SilverStripe Forums » All other Modules » Friendly message at possible CSRF attack

  • MarijnKampf
    Community Member

    Friendly message at possible CSRF attack

    A client of one of my clients reported a "Security token doesn't match, possible CSRF attack." message when trying to submit a user generated form. As there is nothing wrong with the form, I suspect that their session timed out and hence they received the error.

    I've now added Form::disable_all_security_tokens(); in the _config.php which means that the timeout should no longer occur. However, I'm wondering what potential security holes this leaves open?

    Would it be possible to replace the message "Security token doesn't match, possible CSRF attack." with something friendlier? Ideally a message saying 'Your session times out, click here to go back to your form and submit again'. With a link that takes the user back to the completely filled out form. All they then have to do is re-submit and everyone is happy.

  • Tama
    Community Member

    Re: Friendly message at possible CSRF attack

    I'm also interested in this.

    We've just had a user get in touch about this message.

    Marijn - have you made any progress with this? I don't want to alienate our users but I don't want to open our website to attack.

    Cheers
    Tama

  • MarijnKampf
    Community Member

    Re: Friendly message at possible CSRF attack

    Hi Tama,

    I haven't done anything other than disable the CSRF check. I would have hoped for a bit more detailed discussion on this issue.

    Marijn.

  • quanto
    Community Member

    Re: Friendly message at possible CSRF attack

    I also get the same error. I'm not sending it from the contact template, but from a (self-made) contact form on another page. Is it possible to send it from there, or can I only send this from the form-specific Layout?

  • JonoM
    Community Member

    Re: Friendly message at possible CSRF attack

    Hello, I'm having this problem too. I don't really understand what a CSRF attack is but I guess I don't want to open my site to one! I have a custom form which is quite long so it causes users a fair amount of stress when it doesn't submit properly, I guess because their session timed out?

    How unsafe is it to disable security tokens for forms?

    Is there a different solution, like could I increase how long a security token / session lasts for somehow? I thought a session was supposed to last until a browser was closed so I don't really understand how this problem is happening. Does putting your computer to sleep or something like that also expire a session?

    Thanks

  • JonoM
    Community Member

    Re: Friendly message at possible CSRF attack

    It seems if cookies aren't enabled in a visitor's browser this error will happen as well - so it's possible that could be the cause of my problems. I've tried to detect cookie support and show or hide the form based on that in case that's the cause (code below).

    ** I'd still like to know if a form expires after a certain amount of time - does anyone know the answer to that? **

    Cheers

    Controller
    ========

    public function CookiesUncertain() {
       // True when the browser sent no PHP session cookie: either cookies are
       // disabled or this is the visitor's first request (hence the "reload" advice).
       return (!Cookie::get('PHPSESSID'));
    }

    ========
    Template
    ========

    <% if CookiesUncertain %>
       <div class="warning">
          <p>We couldn't determine if cookies are enabled in your browser - please <a href="$Link">reload this page</a> so we can confirm. If the message disappears all is well! If you can still see this message then you will either need to enable cookies in your browser or switch to a different browser before you can fill out this form.</p>
       </div>
    <% else %>
       $EnquiryForm
    <% end_if %>

    p.s. haha went to submit this reply and what do you know - got the message 'Security token doesn't match, possible CSRF attack.' Think Marijn's solution sounds ideal, any chance of seeing this happen?

  • JonoM
    Community Member

    Re: Friendly message at possible CSRF attack

    I'm still having reports of users repeatedly getting the "Security token doesn't match, possible CSRF attack." message. Since I've put in a measure to make sure cookies are enabled I can't understand why this is happening or how to fix it.

    Does anyone know what exactly can trigger the "Security token doesn't match, possible CSRF attack" error and how to avoid this? Please?

  • Willr
    Forum Moderator

    Re: Friendly message at possible CSRF attack

    You can pretty safely disable the security tokens for most forms. We have disabled it for search forms and some other low critical contact forms which have captchas etc. If you are dealing with users who aren't logged in, there isn't much that can happen, but I'm not fully aware of all the crazy methods the kids use these days.
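    To make the thread's two points concrete, here is an added example (not SilverStripe code, and not from anyone in this thread) of the synchronizer-token check behind that message. The token lives in the server-side session, so an expired session fails the check exactly as a forged cross-site post does; the friendlier handling Marijn asks for is to re-issue the form pre-filled with the user's values and a fresh token instead of processing the data, while `check_token=False` shows what disabling the check (Willr's point) gives up. The session store, TTL and flow are constructed; `SecurityID` is the hidden-field name SilverStripe uses.

```python
import secrets

SESSION_TTL = 3600  # constructed: seconds a server-side session stays valid


class SessionStore:
    """Minimal server-side session store keyed by the session cookie value."""

    def __init__(self):
        self.sessions = {}

    def start(self, now):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"expires": now + SESSION_TTL, "csrf": secrets.token_hex(16)}
        return sid

    def get(self, sid, now):
        sess = self.sessions.get(sid)
        if sess is None or now >= sess["expires"]:
            self.sessions.pop(sid, None)  # expired: the CSRF token goes with it
            return None
        return sess


def render_form(store, sid, now, values=None):
    """Serve the form: (re)start the session if needed and embed its token."""
    sess = store.get(sid, now)
    if sess is None:
        sid = store.start(now)
        sess = store.get(sid, now)
    return sid, {"SecurityID": sess["csrf"], "values": dict(values or {})}


def handle_submit(store, sid, now, post, check_token=True):
    """Synchronizer-token check; returns ('accepted' | 'retry', payload)."""
    fields = {k: v for k, v in post.items() if k != "SecurityID"}
    if check_token:  # check_token=False mirrors Form::disable_all_security_tokens()
        sess = store.get(sid, now)
        ok = sess is not None and secrets.compare_digest(
            str(post.get("SecurityID", "")), sess["csrf"])
        if not ok:
            # An expired session and a forged request look identical here, so the
            # data is not processed. The form is re-issued pre-filled with the
            # user's own values and a fresh token: a genuine user just clicks
            # submit again, while a cross-site post still achieves nothing.
            new_sid, form = render_form(store, sid, now, fields)
            return "retry", {"sid": new_sid, "form": form,
                             "message": "Your session timed out, please re-submit."}
    return "accepted", fields
```

    The `retry` branch is safe to show because the re-issued form only displays the submitted values; nothing is stored or acted on until a request carrying the new token arrives.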
