SilverStripe Forums » General Questions » Static Publisher makes UserForm return "SecurityID doesn't match, possible CSRF attack"
-
Static Publisher makes UserForm return "SecurityID doesn't match, possible CSRF attack"

5 July 2010 at 6:40am
SS 2.4
UserDefinedForm 0.3.0
When I enable Static Publisher and try to submit the form, I get redirected to a white page with the warning "SecurityID doesn't match, possible CSRF attack." and the form doesn't submit.
I'd really like to use Static Publisher, so any thoughts on how to fix this would be much appreciated.
If there isn't a fix, can I easily exclude that form page from being cached when using Static Publisher?
Thanks
-
Re: Static Publisher makes UserForm return "SecurityID doesn't match, possible CSRF attack"

5 July 2010 at 6:56am
Is the missing "value" on the Static page the issue?
Dynamic version of UserDefinedForm:
<input class="hidden nolabel" type="hidden" id="Form_Form_Referrer" name="Referrer" value="http://blabla.com/silverstripe/locations/finished?referrer=http%3A%2F%2Fblabla.com%2Fsilverstripe%2F" />
Static version:
<input class="hidden nolabel" type="hidden" id="Form_Form_Referrer" name="Referrer" value="" />
-
Re: Static Publisher makes UserForm return "SecurityID doesn't match, possible CSRF attack"

5 July 2010 at 9:17am
I would disable Static Publisher (which I think you need to do with any forms anyways). You can add an exception in the allPagesToCache() function to remove pages with the classname 'UserDefinedForm'.
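An added example (not code from this thread or from the SilverStripe project) of the allPagesToCache() exception described above, written against the SilverStripe 2.4 StaticPublisher setup in which Page defines allPagesToCache() and subPagesToCache(); the helper name hasSecurityTokenForm() and the $uncached_form_pages list are assumptions.

```php
<?php
// mysite/code/Page.php (SilverStripe 2.4) -- added example, not project code.
// A page that renders a form with a per-session SecurityID must stay dynamic:
// a statically published copy freezes one session's token (or an empty one),
// so every later POST of that form fails the CSRF check.
class Page extends SiteTree {
    // Page classes whose cached HTML would embed a SecurityID.
    // 'UserDefinedForm' is the class named in the thread; add your own here.
    static $uncached_form_pages = array('UserDefinedForm');

    // Called by the static-cache rebuild task to collect every URL that
    // should be written out as a static file.
    function allPagesToCache() {
        $urls = array();
        $pages = DataObject::get('SiteTree');
        if (!$pages) return $urls;
        foreach ($pages as $page) {
            if ($page->hasSecurityTokenForm()) continue; // leave it dynamic
            $urls = array_merge($urls, (array) $page->subPagesToCache());
        }
        return $urls;
    }

    // URLs published for one page; subclasses with extra actions override it.
    function subPagesToCache() {
        return array($this->AbsoluteLink());
    }

    // True when this page is (or extends) a class from the list above, so the
    // check also covers subclasses of UserDefinedForm.
    function hasSecurityTokenForm() {
        foreach (self::$uncached_form_pages as $class) {
            if (is_a($this, $class)) return true;
        }
        return false;
    }
}
```

Excluding the page keeps the token check intact for the form; disabling the token instead removes the CSRF protection for that form entirely.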
-
Re: Static Publisher makes UserForm return "SecurityID doesn't match, possible CSRF attack"

5 July 2010 at 10:22am
..."Is the missing "value" on the Static page the issue?"...
Not exactly, it's the Form_Form_SecurityID hidden input, see http://doc.silverstripe.org/form#form_security
While we're on the subject ... when a form post fails this CSRF check it raises an HTTP 400 error but does not seem to use the "400-Bad Request" error page I have created in the CMS, should it? (there is an error-400.html in the assets folder)
Cheers
Rich
-
Re: Static Publisher makes UserForm return "SecurityID doesn't match, possible CSRF attack"

6 July 2010 at 5:31am
Thanks for the help!
I got that to work for my UserDefinedForm page, but I do have a simple form on every page. So I guess I'll look into Partial Caching instead of Static Publisher.
-
Re: Static Publisher makes UserForm return "SecurityID doesn't match, possible CSRF attack"

6 July 2010 at 9:58am
Or you could disable security for just that form
$myForm->disableSecurityToken();
All depends on the CSRF risk of the particular form.
I haven't tried partial caching myself but am so happy with static caching that I'll try to make that work wherever I can.