Bug #252
A Cross Site Request Forgery attempt has been detected; cannot continue with the required action.
| Status: | New | Start date: | 25 Jul 2013 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
Description
Hi,
After the redirect to the custom login.php, I return to the index.php.
I am not logged in, and the following error displays:
"A Cross Site Request Forgery attempt has been detected; cannot continue with the required action."
I understood from Kayako that they made some change in that area of the code.
In v4.53 it all worked; after upgrading to 4.58 it broke down.
History
Updated by Farhaz Hofman over 11 years ago
Gary McGrath supplied a work around in the forum topic.
http://forums.kayako.com/threads/active-directory-sso-with-pass-thru-enabled.28951/page-6#post-159894
A workaround for getting this working in the meantime for versions 4.56+:
file: class.Controller_User.php
location: __swift\apps\base\client
In the function Login, comment out the CSRF check:

if (!in_array('header (Default)', SWIFT_Template::GetUpgradeRevertList())
    && (!isset($_POST['_csrfhash']) || !SWIFT_Session::CheckCSRFHash($_POST['_csrfhash']))) {
    $this->UserInterface->Error(true, $this->Language->Get('msgcsrfhash'));
    $this->Load->Controller('Default')->Load->Index();
    return false;
}

e.g. change to:

/*
if (!in_array('header (Default)', SWIFT_Template::GetUpgradeRevertList())
    && (!isset($_POST['_csrfhash']) || !SWIFT_Session::CheckCSRFHash($_POST['_csrfhash']))) {
    $this->UserInterface->Error(true, $this->Language->Get('msgcsrfhash'));
    $this->Load->Controller('Default')->Load->Index();
    return false;
}
*/
Updated by Michael Smith over 11 years ago
We had successfully implemented this workaround in 4.61.
After upgrading to 4.64 the workaround was still needed, and in addition it appears there has been an additional CSRF check included in the ticket creation functionality.
In order to get the error to stop appearing for users when they attempted to submit a ticket we had to comment out the CSRF check in the file:
__apps\tickets\client\class.Controller_Submit.php
replacing:

if (!in_array('submitticket_form (Default)', SWIFT_Template::GetUpgradeRevertList())
    && (!isset($_POST['_csrfhash']) || !SWIFT_Session::CheckCSRFHash($_POST['_csrfhash']))) {
    $this->UserInterface->Error(true, $this->Language->Get('msgcsrfhash'));
    $this->Load->RenderForm();
    return false;
}

with:

/*
if (!in_array('submitticket_form (Default)', SWIFT_Template::GetUpgradeRevertList())
    && (!isset($_POST['_csrfhash']) || !SWIFT_Session::CheckCSRFHash($_POST['_csrfhash']))) {
    $this->UserInterface->Error(true, $this->Language->Get('msgcsrfhash'));
    $this->Load->RenderForm();
    return false;
}
*/
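As an added example from the editor, not Kayako's code and not part of either comment above, the following Python sketch models the `_csrfhash` check that both workarounds comment out. The function names (`issue_csrf_token`, `handle_login_post`, `render_login_form`, `form_fields`), the token generation and the in-memory session dict are all assumptions; Kayako's `SWIFT_Session` and template machinery are not modelled. It shows that the `msgcsrfhash` error is exactly what a login form lacking the hidden `_csrfhash` field produces, and that a custom login form which emits that field passes the unchanged check, which is the fix that keeps the protection in place for both the login and the ticket-submit forms.

```python
import hmac
import re
import secrets


# Constructed stand-in for a per-user server-side session; the page's
# SWIFT_Session is not modelled, only the shape of its CheckCSRFHash call.
def issue_csrf_token(session: dict) -> str:
    """Create a fresh, unguessable token and bind it to this session."""
    token = secrets.token_hex(32)
    session["_csrfhash"] = token
    return token


def check_csrf_hash(session: dict, submitted) -> bool:
    """Token check: an absent or mismatching token is rejected; the comparison
    is constant-time so the token cannot be recovered byte by byte."""
    expected = session.get("_csrfhash")
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_login_post(session: dict, form: dict) -> str:
    """Model of the Login controller branch quoted on the page: return the
    language key 'msgcsrfhash' when the check fails, otherwise 'ok'."""
    if "_csrfhash" not in form or not check_csrf_hash(session, form["_csrfhash"]):
        return "msgcsrfhash"
    return "ok"


def render_login_form(session: dict) -> str:
    """What a custom login page has to emit: the same hidden _csrfhash field the
    stock template carries, so the unchanged server-side check passes."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="index.php">\n'
        f'  <input type="hidden" name="_csrfhash" value="{token}">\n'
        '  <input type="text" name="username">\n'
        '  <input type="password" name="password">\n'
        '</form>\n'
    )


def form_fields(html: str) -> dict:
    """Collect name/value pairs of the hidden inputs in a rendered form."""
    return dict(re.findall(r'<input type="hidden" name="([^"]+)" value="([^"]*)">', html))


def demo() -> dict:
    """Three submissions against one session; returns the outcome of each."""
    session = {}
    html = render_login_form(session)
    # Custom login form that carries the hidden field: passes the check.
    good = {"username": "alice", "password": "pw", **form_fields(html)}
    # Custom login form that omits the hidden field: the failing case this issue reports.
    missing = {"username": "alice", "password": "pw"}
    # Token bound to a different session: the cross-site case the check exists to stop.
    other_session = {}
    render_login_form(other_session)
    foreign = {"username": "alice", "password": "pw", "_csrfhash": other_session["_csrfhash"]}
    return {
        "with_token": handle_login_post(session, good),
        "without_token": handle_login_post(session, missing),
        "foreign_token": handle_login_post(session, foreign),
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints the three outcomes. The point for a custom login.php is to emit the hidden `_csrfhash` field the stock `header (Default)` template carries, rather than to comment out the branch: that branch is the only thing in the quoted code that rejects a login or ticket POST which did not originate from the site's own form, so removing it leaves both forms open to forged submissions until the template is corrected.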