need it to work on Chrome as well

  2. myDBR Team, Key Master

    Delete the myDBR cookie in Chrome (mydbr-id-us or mydbr-id) and you should be able to login.

    --
    myDBR Team

  3. apao, Member

    I deleted all cookies (via the Ctrl+Shift+Del shortcut of Chrome) and it doesn't work.

    EDIT: Private navigation doesn't work either

  4. myDBR Team, Key Master

    OK,
    is your server online (open to web?) so we could try it?

    Make sure all myDBR related cookies are removed. See https://developer.chrome.com/docs/devtools/application/cookies/

    To rule out the Chrome itself, try logging into myDBR Demo at https://mydbr.com/demo

    --
    myDBR Team

  5. apao, Member

    No, our myDBR server is offline.

    I followed the procedure mentioned, there's no cookies for our myDBR server.

    I can login to the myDBR demo.

    EDIT: ok, that's odd: If I try to connect to "our" myDBR, get the error message and then try to login to myDBR Demo just after, I sometimes get the error message on myDBR demo. But when that happens, I just have to try once more and then I login successfully to myDBR demo. Maybe a cache issue. But that doesn't fix my login problem to "our" myDBR.

  6. myDBR Team, Key Master

    Are you using HTTPS on your server?

    Run the updater again in Firefox and add following line to user/defaults.php:

    $mydbr_defaults['debug_cookie'] = true;

    The login screen should now show you the session ID and CSRF token; copy those. When you log in using Chrome, compare the same values from the error message.

    --
    myDBR Team

  7. apao, Member

    No, we don't use HTTPS.

    I added the line and I ran the updater using Firefox. Now, when I try to login using Chrome, the session ID on the login page and on the "csrf error in login" page are different. The CSRF are equal.

  8. myDBR Team, Key Master

    So for some reason, Chrome is losing the session in your setup.

    Next step would be to check the Chrome developer tools for network activity to see if there are server redirects that would cause the session to be lost.

    You can also try setting:

    $mydbr_defaults['cookie']['samesite_on_http'] = 'None';

    in user/defaults.php.

    --
    myDBR Team

  9. apao, Member

    Hi,
    I tried the setting, it doesn't fix the issue.
    Is there any new functionality/setting between 6.5.1 (that was our latest update before yesterday's update) and 6.7.0 that could cause the issue?
    If we don't find it, is there any way to rollback to 6.5.1?

  10. myDBR Team, Key Master

    Couple of questions that could help us to replicate this.

    - What is the PHP version you are using?
    - What is the web server you are using?
    - Any custom configurations on server (any redirects?)

    --
    myDBR Team

  11. apao, Member

    - PHP version: 7.3.14
    - Windows Server 2016 Datacenter
    - I can't be 100% sure but I don't think so. We use an alias for the machine instead of the machine name so I've just tried to login using the machine name and I have the same problem (+ a license issue because our myDBR license is linked to the alias of the server but that's not the problem here)

  12. myDBR Team, Key Master

    OK,
    could you try with following setting in user/defaults.php:

    $mydbr_defaults['cookie']['samesite'] = 'Lax';

    It may take two login attempts to see if this works for you.
    --
    myDBR Team

  13. apao, Member

    Ok, this works, thanks.
    So, was this some kind of anti-CSRF-attack system you added in the latest versions and if so, can we still consider the application as safe with this setting?

  14. myDBR Team, Key Master

    Yes,
    the samesite Lax setting limits where cookies are sent: only to the origin site, not on cross-site requests.

    Chrome handles the samesite bit differently, hence the problem.
    --
    myDBR Team
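    The exchange above, as an added example that is not part of the thread or of myDBR's own code: a small model of the browser-side SameSite rules (Strict, Lax, None, plus Chrome's refusal to store a SameSite=None cookie that lacks the Secure attribute, which a plain-HTTP site cannot set) and of a server-side login check in which the CSRF token is only valid inside the session that issued it. The session and token values and the cookie name `mydbr-id` are constructed for the simulation; the login flow is a simplification, not myDBR's actual implementation.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    samesite: str   # "Strict", "Lax" or "None"
    secure: bool    # Secure attribute; a plain-HTTP site cannot set it

def cookie_accepted(cookie: Cookie, chrome_rules: bool) -> bool:
    """Storage rule: Chrome drops SameSite=None cookies without Secure,
    so over HTTP a SameSite=None session cookie never gets stored at all."""
    return not (chrome_rules and cookie.samesite == "None" and not cookie.secure)

def cookie_sent(cookie: Cookie, same_site: bool, top_level_get: bool) -> bool:
    """Attachment rule for a stored cookie on an outgoing request."""
    if cookie.samesite == "Strict":
        return same_site
    if cookie.samesite == "Lax":
        return same_site or top_level_get   # Lax still allows top-level GET navigations
    return True                              # SameSite=None: sent cross-site too

def server_login(sessions: dict, session_cookie: Optional[str], posted_token: str) -> str:
    """A CSRF token is bound to the session it was issued in. If the session
    cookie does not arrive, the server sees a fresh session with no stored
    token, so the check fails even though the posted token itself is unchanged
    (the symptom in the thread: different session IDs, equal CSRF tokens)."""
    if session_cookie is None or session_cookie not in sessions:
        return "csrf error in login"
    if sessions[session_cookie]["csrf"] != posted_token:
        return "csrf error in login"
    return "logged in"

def simulate(samesite: str, https: bool, chrome_rules: bool) -> str:
    """GET /login issues a session cookie and a CSRF token, then the browser
    POSTs the form back to the same site. Constructed values throughout."""
    sessions, jar = {}, {}
    sid, token = "sess-A1", "tok-9f"            # constructed sample values
    sessions[sid] = {"csrf": token}
    cookie = Cookie("mydbr-id", samesite, secure=https)
    if cookie_accepted(cookie, chrome_rules):
        jar[cookie.name] = (cookie, sid)
    sent_sid = None
    if cookie.name in jar and cookie_sent(jar[cookie.name][0], same_site=True, top_level_get=False):
        sent_sid = jar[cookie.name][1]
    return server_login(sessions, sent_sid, token)
```

Running `simulate("None", https=False, chrome_rules=True)` reproduces the failure for the SameSite=None-over-HTTP attempt, while `simulate("Lax", https=False, chrome_rules=True)` logs in, matching the setting that resolved the thread.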

  15. apao, Member

    Ok. Thanks for your responsiveness... as usual!

