0
votes

I'm having a problem with the CSRF component since I updated to the latest CakePHP version, 3.0.4, yesterday. It looks like there is a security fix for previous versions, so I decided to upgrade as soon as possible, but since then I get this error when I try to log in to my app:

Invalid CSRF token.

Strangely enough, I have seen a funny behavior while trying to figure out what is happening:

1) I went to my AppController.php, set the secure option of the Csrf component to false, then logged in -> it works

2) Set that option to true and log in again -> it works

3) In (Chrome) incognito mode, try to log in from there -> it fails (invalid CSRF token)

4) After the incognito failure, try to log in again from non-incognito mode -> it works

Looking at the documentation I thought that enabling it and using the standard Form helper would be enough... do I need something else? Everything was working correctly with the 3.0.2 version I was using before.

1
I just baked a new app and did this, but could not reproduce your error. What do you think could be different? - José Lorenzo Rodríguez
Actually I really have no idea. If this can help, I've been developing this application since RC1 and I have continuously updated it until now... do you think it could be something related to one of my config files? - ToX 82
I've baked a new app using 3.0.4, merging my src and webroot folders, but I'm facing the same problem. Anyway, the _csrfToken looks correctly set in DebugKit's Request panel... This is the whole error: Invalid CSRF token. Error: The requested address '/sviluppo/users/login' was not found on this server. - ToX 82
possibly a cookie named csrfToken is not set or not correctly sent back to the server. - arahaya
Maybe you are in the right direction. Actually, there is no cookie called csrfToken when the Csrf component's secure option is set to true. If I set it to false the cookie is there. - ToX 82

1 Answer

2
votes

The secure flag in the Csrf component means that the cookie will only be set if using an https (secure) connection. If the form is not generated and submitted over https, then it will block the attempt.
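The sequence of results in the question follows from that, and an added illustration (not CakePHP's code and not the answerer's) makes it concrete. The Python below is a small model of the double-submit cookie check the CsrfComponent performs (cookie issued on GET, hidden field compared against the cookie on POST) together with a browser cookie jar that honours the Secure flag. The class and function names are invented for this example; the cookie name csrfToken and the field name _csrfToken are CakePHP's defaults. Replaying the four steps shows why steps 2 and 4 pass: the non-Secure cookie left behind by step 1 is still sent over http, so the form token still matches it, while a fresh incognito profile over http never gets a usable cookie and the POST fails. The fifth case shows the fix: serve the app over https.

```python
import secrets

COOKIE_NAME = "csrfToken"   # CakePHP's default CSRF cookie name
FIELD_NAME = "_csrfToken"   # CakePHP's default hidden form field


class InvalidCsrfToken(Exception):
    """Stands in for CakePHP's InvalidCsrfTokenException (HTTP 403)."""


class CookieJar:
    """Browser-side cookie store that honours the Secure flag.

    Assumption for this model: like current Chrome and Firefox, a Secure cookie
    set by a plain-http response is discarded. Older browsers stored it but still
    refused to send it over http, which gives the same outcome in the replay.
    """

    def __init__(self):
        self._cookies = {}  # name -> (value, secure)

    def store(self, name, value, secure, scheme):
        if secure and scheme != "https":
            return  # Secure cookie from an insecure origin: dropped
        self._cookies[name] = (value, secure)

    def sent(self, scheme):
        """Cookies the browser attaches to a request over the given scheme."""
        return {
            name: value
            for name, (value, secure) in self._cookies.items()
            if scheme == "https" or not secure
        }


class CsrfServer:
    """Server side of the double-submit check, modelled on CakePHP's CsrfComponent."""

    def __init__(self, secure):
        self.secure = secure  # the component's 'secure' option

    def get_login_form(self, jar, scheme):
        # On a GET without a cookie, issue a fresh token cookie (with the Secure
        # flag when configured) and embed the same token in the form.
        token = jar.sent(scheme).get(COOKIE_NAME)
        if token is None:
            token = secrets.token_hex(16)
            jar.store(COOKIE_NAME, token, self.secure, scheme)
        return {FIELD_NAME: token}

    def post_login(self, jar, scheme, form):
        # On POST, the hidden field must equal the cookie the browser sent back.
        cookie = jar.sent(scheme).get(COOKIE_NAME)
        if not cookie or form.get(FIELD_NAME) != cookie:
            raise InvalidCsrfToken("Invalid CSRF token.")
        return "logged in"


def attempt_login(jar, scheme, secure):
    """One GET of the login form followed by one POST, returning the outcome."""
    server = CsrfServer(secure=secure)
    form = server.get_login_form(jar, scheme)
    try:
        return server.post_login(jar, scheme, form)
    except InvalidCsrfToken as exc:
        return str(exc)


def replay_question():
    """The four steps from the question over plain http, plus the https fix."""
    normal = CookieJar()      # the everyday browser profile
    incognito = CookieJar()   # a fresh profile with no cookies
    return [
        attempt_login(normal, "http", secure=False),      # 1) cookie set without Secure, works
        attempt_login(normal, "http", secure=True),       # 2) stale non-Secure cookie still sent, works
        attempt_login(incognito, "http", secure=True),    # 3) no cookie can be set over http, fails
        attempt_login(normal, "http", secure=True),       # 4) old profile again, works
        attempt_login(CookieJar(), "https", secure=True), # fix: fresh profile over https, works
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(replay_question(), start=1):
        print(step, outcome)
```

The practical reading is that a successful login with secure set to true proves nothing until it has been tried from a browser profile with no leftover csrfToken cookie; the cookie from an earlier non-secure run masks the misconfiguration. Keep secure true in production and develop over https locally, rather than carrying a non-Secure cookie around.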