erikdubbelboer/phpRedisAdmin

BAD CSRF TOKEN

v012345 opened this issue · 7 comments

When I delete a key, I am redirected to a 404 page whose path is "http://myDomian/bad%20csrf%20token".

asmc commented

> When I delete a key, I am redirected to a 404 page whose path is "http://myDomian/bad%20csrf%20token".

me too

asmc commented

Also, if you have changed your phpRedisAdmin/ directory to something else, you will be redirected to "bad csrf token"...

asmc commented

And the view frame cannot show any contents because of "header('X-Frame-Options: DENY');". I had to add "Header always set X-Frame-Options "sameorigin"" to .htaccess.

My bad. I have just released a fix for sameorigin. Please upgrade to 1.16.1 and try again.

I don't really use this project anymore, but there were a bunch of security issues reported that I tried to fix. I tested it locally and everything worked fine. But it seems like with other setups things break.

For the bad csrf token error: what version of PHP are you using, and what does your session setup look like?
The CSRF code uses PHP sessions.
It does check session_status() !== PHP_SESSION_DISABLED, but I guess something else goes wrong?
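The maintainer's description above (token kept in the PHP session, with a `session_status() !== PHP_SESSION_DISABLED` guard) as an added example of a session-backed CSRF helper. This is not phpRedisAdmin's own code; the function names, the `csrf_token` session key and the `csrf` form field are assumptions. It differs from a bare `session_start()` in one way that matters for this thread: when the session cannot be started, it fails loudly instead of handing out a token that can never be verified on the next request.

```php
<?php
// Added example (not phpRedisAdmin code): session-backed CSRF token helper.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token'; // assumed session key name

// Start the session or throw with a message that points at the usual cause.
function csrf_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    if (session_status() === PHP_SESSION_DISABLED) {
        throw new RuntimeException('PHP sessions are disabled in this configuration');
    }
    // session_start() returns false (after emitting a warning) when the
    // session handler cannot read or open the session, e.g. when the
    // "files" handler's session.save_path is not writable by the PHP user.
    if (session_start() === false) {
        $savePath = ini_get('session.save_path') ?: sys_get_temp_dir();
        throw new RuntimeException(
            "session_start() failed; check that session.save_path ($savePath) "
            . 'exists and is writable by the web server user'
        );
    }
}

// Return the per-session token, generating it on first use.
function csrf_token(): string
{
    csrf_session_start();
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Constant-time comparison of the submitted token against the session copy.
// A missing session value (fresh session, lost cookie, unreadable session
// file) is a failure, never a pass.
function csrf_check(?string $submitted): bool
{
    csrf_session_start();
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? null;
    return is_string($expected)
        && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Typical use: verify on the state-changing request, embed in the form.
if (PHP_SAPI !== 'cli') {
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
        if (!csrf_check($_POST['csrf'] ?? null)) {
            http_response_code(403);
            exit('bad csrf token');
        }
        // ... perform the key deletion here ...
    }
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="csrf" value="' . $token . '">'
       . '<button type="submit">Delete key</button>'
       . '</form>';
}
```

The `hash_equals()` comparison and the explicit `null` handling are the two checks worth keeping in any variant: the token must be compared in constant time, and "no token in the session" has to be treated as a bad token rather than as "nothing to compare".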

I use PHP7.4.
I have updated it to 1.16.1.
But it doesn't work.
So I executed chmod -R 777 phpRedisAdmin and, MY GOD, it works.
Later I changed the permission back to 755, and it still works.
So I guess the reason is that PHP doesn't have permission to create session files on my server.
And I want to know where PHP saves the sessions.

That depends on how you have configured sessions on your server.
See: https://www.php.net/manual/en/session.configuration.php#ini.session.save-path

@v012345, check the session.cookie_path value in your php.ini.

It must contain / or be commented out.
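The two root causes discussed in this thread (an unwritable session.save_path, and a session.cookie_path that does not cover the directory the app is served from) as an added diagnostic script. It is not part of phpRedisAdmin; the function names and the `/phpRedisAdmin/` application path are assumptions. Run it as the same user the web server runs PHP as (through the web server, or with `sudo -u www-data php`), otherwise the writability check reflects the wrong account.

```php
<?php
// Added example (not phpRedisAdmin code): report the session settings that
// make a session-backed CSRF token unverifiable on the next request.
declare(strict_types=1);

// RFC 6265 section 5.1.4 path-match: the cookie is sent only when the
// request path equals the cookie path, or starts with it at a "/" boundary.
function cookie_path_matches(string $cookiePath, string $requestPath): bool
{
    if ($cookiePath === $requestPath) {
        return true;
    }
    if (strpos($requestPath, $cookiePath) !== 0) {
        return false;
    }
    return substr($cookiePath, -1) === '/'
        || $requestPath[strlen($cookiePath)] === '/';
}

// $appPath is the URL path the application is served from (assumed default).
function session_diagnostics(string $appPath = '/phpRedisAdmin/'): array
{
    $problems = [];

    // 1. Sessions must be enabled at all.
    if (session_status() === PHP_SESSION_DISABLED) {
        $problems[] = 'sessions are disabled in this PHP build/configuration';
    }

    // 2. With the "files" handler the save path must be writable by the PHP
    //    process. An empty value means the system temp dir; some distros use
    //    the "N;/path" form, where only the part after the last ";" is a path.
    $savePath = ini_get('session.save_path') ?: sys_get_temp_dir();
    if (strpos($savePath, ';') !== false) {
        $savePath = substr($savePath, strrpos($savePath, ';') + 1);
    }
    if (ini_get('session.save_handler') === 'files') {
        if (!is_dir($savePath)) {
            $problems[] = "session.save_path '$savePath' does not exist";
        } elseif (!is_writable($savePath)) {
            $problems[] = "session.save_path '$savePath' is not writable by the current PHP user";
        }
    }

    // 3. The session cookie must come back on the request that verifies the
    //    token. If session.cookie_path is narrower than the app's directory,
    //    the browser never sends it and the token lookup always fails.
    $cookiePath = ini_get('session.cookie_path') ?: '/';
    if (!cookie_path_matches($cookiePath, $appPath)) {
        $problems[] = "session.cookie_path '$cookiePath' does not cover '$appPath'; "
            . 'set it to / or comment it out';
    }

    return [
        'save_handler' => ini_get('session.save_handler'),
        'save_path'    => $savePath,
        'cookie_path'  => $cookiePath,
        'problems'     => $problems,
    ];
}

// Usage: an empty "problems" list means the session setup itself is not
// the reason for a "bad csrf token" response.
print_r(session_diagnostics('/phpRedisAdmin/'));
```

A directory that fails check 2 should be fixed by giving the PHP user write access to that one directory (or pointing session.save_path at one it owns), not by `chmod -R 777` on the application tree, which also makes every PHP source file writable by any local account.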