- changed status to resolved
After logout, login causes wrong csrf token message
After logging out, trying to log in again causes this message: "CSRF token is wrong - please try to login again".
The reason is that the CSRF token is cleared when logging out. It would be necessary to create the new one directly.
Additionally, CSRF token handling should maybe be moved to the Authorization class.
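The failure sequence described in the report, as an added PHP example that is not phpLiteAdmin's own code: a plain array stands in for $_SESSION so it runs from the CLI, and all function names are invented for illustration.

```php
<?php
// Added example (not phpLiteAdmin code). A plain array models $_SESSION;
// function names are invented for illustration.

function newToken(array &$session): string {
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

// Token embedded into the login form. If logout (or a fresh session) left
// no token behind, create one now rather than emitting a form whose token
// can never match anything stored server-side.
function renderLoginForm(array &$session): string {
    if (empty($session['csrf_token'])) {
        newToken($session);
    }
    return $session['csrf_token'];
}

// Server-side check on the submitted login form.
function checkToken(array $session, ?string $submitted): string {
    if ($submitted === null || $submitted === '') {
        return 'CSRF token missing';
    }
    if (!isset($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $submitted)) {
        return 'CSRF token is wrong - please try to login again';
    }
    return 'ok';
}

// Logout as described in the issue: the session (and with it the token)
// is cleared and nothing replaces the token.
function logoutBuggy(array &$session): void {
    $session = [];
}

// Logout with the fix the report asks for: clear, then create the new token
// straight away so the login page rendered next carries a valid one.
function logoutFixed(array &$session): void {
    $session = [];
    newToken($session);
}

$session = [];
$formToken = renderLoginForm($session);          // token computed for this request
echo checkToken($session, $formToken), "\n";     // first login: session and form agree
logoutBuggy($session);                           // form token was computed before logout
echo checkToken($session, $formToken), "\n";     // emptied session has nothing to match
logoutFixed($session);
echo checkToken($session, renderLoginForm($session)), "\n"; // fresh token on both sides
```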
Comments (6)
-
Unfortunately, I still get this error message.
-
reporter Which version are you using? The fix is not yet in the stable release 1.9.7.1, only in the development version 1.9.8-dev, which you can get here: http://www.phpliteadmin.org/phpliteadmin-dev.zip
-
Well, I was actually using 1.9.6 - it worked. Then I encountered a bug by inserting contents into a table. Afterwards I tried to update to 1.9.7.1 -> CSRF token error.
Now I tried 1.9.8-dev and I still get that CSRF token error.
Edit: if I comment out lines 4215-4223, then it works.
-
reporter Well, 1.9.6 did not have any protection against CSRF attacks, and by commenting out the lines mentioned you effectively remove the CSRF protection. Of course then it "works", but it is insecure. Which error do you get (CSRF missing or wrong?) and in which situations? Only after logout, as described in this issue? If you reload the page after logout and then try to login, does it work?
Edit: Have you stopped working with phpLiteAdmin for some time, then gone back to it, and then the error occurred? I can imagine it might happen when the session times out. I will see what to do about this. But it's a different issue (triggered by session timeout, not logout).
-
reporter In case you are using the development version, please read: https://www.phpliteadmin.org/2017/08/17/security-alert-1-9-8-dev/
#312 → changeset 8f647a7e67c9