
CSRF Token Invalid caused by router connection | Forum

dave Leader
dave May 6 '19
I am not a system engineer or guru, so I thought I would ask on here. I have a customer who is getting the CSRF token invalid error because his local machine is his Linux server and he is connecting to his website via the same router.

So it seems Oxwall thinks he is trying to shadow in behind himself, which triggers the CSRF error when the token does not match.

We have eliminated everything else; it's not a browser issue, a coding issue or a plugin issue. I can access the site and everything works fine from my end.

Since he uses a local machine as his Linux server, does anyone know the solution for this? Does anyone know, or can anyone make suggestions?

Thanks :)

UPDATE: I'm thinking maybe using a Google proxy for his PC connection would work.

The Forum post is edited by dave May 6 '19
Patricia Zorrilla Leader
Patricia Zorrilla May 6 '19
A very simple solution is to comment out these lines of the file ow_core/form.php


dave Leader
dave May 6 '19
Thanks Patricia, yes, that's easy; however I don't like to tell customers to modify core code as they have to keep doing that with every update (yes I know, what update, right lol). Plus bypassing security code is not my first option. That is up to the client to do; thanks for the suggestion, hope you are doing well. :)
The Forum post is edited by dave May 6 '19
Patricia Zorrilla Leader
Patricia Zorrilla May 6 '19

I give you options ... your choice, hahaha!

At least it can serve as a temporary remedy.

The "security hole" that is created only affects members who are filling out a form, and only during that time, if they leave without closing the session, if Oxwall does not close it by default, and if the hacker knows how and why to attack. Oxwall is not used to make bank websites either.

Patricia Zorrilla Leader
Patricia Zorrilla May 6 '19
Out of healthy curiosity I'm looking at how other software solves this ... Look, look, Facebook has this "security hole" wide open.
dave Leader
dave May 6 '19
Hi, yes, I understand it is temporary, and thanks. Most everyone solves the CSRF issue the same way, by validating the token.

What I would be interested in is this specific case where someone is running their own server at home and gets caught in the exception because they use the same router for the site connection. Even though it is two separate IPs, I still feel that the router, or something about the way the connection is established, is causing the CSRF issue.
That would be a good thing to learn: why it happens and how to fix it.

The Forum post is edited by dave May 6 '19
Patricia Zorrilla Leader
Patricia Zorrilla May 7 '19

Maybe I could change my "commenting out" to an "if" that works with the user's registration IP, the public IP of the website and the IP from which they are connected.

Also, I would need to edit the file that I mentioned before.

I leave here some things about IPs that I am working with for a future plugin, in case they are useful to you or give you some idea.


// Registration IP: Oxwall stores joinIp as an integer, so convert it back to dotted form.
$user = BOL_UserService::getInstance()->findUserById( $userId );
$userRegIp = long2ip($user->joinIp);

// IP of the current request as an integer, so it can be compared with joinIp directly.
$userActIp = ip2long(OW::getRequest()->getRemoteAddress());

// Method from the future plugin's class (the class name here is only a placeholder).
// Note: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers that the client
// can set to anything; only REMOTE_ADDR comes from the actual TCP connection.
class PLUGIN_IpHelper
{
    public function getIp()
    {
        if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } else {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        return $ip;
    }
}


The Forum post is edited by Patricia Zorrilla May 7 '19
Attachments:
  ip.txt (0Kb)
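As an added example that is not Oxwall's code nor Patricia's, and to illustrate dave's point that the usual fix is to validate the token itself: a CSRF token bound to the session rather than to the client IP, beside an IP resolver that only honours X-Forwarded-For from a known proxy. Function names and the sample addresses are assumptions; the scenario reproduces the form being loaded from the LAN side of the router and submitted from its public side.

```php
<?php
// Added example, not Oxwall's or Patricia's code. Function names are hypothetical.
// Shows (1) an IP resolver that only honours proxy headers from a known proxy and
// (2) a CSRF token bound to the session rather than to the client IP.

// Resolve the client address. HTTP_X_FORWARDED_FOR is client-supplied, so it is
// only honoured when REMOTE_ADDR is one of our own proxies.
function resolveClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return $chain[0];
    }
    return $remote;
}

// Issue one random token per session; it goes into a hidden form field.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Validate with a constant-time comparison. The client IP is deliberately not
// part of the check, so a user whose address differs between loading the form
// (LAN side of the router) and submitting it (public side) still passes.
function validateCsrfToken(array $session, string $submitted): bool
{
    return !empty($session['csrf_token']) && hash_equals($session['csrf_token'], $submitted);
}

// Constructed scenario: form loaded from a private address, POST arrives from
// the router's public address, exactly the case an IP-bound check would reject.
$session  = [];
$token    = issueCsrfToken($session);
$loadIp   = resolveClientIp(['REMOTE_ADDR' => '192.168.1.20'], []);
$submitIp = resolveClientIp(['REMOTE_ADDR' => '203.0.113.10'], []);
printf("IP changed between load and submit: %s\n", $loadIp !== $submitIp ? 'yes' : 'no');
printf("session-bound token accepted: %s\n", validateCsrfToken($session, $token) ? 'yes' : 'no');
printf("forged token accepted: %s\n", validateCsrfToken($session, 'forged') ? 'yes' : 'no');

// An X-Forwarded-For header arriving from an untrusted peer is ignored, so the
// resolver falls back to REMOTE_ADDR.
$untrusted = resolveClientIp(['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'], []);
printf("resolved IP when header comes from an untrusted peer: %s\n", $untrusted);
```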
Oxwall Türkiye
Oxwall Türkiye May 8 '19

Dave, man, I have an idea about this problem.

First of all, the customer may have more than one Oxwall in use. This situation occurs when the cache gets into a mess. Continuous cache cleaning should be done to correct this.

The most ideal method in this case is the use of two different themes (the cache shows constant clutter problems when 2 different Oxwalls are used) because of the use of cookies.

My suggestion may be to change the ping throw range for the new edit.

I understand that a change to the kernel will be a recurring problem on update. There are 2 ways to get rid of this: 1 is a new cookie edit plugin (this may sound a bit ridiculous), 2 is using a different theme in addition for the Oxwall site. Finally, you need to tell your customer that when he visits Oxwall-based sites, it will clear the cache.

dave Leader
dave May 8 '19
Hi OT, he has two phone lines, one is for phone and one is just for data. Then he has two different routers, one is for the web and one is for the Linux server.

The one for his web is daisy-chained to the server router and both have different IPs.

This is from the customer:

Okay, one phone line for voice and a router which is set up with 4 static IP addresses, then from that router to the router I use for my everyday-use computer... Then I have 2 Dell PowerEdge 2950 corporate computers hooked up to the first router, which has the 4 static IP addresses.

He said he has run into the same issue trying to share a game he plays. I am thinking that somewhere the two share a common ground which causes the CSRF flag.
The Forum post is edited by dave May 8 '19
AppXprt
AppXprt May 9 '19
Honestly, it's probably caused by the network configuration, all users coming in on the same shared IP screwing with sessions.
dave Leader
dave May 9 '19
That's what I told him, to check his config, but I don't know if he did or not. Thanks for that.. :)