CSRF Issue when embedding ICEcoder in Chrome
Closed this issue · 2 comments
I got a CSRF issue while embedding ICEcoder using an iframe or embed tag in Google Chrome, but it works fine in Firefox.
For example, I disabled user login and still got the CSRF issue at another place.

CSRF issue:
REQUEST: 557873117f0a745ff0d81a46b790a28a
SESSION: 0d0aab77fd981ed06e93b4b3d6e7598f
FILE: /lib/get-branch.php
GET: array (
  'location' => '|',
  'csrf' => '557873117f0a745ff0d81a46b790a28a',
)
POST: array (
)

Google Chrome : Version 85.0.4183.121 (Official Build) (64-bit) (MAC)
Could this be because the page containing the iFrame is a PHP site and has a session?
ICEcoder has its own session storage system which it saves in its tmp dir. If you have 2 PHP sessions, one is probably in the typical server location and ICEcoder is running its own, so it may have the issue you're describing.
Try commenting out line 26 in lib/settings-common.php to stop it saving session info to its own path:
// ini_set('session.save_path', dirname(__FILE__) . '/../tmp'); // Localise the session files to /tmp
Now that's commented out, close all browser windows, try again and hopefully it won't have any further issues. You may need to comment out other lines between 15 and 34 in the same file and try enabling them to find the issue.
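
For triaging reports like the one posted above, here is an added example (not part of the thread and not ICEcoder's own code) that parses the report and classifies the mismatch. It assumes REQUEST is the token the server read from the request and SESSION is the token stored in the session the request was resolved against; the function names and result labels are hypothetical.

```python
import re

# Constructed sample: the report text from the issue above, with the <br> tags removed.
SAMPLE_REPORT = """CSRF issue:
REQUEST: 557873117f0a745ff0d81a46b790a28a
SESSION: 0d0aab77fd981ed06e93b4b3d6e7598f
FILE: /lib/get-branch.php
GET: array (
'location' => '|',
'csrf' => '557873117f0a745ff0d81a46b790a28a',
)
POST: array (
)
"""

def parse_report(text):
    """Extract the token fields from a CSRF issue report in the format shown in this thread."""
    text = re.sub(r"<br\s*/?>", "", text)  # tolerate the raw HTML form as well
    fields = {}
    for key in ("REQUEST", "SESSION", "FILE"):
        m = re.search(rf"^{key}:[ \t]*(\S*)[ \t]*$", text, re.MULTILINE)
        fields[key.lower()] = m.group(1) if m else ""
    m = re.search(r"'csrf'\s*=>\s*'([^']*)'", text)
    fields["sent"] = m.group(1) if m else ""
    return fields

def triage(fields):
    """Classify the mismatch. Field meanings are assumptions inferred from the report."""
    if not fields["session"]:
        return "no-session-token"      # session held no token: fresh or unreadable session
    if not fields["request"]:
        return "no-request-token"      # caller omitted the csrf parameter
    if fields["request"] == fields["session"]:
        return "tokens-match"          # not a token mismatch; look elsewhere
    if fields["sent"] == fields["request"]:
        return "session-changed"       # client echoed a token, session holds a different one
    return "request-inconsistent"      # reported token differs from the csrf parameter sent

if __name__ == "__main__":
    f = parse_report(SAMPLE_REPORT)
    print(f["file"], triage(f))
```

A `session-changed` result means the client returned a token intact but the request was matched to a session holding a different one, which points the investigation at session handling (cookie delivery, save path, competing sessions) rather than at the request itself.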