CSRF_token_identifier


Stephen S

Jan 5, 2019, 9:16:31 AM
to ResourceSpace
Apparently with the latest version's implementation of CSRF protection, a plugin of mine is broken. I assumed from reading the single paragraph of documentation on this feature (https://www.resourcespace.com/knowledge-base/systemadmin/csrf) that I could simply add something like "CSRFToken=1" to my query string when doing what I need to, but alas that does not work. I get:

encryption_functions.php line 75: Undefined offset: 1

Then I tried using a function I found in general.php to create the token: `$mycsrftoken = generateCSRFToken(session_id(), 'myformname');` and then append that to the querystring, but I get almost the same error:

encryption_functions.php line 75: Undefined offset: 2

Is there some further documentation on how to implement this? My plugin (which generates PDFs) will work if `$CSRF_enabled = false;` is set in the config btw.

Stephen S

Jan 5, 2019, 9:32:25 AM
to ResourceSpace
I think I have this working, using a different function:

generateFormToken("myformid");

Place this before submitting the form. I apparently don't even have to append the querystring; it works after simply including this before my form submit.

Hope this helps someone else...

Stephen S

Jan 5, 2019, 11:06:39 AM
to ResourceSpace
Alas, I have a related issue that this particular fix does not seem suited to: elsewhere in my plugin, I am using an ajax call to save a configuration, and this too fails with a CSRF error. Because this is not a traditional form, I am unsure how to pass the token along in my ajax call which is triggered by clicking an element on my setup page. Any suggestions?

Stephen S

Jan 6, 2019, 9:49:44 AM
to ResourceSpace
I am able to generate the CSRFToken and pass it via ajax to my receiving page; I have verified that it is in the post params. BUT for some reason I am still getting the error:

encryption_functions.php line 75: Undefined offset: 2

Does anyone have a clue?

Stephen S

Jan 6, 2019, 12:58:52 PM
to ResourceSpace
So I decided to log what is happening when the authenticate plugin tries to decrypt, and it is very strange:

[06-Jan-2019 17:54:59 GMT] csrf token:
[06-Jan-2019 17:54:59 GMT] user sessionf2fe8011f9f9257c559376de2a48b754
[06-Jan-2019 17:54:59 GMT] csrf token:
[06-Jan-2019 17:54:59 GMT] user sessionf2fe8011f9f9257c559376de2a48b754
[06-Jan-2019 17:54:59 GMT] csrf token:
[06-Jan-2019 17:54:59 GMT] user sessionf2fe8011f9f9257c559376de2a48b754
[06-Jan-2019 17:54:59 GMT] csrf token:
[06-Jan-2019 17:54:59 GMT] csrf token:
[06-Jan-2019 17:54:59 GMT] user sessionf2fe8011f9f9257c559376de2a48b754
[06-Jan-2019 17:55:00 GMT] user sessionf2fe8011f9f9257c559376de2a48b754
[06-Jan-2019 17:55:00 GMT] csrf token:
[06-Jan-2019 17:55:00 GMT] csrf token:
[06-Jan-2019 17:55:00 GMT] user sessionf2fe8011f9f9257c559376de2a48b754
[06-Jan-2019 17:55:00 GMT] user sessionf2fe8011f9f9257c559376de2a48b754
[06-Jan-2019 17:55:00 GMT] csrf token:
[06-Jan-2019 17:55:00 GMT] user sessionf2fe8011f9f9257c559376de2a48b754
[06-Jan-2019 17:55:00 GMT] csrf token:
[06-Jan-2019 17:55:00 GMT] csrf token:
[06-Jan-2019 17:55:01 GMT] user sessionf2fe8011f9f9257c559376de2a48b754
[06-Jan-2019 17:55:01 GMT] user sessionf2fe8011f9f9257c559376de2a48b754
[06-Jan-2019 17:55:10 GMT] csrf token:NTc5OWIyYmYwZmNiNTZhNzM4OTUyZjFhODU3OTQ0NTIzMWQ5N2VlZjVlNTI4YmVjNzRlNGM4MDE4MjFmNjYxM0BA 2OEmQ8OkdEuq5lW/lMPiYRjEqM2o9w9yic3dj4uarMnYtak/yCp1GaSvQweZ1YNm lCQ958gd4hGpNP4n3Yhp6Sz4MMiqdk9l 9N7z819hDYogQTEU8q2YN  3twbvGncIPL r/BdifgPIDeNhF1fyMrUm4oq9of5a9A5xxp5S597b8U5kUMeAB9 w z8ZU83azvN7D9x6MAn m4pIRb19tuDIuDOOE Ew4fYQrAkBAwkeyfDclYiQv5j/WtjvpIo4lOuOU1UEZdL74SmxUgpM=
[06-Jan-2019 17:55:10 GMT] user sessionf2fe8011f9f9257c559376de2a48b754
[06-Jan-2019 17:55:12 GMT] csrf token:
[06-Jan-2019 17:55:13 GMT] user sessionf2fe8011f9f9257c559376de2a48b754
[06-Jan-2019 17:55:23 GMT] csrf token:
[06-Jan-2019 17:55:23 GMT] user sessionf2fe8011f9f9257c559376de2a48b754
[06-Jan-2019 17:55:33 GMT] csrf token:
[06-Jan-2019 17:55:33 GMT] user sessionf2fe8011f9f9257c559376de2a48b754

Why on earth would it be trying to do this so many times? It seems like once for each field in the group, except that only one time is it capturing the csrf token that I have generated.

Does no one have any experience with this?

Stephen S

Dec 30, 2020, 1:15:12 PM
to ResourceSpace
In case it helps anyone else, I was able to grab the token itself from that generated in my form, and use it in my separate ajax call by adding it to the end of my dataString:

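<pre>
// Read the CSRF token from the hidden input that the form already rendered
var token = jQuery('#pdfconfigwrapper').find('input[name="CSRFToken"]').val();
// URL-encode both values so '+', '/', '=' and '&' survive form decoding on the server
var dataString = 'mydata=' + encodeURIComponent(JSON.stringify(prejson)) + '&CSRFToken=' + encodeURIComponent(token);
</pre>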

Then it worked fine when this data string was passed in the ajax call.
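An added example, not part of the original posts and not ResourceSpace code: it shows why a hand-built `dataString` like the one above should URL-encode its values, since a base64-style token can contain `+`, which form decoding turns into a space. The function names, the sample token and the sample config are constructed for illustration, and `decodeForm` is a stand-in for the server's `application/x-www-form-urlencoded` parsing.

```javascript
// Constructed sample values; not taken from the thread.
const sampleToken = 'ab+cd/ef+gh==';                 // base64-style token with '+', '/', '='
const sampleConfig = { title: 'A & B', pages: 2 };   // JSON whose text contains '&'

// Naive concatenation: values are placed in the body unencoded.
function buildBodyNaive(config, token) {
  return 'mydata=' + JSON.stringify(config) + '&CSRFToken=' + token;
}

// Encoded: every value passes through encodeURIComponent first.
function buildBodyEncoded(config, token) {
  return 'mydata=' + encodeURIComponent(JSON.stringify(config)) +
         '&CSRFToken=' + encodeURIComponent(token);
}

// Stand-in for server-side form decoding: '&' separates fields,
// '+' becomes a space, %XX sequences are decoded.
function decodeForm(body) {
  const out = {};
  for (const [key, value] of new URLSearchParams(body)) {
    out[key] = value;
  }
  return out;
}

// True when the token the server would see equals the token the page sent.
function tokenSurvives(body, token) {
  return decodeForm(body).CSRFToken === token;
}

const naive = buildBodyNaive(sampleConfig, sampleToken);
const encoded = buildBodyEncoded(sampleConfig, sampleToken);

console.log('naive token seen by server:  ', JSON.stringify(decodeForm(naive).CSRFToken));
console.log('encoded token seen by server:', JSON.stringify(decodeForm(encoded).CSRFToken));
console.log('naive survives:', tokenSurvives(naive, sampleToken));
console.log('encoded survives:', tokenSurvives(encoded, sampleToken));
```

A token that arrives with spaces in place of `+` no longer matches what was issued, so the server-side check rejects it even though a `CSRFToken` parameter is present in the post.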