Error: Bad Request, CSRF Token

3 years 6 months ago #107096 by zobbyzobba
zobbyzobba created the topic: Error: Bad Request, CSRF Token
Hi everyone,

When we try to do a survey, after clicking the first "Next" button on the Welcome screen, we get the error:

Bad Request

The CSRF token could not be verified.

The request could not be understood by the server due to malformed syntax. blah blah...


I have the last stable version, 2.05+ build 140320. This only appears when we're not logged in to the admin console.
Using an invitation or not has the same result.

There are no PHP errors in the Apache logs.

I've already read this wiki page: manual.limesurvey.org/Troubleshooting#Af...d_not_be_verified.27
But it doesn't solve the problem...

It might be server config stuff, but I don't know what...

Do you have any ideas to help me?

Best Regards

3 years 6 months ago #107101 by DenisChenu
DenisChenu replied the topic: Error: Bad Request, CSRF Token
Hi,

Did you try with the default template?

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
An error happen ? Before make a new topic : remind the Debug mode .

3 years 6 months ago #107107 by zobbyzobba
zobbyzobba replied the topic: Error: Bad Request, CSRF Token
Hello,

Yes, I'm trying from a fresh install, with a basic survey with the default template.
Sorry, I forgot to specify that.

I'm really lost with this problem. :(

3 years 6 months ago #107111 by DenisChenu
DenisChenu replied the topic: Error: Bad Request, CSRF Token
Can you give us a link to test?

3 years 6 months ago #107112 by zobbyzobba
zobbyzobba replied the topic: Error: Bad Request, CSRF Token
Yep, you can try this one:
cdsp.sciences-po.fr/limesurvey2/index.ph...s6ckrivweq3a/lang/en

(Link is from the mail invitation)

3 years 6 months ago - 3 years 6 months ago #107113 by DenisChenu
DenisChenu replied the topic: Error: Bad Request, CSRF Token
Hi,

Strange: the phpadmin session cookie is set for .sciences-po.fr and /
Not for cdsp.sciences-po.fr

I think the problem is here.

I never tested 'global domain cookie'.

Maybe you can try:
www.yiiframework.com/wiki/135/single-sig...multiple-subdomains/
    'session' => array(
        'savePath' => '/some/writeable/path',
        'cookieMode' => 'allow',
        'cookieParams' => array(
            'path' => '/',
            'domain' => '.sciences-po.fr',
            'httpOnly' => true,
        ),
    ),

Last Edit: 3 years 6 months ago by DenisChenu.

3 years 6 months ago #107133 by zobbyzobba
zobbyzobba replied the topic: Error: Bad Request, CSRF Token
Hello,

You've pointed out the right problem!

I've set your code in config.php. It seems to be applied in phpinfo, but it doesn't solve the problem.
I have a question: should the cookie path be /limesurvey in my case?

I put this in config.php:
    'session' => array(
        'savePath' => '/my/path/to/limesurvey2/tmp/sessions/',
        'cookieMode' => 'allow',
        'cookieParams' => array(
            'path' => '/limesurvey2',
            'domain' => 'cdsp.sciences-po.fr',
            'httpOnly' => true,
        ),
    ),

I've also tried with "/" in the path variable.

This doesn't work :angry:

BUT, I've modified my php.ini with:
session.cookie_path = /limesurvey2
session.cookie_domain = cdsp.sciences-po.fr

And this solved my problem! Now surveys are all accessible, no CSRF errors.

But the setting is global, and LimeSurvey is not my only PHP application... the PHP site at / now has PHP session troubles..

I need to find a way to make this work on the local LimeSurvey site.

I don't know why it doesn't work with the config in config.php, even though the settings are visible in LimeSurvey's phpinfo.

Thanks for this progress :)

Hope to solve this soon...

3 years 6 months ago - 3 years 6 months ago #107139 by DenisChenu
DenisChenu replied the topic: Error: Bad Request, CSRF Token
No:
'domain' => 'cdsp.sciences-po.fr',

but
'domain' => '.sciences-po.fr',

I think the domain is set somewhere in your Apache config. You can't update it in the LimeSurvey config. But MAYBE you can set the LimeSurvey config to use the good domain.

Denis
PS: try using:
    'session' => array(
        'cookieMode' => 'allow',
        'cookieParams' => array(
            'path' => '/',
            'domain' => '.sciences-po.fr',
            'httpOnly' => true,
        ),
    ),

Last Edit: 3 years 6 months ago by DenisChenu.

3 years 6 months ago #107140 by DenisChenu
DenisChenu replied the topic: Error: Bad Request, CSRF Token
Another alternative: use DB sessions (uncomment the part in the config.php file).

3 years 6 months ago #107146 by zobbyzobba
zobbyzobba replied the topic: Error: Bad Request, CSRF Token
Hi,


I've tried with exactly your code; it doesn't work any better :(

I also tried with DB sessions: the table lime_sessions is populated, but still the same problem.

The only thing that I've changed and which "solved" my problem is the cookie path. Do you think we should look in that direction?
I'm reading docs about this parameter, but all I read is the contrary of what happens on my server :(

3 years 6 months ago - 3 years 6 months ago #107147 by DenisChenu
DenisChenu replied the topic: Error: Bad Request, CSRF Token
I tried it myself with:
php_value session.cookie_domain ".sondages.pro"
But without any other modification, LimeSurvey works great too.

But the YII_CSRF cookie is set for limesurvey.sondages.pro.
I think there is another restriction for all your cookies, not only your session cookie.

You can set your CSRF cookie domain too. Try this in config.php:
    'request' => array(
        'csrfCookie' => array( 'domain' => '.sciences-po.fr' )
    ),
(I think you can leave the session cookie at .sciences-po.fr. I don't know what happened with the 'Time' cookie.)

If you have more information on your server, and why cookie with subdomain can not be set. Maybe you have another Yii elsewhere ?

Denis

PS: last chance: update internal.php
'enableCsrfValidation'=>false,    // CSRF protection

Last Edit: 3 years 6 months ago by DenisChenu.
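
Added example, not part of the thread and not LimeSurvey or Yii code: a small Python check of which cookies a browser would return for a URL under the RFC 6265 domain-match, path-match and ordering rules, using the domain and path scopes tried in the posts above. The cookie names and values, the request URLs and the `host_only` field are constructed for illustration.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie_domain, host_only):
    """RFC 6265 5.1.3: exact host, or host is a subdomain of cookie_domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host_only:                      # cookie was set without a Domain attribute
        return host == cookie_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4: cookie_path must be a prefix ending on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(url, jar):
    """Return the (name, value) pairs sent for url, longest cookie path first."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    hits = [c for c in jar
            if domain_match(host, c["domain"], c.get("host_only", False))
            and path_match(path, c["path"])]
    hits.sort(key=lambda c: -len(c["path"]))  # RFC 6265 5.4; stable, keeps jar order on ties
    return [(c["name"], c["value"]) for c in hits]

# Constructed jar: names and values are placeholders, scopes are the ones from the thread.
JAR = [
    {"name": "SESSION", "value": "parent", "domain": ".sciences-po.fr", "path": "/"},
    {"name": "SESSION", "value": "scoped", "domain": "cdsp.sciences-po.fr",
     "path": "/limesurvey2"},
    {"name": "CSRF", "value": "host-only", "domain": "cdsp.sciences-po.fr",
     "path": "/", "host_only": True},
]

SURVEY = "https://cdsp.sciences-po.fr/limesurvey2/"      # constructed survey URL
OTHER_APP = "https://cdsp.sciences-po.fr/limesurvey20/"  # constructed sibling path
OTHER_HOST = "https://www.sciences-po.fr/"               # constructed sibling host

if __name__ == "__main__":
    for url in (SURVEY, OTHER_APP, OTHER_HOST):
        print(url, cookies_sent(url, JAR))
```

The survey URL receives both same-named cookies, the path-scoped one first, so the server side has to choose between two values for one name.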

3 years 6 months ago #107236 by zobbyzobba
zobbyzobba replied the topic: Error: Bad Request, CSRF Token
Hi,

Forcing the CSRF domain does not help :(

Deactivating CSRF gives me an error page which says that my session is expired, all the time, even if my cookie cache is cleared.

If you have more information on your server, and why cookie with subdomain can not be set. Maybe you have another Yii elsewhere ?


My server is running Apache 2.2 with PHP 5.5.9, I don't have other Yii applications, but I have a Piwik and a personal PHP site which are working great and use PHP sessions and cookies like Limesurvey.

3 years 6 months ago #107320 by DenisChenu
DenisChenu replied the topic: Error: Bad Request, CSRF Token
I tested with 2 installations and cookie domain .sondages.pro: this breaks the whole system.

Can you test adding this in your .htaccess:
php_value session.cookie_domain "cdsp.sciences-po.fr"

3 years 6 months ago - 3 years 6 months ago #107335 by zobbyzobba
zobbyzobba replied the topic: Error: Bad Request, CSRF Token
Hi Denis,

Thanks for the answer!

Unfortunately, this doesn't solve the problem :unsure:
in /limesurvey/path/.htaccess

Is this the right .htaccess?

Moreover, the domain cookie does not change in phpinfo() with this setting.
Should I remove what I've put in config.php if I put this in .htaccess?

Best Regards,
Last Edit: 3 years 6 months ago by zobbyzobba.

3 years 6 months ago - 3 years 6 months ago #107342 by DenisChenu
DenisChenu replied the topic: Error: Bad Request, CSRF Token
Hi,

Not sure; testing some systems, and you don't have the same system as me...
Cannot find a real fix here...

PS: do you have suhosin on this server? If yes: deactivate it (simulation on).

Last Edit: 3 years 6 months ago by DenisChenu.
