TOPIC: Error: Bad Request, CSRF Token

Error: Bad Request, CSRF Token 1 year 10 months ago #107096

zobbyzobba (Fresh Lemon, Posts: 11, Karma: 0)
Hi everyone,

When we try to do a survey, after clicking the first "Next" button on the Welcome screen, we get the error:

Bad Request

The CSRF token could not be verified.

The request could not be understood by the server due to malformed syntax. blah blah...


I have the latest stable version 2.05+ build 140320. This only appears when we're not logged into the admin console.
Using an invitation or not gives the same result.

There are no PHP errors in the Apache logs.

I've already read this wiki: manual.limesurvey.org/Troubleshooting#Af...d_not_be_verified.27
But it doesn't solve the problem...

It might be a server config thing, but I don't know what.

Do you have any ideas to help me?

Best Regards
The administrator has disabled public write access.

Error: Bad Request, CSRF Token 1 year 10 months ago #107101

DenisChenu (Moderator Lime, Posts: 8194, Thank you received: 1117, Karma: 331)
Hi,

Did you try with the default template?

Error: Bad Request, CSRF Token 1 year 10 months ago #107107

zobbyzobba (Fresh Lemon, Posts: 11, Karma: 0)
Hello,

Yes, I'm trying from a fresh install, with a basic survey with the default template.
Sorry, I forgot to specify that.

I'm really lost with this problem. :(

Error: Bad Request, CSRF Token 1 year 10 months ago #107111

DenisChenu (Moderator Lime, Posts: 8194, Thank you received: 1117, Karma: 331)
Can you give us a link to test?

Error: Bad Request, CSRF Token 1 year 10 months ago #107112

zobbyzobba (Fresh Lemon, Posts: 11, Karma: 0)
Yep, you can try this one:
cdsp.sciences-po.fr/limesurvey2/index.ph...s6ckrivweq3a/lang/en

(Link is from the mail invitation)

Error: Bad Request, CSRF Token 1 year 10 months ago #107113

DenisChenu (Moderator Lime, Posts: 8194, Thank you received: 1117, Karma: 331)
Hi,

Strange: the phpadmin session cookie is set for .sciences-po.fr and /,
not for cdsp.sciences-po.fr.

I think the problem is here.

I have never tested the 'global domain cookie'.

Maybe you can try:
www.yiiframework.com/wiki/135/single-sig...multiple-subdomains/
'session' => array(
        'savePath' => '/some/writeable/path',
        'cookieMode' => 'allow',
        'cookieParams' => array(
            'path' => '/',
            'domain' => '.sciences-po.fr',
            'httpOnly' => true,
        ),
    ),
Last Edit: 1 year 10 months ago by DenisChenu.

Error: Bad Request, CSRF Token 1 year 10 months ago #107133

zobbyzobba (Fresh Lemon, Posts: 11, Karma: 0)
Hello,

You've pointed at the right problem!

I've set your code in config.php. It seems to be applied in phpinfo, but it doesn't solve the problem.
I have a question: should the cookie path be /limesurvey in my case?

I put this in config.php:
'session' => array(
    'savePath' => '/my/path/to/limesurvey2/tmp/sessions/',
    'cookieMode' => 'allow',
    'cookieParams' => array(
        'path' => '/limesurvey2',
        'domain' => 'cdsp.sciences-po.fr',
        'httpOnly' => true,
    ),
),

I've also tried with "/" in the path variable.

This doesn't work :angry:

BUT, I've modified my php.ini with:
session.cookie_path = /limesurvey2
session.cookie_domain = cdsp.sciences-po.fr

And this solved my problem! Now the surveys are all accessible, no CSRF errors.

But the setting is global, and LimeSurvey is not my only PHP application... the PHP site at / now has PHP session troubles.

I need to find a way to make this work on the local LimeSurvey site only.

I don't know why it doesn't work with the config in config.php, even though the settings are visible in LimeSurvey's phpinfo.

Thanks for this progress :)

Hope to solve this soon...

Error: Bad Request, CSRF Token 1 year 10 months ago #107139

DenisChenu (Moderator Lime, Posts: 8194, Thank you received: 1117, Karma: 331)
No, not:
'domain' => 'cdsp.sciences-po.fr',

but:
'domain' => '.sciences-po.fr',

I think the domain is set somewhere in your Apache config. You can't update it in the LimeSurvey config. But MAYBE you can set the LimeSurvey config to use the right domain.

Denis
PS: try use:
'session' => array(
        'cookieMode' => 'allow',
        'cookieParams' => array(
            'path' => '/',
            'domain' => '.sciences-po.fr',
            'httpOnly' => true,
        ),
    ),
Last Edit: 1 year 10 months ago by DenisChenu.

Error: Bad Request, CSRF Token 1 year 10 months ago #107140

DenisChenu (Moderator Lime, Posts: 8194, Thank you received: 1117, Karma: 331)
Another alternative: use DB sessions (uncomment the part in the config.php file).

Error: Bad Request, CSRF Token 1 year 10 months ago #107146

zobbyzobba (Fresh Lemon, Posts: 11, Karma: 0)
Hi,


I've tried with exactly your code; it doesn't work any better :(

I also tried with DB sessions: the table lime_sessions is populated, but still the same problem.

The only thing that I've changed and which "solved" my problem is the cookie path. Do you think we should look that way?
I'm reading docs about this parameter, but all I read is the contrary of what happens on my server :(

Error: Bad Request, CSRF Token 1 year 10 months ago #107147

DenisChenu (Moderator Lime, Posts: 8194, Thank you received: 1117, Karma: 331)
I tried myself with:
php_value session.cookie_domain ".sondages.pro"
But without any other modification, LimeSurvey works great too.

But the YII_CSRF cookie is set for limesurvey.sondages.pro.
I think there is another restriction on all your cookies, not only your session cookie.

You can set your CSRF cookie domain too. Try this in config.php:
'request' => array(
    'csrfCookie' => array( 'domain' => '.sciences-po.fr' )
),
(I think you can leave the session cookie at .sciences-po.fr. I don't know what happens with the 'Time' cookie.)

If you have more information on your server, and why a cookie with a subdomain cannot be set... Maybe you have another Yii elsewhere?

Denis

PS: last chance: update internal.php
'enableCsrfValidation'=>false,    // CSRF protection
Last Edit: 1 year 10 months ago by DenisChenu.
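The cookie-scoping mechanism behind Denis's two observations above (the session cookie scoped to .sciences-po.fr and / in #107113, and the separate YII_CSRF cookie in #107147), as an added example that is not LimeSurvey's or Yii's own code: a small RFC 6265 cookie jar plus a double-submit CSRF check in the style of Yii 1.x. It shows that a cookie for .sciences-po.fr and / does reach cdsp.sciences-po.fr/limesurvey2/, that session.cookie_path = /limesurvey2 keeps the survey's cookie away from the site at /, and one mechanism, assumed rather than confirmed for this server, by which a same-named cookie from a broader scope can shadow the application's own CSRF cookie until a more specific Path puts the application's cookie first in the Cookie header. The stale parent-domain cookie, the token values and the first-duplicate-wins server behaviour are assumptions made for illustration.

```python
"""Added example (not LimeSurvey's or Yii's code): a minimal RFC 6265 cookie
jar and a Yii 1.x-style double-submit CSRF check.  Host names, paths and cookie
names come from the thread; token values and the stale cookie are constructed."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # stored without the leading dot
    path: str
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie: Cookie) -> bool:
    """RFC 6265 5.1.3: a host-only cookie matches the exact host only; a
    Domain attribute also matches every subdomain of that domain."""
    host, dom = request_host.lower(), cookie.domain.lower()
    if cookie.host_only:
        return host == dom
    return host == dom or host.endswith("." + dom)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: exact, or a prefix that ends in '/' or
    is followed by '/' in the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieJar:
    """What a browser stores after Set-Cookie and sends back on a request."""

    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def set_cookie(self, name: str, value: str, request_host: str,
                   domain: Optional[str] = None, path: str = "/") -> None:
        if domain is None:
            new = Cookie(name, value, request_host, path, host_only=True)
        else:
            new = Cookie(name, value, domain.lstrip("."), path, host_only=False)
        # same (name, domain, path) is replaced; a different scope coexists
        self.cookies = [c for c in self.cookies
                        if (c.name, c.domain, c.path) != (new.name, new.domain, new.path)]
        self.cookies.append(new)

    def cookies_for(self, host: str, path: str) -> List[Cookie]:
        """Cookies sent to host+path, longer paths first (RFC 6265 5.4)."""
        hits = [c for c in self.cookies
                if domain_matches(host, c) and path_matches(path, c.path)]
        return sorted(hits, key=lambda c: -len(c.path))


def server_cookie_view(sent: List[Cookie]) -> Dict[str, str]:
    """Name -> value as the application sees it.  This toy server keeps the
    FIRST occurrence of a duplicated name (assumption for the example;
    real servers and frameworks differ, so check yours)."""
    view: Dict[str, str] = {}
    for c in sent:
        view.setdefault(c.name, c.value)
    return view


def csrf_verified(view: Dict[str, str], form_token: str,
                  cookie_name: str = "YII_CSRF_TOKEN") -> bool:
    """Double-submit check: the token posted with the form must equal the one
    in the CSRF cookie.  No cookie, or a cookie from another scope, fails."""
    cookie_token = view.get(cookie_name)
    return cookie_token is not None and hmac.compare_digest(cookie_token, form_token)


HOST, SURVEY_URL, ROOT_URL = "cdsp.sciences-po.fr", "/limesurvey2/index.php", "/index.php"


def parent_domain_cookie_reaches_app() -> bool:
    """A cookie scoped to .sciences-po.fr and / is still sent to the survey URL."""
    jar = CookieJar()
    jar.set_cookie("PHPSESSID", "s1", HOST, domain=".sciences-po.fr", path="/")
    return [c.name for c in jar.cookies_for(HOST, SURVEY_URL)] == ["PHPSESSID"]


def path_scoped_cookie_isolates_app() -> Tuple[int, int]:
    """session.cookie_path=/limesurvey2: sent to the survey, not to the site at /."""
    jar = CookieJar()
    jar.set_cookie("PHPSESSID", "s2", HOST, path="/limesurvey2")
    return len(jar.cookies_for(HOST, SURVEY_URL)), len(jar.cookies_for(HOST, ROOT_URL))


def same_name_collision(app_path: str) -> Tuple[int, bool]:
    """A constructed stale YII_CSRF_TOKEN for .sciences-po.fr coexists with the
    fresh host-only one the app issues.  Both are sent; which one the server sees
    first depends on the Path of the fresh cookie, which the php.ini change alters."""
    jar = CookieJar()
    jar.set_cookie("YII_CSRF_TOKEN", "stale-token", HOST, domain=".sciences-po.fr", path="/")
    jar.set_cookie("YII_CSRF_TOKEN", "fresh-token", HOST, path=app_path)
    sent = jar.cookies_for(HOST, SURVEY_URL)
    return len(sent), csrf_verified(server_cookie_view(sent), "fresh-token")
```

same_name_collision("/") returns (2, False): two cookies are sent and the stale one shadows the fresh one, so the double-submit check fails exactly as "The CSRF token could not be verified" does; same_name_collision("/limesurvey2") returns (2, True) because the longer Path is listed first. To check whether this is what a real server sees, compare the Cookie header the browser sends on the POST (browser developer tools) with the session.cookie_domain and session.cookie_path values phpinfo() reports; two stored cookies with the same name but different Domain or Path is the signature of this collision.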

Error: Bad Request, CSRF Token 1 year 10 months ago #107236

zobbyzobba (Fresh Lemon, Posts: 11, Karma: 0)
Hi,

Forcing the CSRF domain doesn't help :(

Deactivating CSRF gives me an error page saying that my session has expired, all the time. Even if my cookie cache is cleared.

"If you have more information on your server, and why a cookie with a subdomain cannot be set... Maybe you have another Yii elsewhere?"

My server is running Apache 2.2 with PHP 5.5.9. I don't have other Yii applications, but I have a Piwik and a personal PHP site which work great and use PHP sessions and cookies like LimeSurvey.

Error: Bad Request, CSRF Token 1 year 9 months ago #107320

DenisChenu (Moderator Lime, Posts: 8194, Thank you received: 1117, Karma: 331)
I tested with 2 installations and cookie domain .sondages.pro: this breaks the whole system.

Can you test adding this in your .htaccess:
php_value session.cookie_domain "cdsp.sciences-po.fr"

Error: Bad Request, CSRF Token 1 year 9 months ago #107335

zobbyzobba (Fresh Lemon, Posts: 11, Karma: 0)
Hi Denis,

Thanks for the answer!

Unfortunately, this doesn't solve the problem :unsure:
(in /limesurvey/path/.htaccess)

Is this the right .htaccess?

Moreover, the cookie domain doesn't change in phpinfo() with this setting.
Should I remove what I've put in config.php if I put this in .htaccess?

Best Regards,
Last Edit: 1 year 9 months ago by zobbyzobba.

Error: Bad Request, CSRF Token 1 year 9 months ago #107342

DenisChenu (Moderator Lime, Posts: 8194, Thank you received: 1117, Karma: 331)
Hi,

Not sure; I'm testing on some systems, and you don't have the same system as me...
I can't find a real fix here...

PS: do you have Suhosin on this server? If yes: deactivate it (simulation on).
Last Edit: 1 year 9 months ago by DenisChenu.