processRequest & session management


Brandon Shea, Feb 13, 2019, 2:22:39 PM, to CFWheels

I get the following when trying to use processRequest() in a test:

Enable SessionManagement to use CSRF Token.
csrf.cfm line 118

I'm guessing this function isn't available if I have session management disabled? Is there a way around this? If not, are there any other funcs not available when not using sessions?

Tom King, Feb 15, 2019, 3:36:05 AM, to CFWheels

I think you can mock CSRF by setting application.wheels.csrfStore to something *other* than session or cookie. If it's session, it'll try and use session; if it's anything else, it will try and set a cookie; but if it's not session and not cookie, it will get to the point where it was "about" to set a cookie and will instead chuck it in the request scope: request[application.wheels.csrfCookieName], etc.

So in your unit tests, I'd try changing that application var.


T

Brandon Shea, Feb 15, 2019, 1:13:37 PM, to CFWheels

I get the following when following your suggestion:

The key specified is not a valid key for this encryption: Invalid AES key length.
csrf.cfm line 152

  • /Users/brandonshea/Sites/ctia-web-services/src/wheels/controller/csrf.cfm line 152
  • /Users/brandonshea/Sites/ctia-web-services/src/wheels/controller/csrf.cfm line 120
  • /Users/brandonshea/Sites/ctia-web-services/src/wheels/controller/csrf.cfm line 94
  • /Users/brandonshea/Sites/ctia-web-services/src/wheels/controller/csrf.cfm line 31
  • /Users/brandonshea/Sites/ctia-web-services/src/wheels/controller/processing.cfm line 13
  • /Users/brandonshea/Sites/ctia-web-services/src/wheels/global/misc.cfm line 301
  • /Users/brandonshea/Sites/ctia-web-services/src/tests/controllers/api/v1/TestRequestsController.cfc line 13
I checked the values passed into Encrypt():
  • application.wheels.csrfCookieEncryptionSecretKey: ""
  • application.wheels.csrfCookieEncryptionAlgorithm: "AES"
  • application.wheels.csrfCookieEncryptionEncoding: "Base64"

Generating a key for the secret key didn't alleviate the above problem either.

Might be an ignorant suggestion, but might it be possible to skip this step of generating a token if csrfStore is not set to session or cookie? Something like this:

public string function $generateAuthenticityToken() {
    if (application.wheels.csrfStore == "session") {
        return CSRFGenerateToken();
    } else if (application.wheels.csrfStore == "cookie") {
        return $generateCookieAuthenticityToken();
    } else {
        // Neither the session nor the cookie store is configured: skip token
        // generation. Return an empty string rather than a bare `return;` so
        // the declared string return type is still satisfied.
        return "";
    }
}

I don't know what the consequences of such a change would be, so let me know your thoughts! Thank you.
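Added example (not CFWheels code, and not the framework's actual csrf.cfm): a stand-alone CFML sketch of the three token stores Tom describes (session, cookie, anything else falling through to the request scope), with the request-scope case short-circuited before any encryption, which is the behaviour Brandon's proposed change is after. It also shows why the values Brandon printed fail: ColdFusion/Lucee's encrypt() with "AES" needs a Base64 key of 128, 192 or 256 bits, and "" has length zero. The settings struct, function names and cookie name are hypothetical; generateSecretKey(), encrypt(), binaryDecode(), createUUID() and arrayFind() are standard CFML built-ins.

```cfml
<cfscript>
// Hypothetical stand-in for application.wheels.* settings used in a test.
settings = {
    csrfStore = "request",                                   // "session", "cookie", or anything else
    csrfCookieName = "_example_authenticity",                // assumed name
    csrfCookieEncryptionSecretKey = generateSecretKey("AES"), // Base64 key, 128-bit by default
    // Bare "AES" selects ECB mode in ColdFusion and Lucee; CBC with a random IV is the safer default.
    csrfCookieEncryptionAlgorithm = "AES/CBC/PKCS5Padding",
    csrfCookieEncryptionEncoding = "Base64"
};

// True only for a Base64 string that decodes to 16, 24 or 32 bytes (AES-128/192/256).
// An empty key, or one of any other length, is exactly what produces
// "Invalid AES key length" inside encrypt().
boolean function isValidAesKey(required string base64Key) {
    var keyBytes = 0;
    if (!len(arguments.base64Key)) {
        return false;
    }
    try {
        keyBytes = len(binaryDecode(arguments.base64Key, "base64"));
    } catch (any e) {
        return false; // not valid Base64 at all
    }
    return arrayFind([16, 24, 32], keyBytes) > 0;
}

// Generate a token and park it in whichever store the settings name.
// The request-scope branch never touches the encryption settings, so a test
// that sets csrfStore to "request" does not need a valid AES key.
string function generateAuthenticityToken(required struct cfg) {
    var token = createUUID();
    switch (lCase(arguments.cfg.csrfStore)) {
        case "session":
            session[arguments.cfg.csrfCookieName] = token;
            break;
        case "cookie":
            if (!isValidAesKey(arguments.cfg.csrfCookieEncryptionSecretKey)) {
                throw(
                    type = "Example.BadCsrfKey",
                    message = "csrfCookieEncryptionSecretKey must be a Base64 AES key of 128, 192 or 256 bits"
                );
            }
            cookie[arguments.cfg.csrfCookieName] = encrypt(
                token,
                arguments.cfg.csrfCookieEncryptionSecretKey,
                arguments.cfg.csrfCookieEncryptionAlgorithm,
                arguments.cfg.csrfCookieEncryptionEncoding
            );
            break;
        default:
            // Anything other than session/cookie: keep the token for this request only.
            request[arguments.cfg.csrfCookieName] = token;
    }
    return token;
}

// Usage: the empty key from the thread is rejected before encrypt() ever runs,
// while the request store works without any key at all.
writeOutput("empty key valid? " & isValidAesKey("") & "<br>");               // false
writeOutput("generated key valid? " & isValidAesKey(settings.csrfCookieEncryptionSecretKey) & "<br>"); // true
writeOutput("request-scope token: " & generateAuthenticityToken(settings) & "<br>");
</cfscript>
```

The key check is the part worth keeping even outside tests: validating csrfCookieEncryptionSecretKey once at application start turns the opaque "Invalid AES key length" from deep inside encrypt() into a clear configuration error, and a test suite that only needs processRequest() to run can point csrfStore at the request scope and skip the cookie path entirely.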