Error: Bad Request, CSRF Token

9 years 11 months ago #107096 by zobbyzobba
Error: Bad Request, CSRF Token was created by zobbyzobba
Hi everyone,

When we try to do a survey, after clicking the first "Next" button on the Welcome screen, we get the error:

Bad Request

The CRSF token could not be verified.

The request could not be understood by the server due to malformed syntax. blah blah...


I have the last stable version, 2.05+ build 140320. This only appears when we're not logged in to the admin console.
Using an invitation or not gives the same result.

There are no PHP errors in the Apache logs.

I've already read this wiki: manual.limesurvey.org/Troubleshooting#Af...d_not_be_verified.27
But it doesn't solve the problem...

It might be server config stuff, but I don't know what.

Do you have any ideas to help me?

Best Regards
The topic has been locked.
9 years 11 months ago #107101 by DenisChenu
Replied by DenisChenu on topic Error: Bad Request, CSRF Token
Hi,

Did you try with the default template?

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
9 years 11 months ago #107107 by zobbyzobba
Replied by zobbyzobba on topic Error: Bad Request, CSRF Token
Hello,

Yes, I'm trying from a fresh install, with a basic survey with the default template.
Sorry, I forgot to specify that.

I'm really lost with this problem. :(
9 years 11 months ago #107111 by DenisChenu
Replied by DenisChenu on topic Error: Bad Request, CSRF Token
Can you give us a link to test ?

9 years 11 months ago #107112 by zobbyzobba
Replied by zobbyzobba on topic Error: Bad Request, CSRF Token
Yep, you can try this one:
cdsp.sciences-po.fr/limesurvey2/index.ph...s6ckrivweq3a/lang/en

(Link is from the mail invitation)
9 years 11 months ago - 9 years 11 months ago #107113 by DenisChenu
Replied by DenisChenu on topic Error: Bad Request, CSRF Token
Hi,

Strange : the phpadmin session cookie is set for .sciences-po.fr and /
Not for cdsp.sciences-po.fr

I think the problem is here

I never tested 'global domain cookie'

Maybe you can try:
www.yiiframework.com/wiki/135/single-sig...multiple-subdomains/
Code:
'session' => array(
        'savePath' => '/some/writeable/path',
        'cookieMode' => 'allow',
        'cookieParams' => array(
            'path' => '/',
            'domain' => '.sciences-po.fr',
            'httpOnly' => true,
        ),
    ),

9 years 11 months ago #107133 by zobbyzobba
Replied by zobbyzobba on topic Error: Bad Request, CSRF Token
Hello,

You've pointed the right problem!

I've set your code in config.php. It seems to be applied in phpinfo, but doesn't solve the problem.
I have a question: should the cookie path be /limesurvey in my case?

I put this in config.php:
Code:
'session' => array(
        'savePath' => '/my/path/to/limesurvey2/tmp/sessions/',
        'cookieMode' => 'allow',
        'cookieParams' => array(
            'path' => '/limesurvey2',
            'domain' => 'cdsp.sciences-po.fr',
            'httpOnly' => true,
        ),
    ),

I've also tried with "/" in the path variable.

This doesn't work :angry:

BUT, I've modified my php.ini with:
session.cookie_path = /limesurvey2
session.cookie_domain = cdsp.sciences-po.fr

And this solved my problem! Now surveys are all accessible, no CSRF errors.

But the setting is global, and LimeSurvey is not my only PHP application... the PHP site at / now has PHP session troubles.

I need to find a way to make this work on the local LimeSurvey site.

I don't know why it doesn't work with the config in config.php, even though the settings are visible in LimeSurvey's phpinfo.

Thanks for this progress :)

Hope to solve this soon...
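The cookie scoping discussed in the posts above, as an added example that is not part of any post and is not LimeSurvey code: it applies the RFC 6265 domain-match and path-match rules to constructed Set-Cookie headers to show which later requests carry a cookie. The hosts, URLs and cookie values are constructed; `PHPSESSID` and `YII_CSRF_TOKEN` are the PHP and Yii 1 default cookie names, assumed here.

```python
# Added example (not LimeSurvey code): RFC 6265 cookie scoping on constructed data.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: host is the cookie domain or a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    return host.lower() == d or host.lower().endswith("." + d)

def path_match(req_path, cookie_path):
    """RFC 6265 5.1.4: cookie path must be a prefix ending on a '/' boundary."""
    if req_path == cookie_path:
        return True
    if not req_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"

def default_path(req_path):
    """RFC 6265 5.1.4: with no Path attribute, use the request's directory."""
    cut = req_path.rfind("/")
    return req_path[:cut] if cut > 0 else "/"

def returned(set_cookie, set_url, next_url):
    """True if a cookie set by the response to set_url is sent with next_url."""
    src, dst = urlsplit(set_url), urlsplit(next_url)
    morsel = next(iter(SimpleCookie(set_cookie).values()))
    domain = morsel["domain"]
    if domain and not domain_match(src.hostname, domain):
        return False  # browser rejects a Domain the setting host is not under
    path = morsel["path"] or default_path(src.path or "/")
    if domain:
        host_ok = domain_match(dst.hostname, domain)
    else:
        host_ok = dst.hostname == src.hostname  # host-only cookie
    return host_ok and path_match(dst.path or "/", path)

# Constructed hosts, URLs and values; cookie names are the PHP / Yii 1 defaults.
SURVEY = "http://surveys.example.org/limesurvey2/index.php/survey/index"
ROOT_APP = "http://surveys.example.org/index.php"
SIBLING = "http://www.example.org/"
WIDE = "PHPSESSID=s1; Domain=.example.org; Path=/; HttpOnly"
NARROW = "PHPSESSID=s2; Domain=surveys.example.org; Path=/limesurvey2; HttpOnly"
CSRF_HOST_ONLY = "YII_CSRF_TOKEN=t1; Path=/"

if __name__ == "__main__":
    for label, cookie, setter in [("wide", WIDE, SURVEY), ("narrow", NARROW, SURVEY),
                                  ("narrow set by / app", NARROW, ROOT_APP)]:
        for target in (SURVEY, ROOT_APP, SIBLING):
            print(f"{label:20} -> {target:62} sent={returned(cookie, setter, target)}")
```

When the `NARROW` attributes are applied globally, an application served from `/` sets a cookie that the browser accepts but never sends back to it, which is consistent with the session trouble reported for the site at `/`.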
9 years 11 months ago - 9 years 11 months ago #107139 by DenisChenu
Replied by DenisChenu on topic Error: Bad Request, CSRF Token
No:
'domain' => 'cdsp.sciences-po.fr',

but
'domain' => '.sciences-po.fr',

I think the domain is set somewhere in your Apache config. You can't update it in the LimeSurvey config. But MAYBE you can set the LimeSurvey config to use the good domain.

Denis
PS: try using:
Code:
'session' => array(
        'cookieMode' => 'allow',
        'cookieParams' => array(
            'path' => '/',
            'domain' => '.sciences-po.fr',
            'httpOnly' => true,
        ),
    ),

9 years 11 months ago #107140 by DenisChenu
Replied by DenisChenu on topic Error: Bad Request, CSRF Token
Another alternative : use DB session (uncomment the part in config.php file).

9 years 11 months ago #107146 by zobbyzobba
Replied by zobbyzobba on topic Error: Bad Request, CSRF Token
Hi,


I've tried with exactly your code, it doesn't work any better :(

I also tried with DB sessions: the table lime_sessions is populated, but it's still the same problem.

The only thing that I've changed and which "solved" my problem is the cookie path. Do you think we should look in that direction?
I'm reading docs about this parameter, but all I read is the contrary of what happens on my server :(
9 years 11 months ago - 9 years 11 months ago #107147 by DenisChenu
Replied by DenisChenu on topic Error: Bad Request, CSRF Token
I tried myself with:
Code:
php_value session.cookie_domain ".sondages.pro"
But without any other modification, LimeSurvey works great too.

But YII_CRSF cookie is set for limesurvey.sondages.pro.
I think there is another restriction for all your cookies, not only your session cookie.

You can set your CSRF cookie domain too. Try this in config.php
Code:
'request' => array(
            'csrfCookie' => array( 'domain' => '.sciences-po.fr' )
        ),
(I think you can leave the session cookie to .sciences-po.fr. I don't know what happened for the 'Time' cookie.)

If you have more information on your server, and why cookie with subdomain can not be set. Maybe you have another Yii elsewhere ?

Denis

PS: last chance: update internal.php
Code:
'enableCsrfValidation'=>false,    // CSRF protection

9 years 11 months ago #107236 by zobbyzobba
Replied by zobbyzobba on topic Error: Bad Request, CSRF Token
Hi,

Forcing the CSRF domain does not help :(

Deactivating CSRF gives me an error page which says that my session has expired, all the time. Even if my cookie cache is cleared.

If you have more information on your server, and why cookie with subdomain can not be set. Maybe you have another Yii elsewhere ?


My server is running Apache 2.2 with PHP 5.5.9, I don't have other Yii applications, but I have a Piwik and a personal PHP site which are working great and use PHP sessions and cookies like Limesurvey.