icecoder/ICEcoder

CSRF Issue when embedding ICEcoder in Chrome

Closed this issue · 2 comments

I got a CSRF issue while embedding ICEcoder using an iframe or embed tag in Google Chrome, but it works fine in Firefox.

For example, I disabled user login, and still got a CSRF issue at another place.

<br><br>
		CSRF issue:<br>
		REQUEST: 557873117f0a745ff0d81a46b790a28a<br>
		SESSION: 0d0aab77fd981ed06e93b4b3d6e7598f<br>
		FILE: /lib/get-branch.php<br>
		GET: array (
  'location' =&gt; '|',
  'csrf' =&gt; '557873117f0a745ff0d81a46b790a28a',
)<br>
		POST: array (
)

Google Chrome : Version 85.0.4183.121 (Official Build) (64-bit) (MAC)

Could this be because the page containing the iFrame is a PHP site and has a session?

ICEcoder has its own session storage system which it saves in its tmp dir. If you have 2 PHP sessions, one is probably in the typical server location and ICEcoder is running its own, so it may have the issue you're describing.

Try commenting out line 26 in lib/settings-common.php to stop it saving session info to its own path:

// ini_set('session.save_path', dirname(__FILE__) . '/../tmp'); // Localise the session files to /tmp

Now that's commented out, close all browser windows, try again and hopefully it won't have any further issues. You may need to comment out other lines between 15 and 34 in the same file and try enabling them to find the issue.

This is hopefully resolved now as ICEcoder isn't storing the session cookie in its /tmp dir, but more crucially, has its own session ID and so is able to work in isolation to another session cookie that may be present:

a5678eb
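
The isolation described in the last comment, sketched as an added example (not ICEcoder's code and not the contents of the commit above). The cookie name `EMBEDDEDAPPSESSID` and the function names are hypothetical; the `csrf` request parameter and session key follow the error output quoted in the issue.

```php
<?php
// Added example: give an embedded PHP app its own session cookie so it does
// not share a session ID with a host page on the same origin.
const APP_SESSION_NAME = 'EMBEDDEDAPPSESSID'; // hypothetical cookie name

function startIsolatedSession(): void
{
    // Must run before session_start(). With a distinct name, the host page's
    // default PHPSESSID cookie is ignored by this app, and vice versa.
    session_name(APP_SESSION_NAME);
    session_start();

    // Issue the token once per session; regenerating it on every request
    // would make every follow-up request fail the check below.
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(16)); // 32 hex characters
    }
}

function csrfTokenMatches(array $request): bool
{
    $sent   = $request['csrf'] ?? '';
    $stored = $_SESSION['csrf'] ?? '';

    // hash_equals() compares in constant time; reject non-strings and an
    // empty stored token so a missing session can never validate.
    return is_string($sent) && $stored !== '' && hash_equals($stored, $sent);
}

startIsolatedSession();

if (!csrfTokenMatches($_GET)) {
    // Log which cookie names arrived, without their values. If the app's own
    // cookie name is missing here, the browser did not send the session
    // cookie and the mismatch is a session problem, not a forged request.
    error_log(sprintf(
        'CSRF mismatch in %s; cookies present: [%s]',
        basename(__FILE__),
        implode(', ', array_keys($_COOKIE))
    ));
    http_response_code(403);
    exit('CSRF issue');
}

echo 'Token accepted';
```

Logging cookie names rather than the REQUEST and SESSION token values keeps the tokens out of responses and log files while still showing whether two sessions are colliding.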