After logout, login causes wrong csrf token message

Issue #312 resolved
phpLiteAdmin repo owner created an issue

After logging out, trying to login again causes this message: CSRF token is wrong - please try to login again

The reason is that the CSRF token is cleared when logging out. It would be necessary to directly create the new one.

Additionally, CSRF token handling maybe should be moved to the Authorization class.
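The token lifecycle this issue describes, as an added Python model (not phpLiteAdmin's own code; the session store, function names and result strings are assumptions): clearing the whole session on logout leaves the next login form without a token, so the first login fails, while regenerating the token as part of logout lets that login succeed and also rejects the token issued before logout.

```python
import hmac
import secrets


class Session:
    """Minimal stand-in for server-side session storage (assumed, not phpLiteAdmin's)."""

    def __init__(self):
        self.data = {}


def new_csrf_token(session):
    """Generate a fresh, unpredictable token and store it server-side."""
    session.data["csrf_token"] = secrets.token_hex(32)
    return session.data["csrf_token"]


def render_login_form(session):
    """The login form embeds whatever token the session currently holds (None if cleared)."""
    return {"csrf_token": session.data.get("csrf_token")}


def check_csrf(session, submitted):
    """Distinguish a missing server-side token from a submitted one that does not match."""
    expected = session.data.get("csrf_token")
    if expected is None or submitted is None:
        return "missing"
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return "ok" if hmac.compare_digest(expected, submitted) else "wrong"


def logout_buggy(session):
    """Logout as described in the issue: the session (and its token) is simply cleared."""
    session.data.clear()


def logout_fixed(session):
    """Logout as described in the fix: clear the session, then issue a token for the login form."""
    session.data.clear()
    new_csrf_token(session)


def first_login_after_logout(logout):
    """Simulate: logged-in session -> logout -> login form rendered -> form submitted."""
    session = Session()
    new_csrf_token(session)
    logout(session)
    form = render_login_form(session)
    return check_csrf(session, form["csrf_token"])


def stale_token_after_fixed_logout():
    """A token captured before logout must not be accepted for the post-logout login."""
    session = Session()
    old_token = new_csrf_token(session)
    logout_fixed(session)
    return check_csrf(session, old_token)
```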

Comments (6)

  1. phpLiteAdmin reporter
    • Moved CSRF token generation/handling to Authorization class
    • On logout, a new token is now generated that secures the login form displayed after logout. Before, the first login attempt after logout failed due to the missing token. -> This fixes issue #312

    → <<cset 8f647a7e67c9>>

  2. Andreas Urben

    Well, I was actually using 1.9.6 - it worked. Then I encountered a bug by inserting contents into a table. Afterwards I tried to update to 1.9.7.1 -> CSRF token Error.

    Now I tried 1.9.8-dev and I still get that CSRF token error.

    Edit: if I comment out lines 4215-4223, then it works.

  3. phpLiteAdmin reporter

    Well, 1.9.6 did not have any protection against CSRF attacks and commenting out the lines mentioned, you effectively remove the CSRF protection. Of course then it "works", but it is insecure. Which error do you get (CSRF missing or wrong?) and in which situations? Only after logout, as described in this issue? If you reload the page after logout and then try to login, does it work?

    Edit: Have you stopped working with phpLiteAdmin for some time and then went back to it and then the error occurs? I can imagine it might happen when the session times out. I will see what to do about this. But it's a different issue (triggered by session timeout not logout).
