
BAD CSRF TOKEN #172

Open
v012345 opened this issue Sep 11, 2021 · 7 comments

Comments

v012345 commented Sep 11, 2021

When I delete a key, I am redirected to a 404 page whose path is "http://myDomian/bad%20csrf%20token".

asmc commented Sep 12, 2021

> When I delete a key, I am redirected to a 404 page whose path is "http://myDomian/bad%20csrf%20token".

Me too.

asmc commented Sep 12, 2021

Also, if you have renamed your phpRedisAdmin/ directory to something else, you will be redirected to "bad csrf token"...

asmc commented Sep 12, 2021

And the view frame cannot show any contents because of `header('X-Frame-Options: DENY');`. I had to add `Header always set X-Frame-Options "sameorigin"` to .htaccess.

erikdubbelboer (Owner) commented

My bad. I have just released a fix for sameorigin. Please upgrade to 1.16.1 and try again.

I don't really use this project anymore, but there were a bunch of security issues reported that I tried to fix. I tested it locally and everything worked fine. But it seems like with other setups things break.

For the bad csrf token error: what version of PHP are you using, and what does your session setup look like?
The CSRF code uses PHP sessions.
It does check `session_status() !== PHP_SESSION_DISABLED`, but I guess something else goes wrong?

v012345 (Author) commented Sep 12, 2021

> My bad. I have just released a fix for sameorigin. Please upgrade to 1.16.1 and try again.
>
> I don't really use this project anymore, but there were a bunch of security issues reported that I tried to fix. I tested it locally and everything worked fine. But it seems like with other setups things break.
>
> For the bad csrf token error: what version of PHP are you using, and what does your session setup look like?
> The CSRF code uses PHP sessions.
> It does check `session_status() !== PHP_SESSION_DISABLED`, but I guess something else goes wrong?

I use PHP 7.4.
I have updated it to 1.16.1.
But it doesn't work.
So I executed `chmod -R 777 phpRedisAdmin`, and, MY GOD, it works.
Later I changed the permissions back to 755, and it still works.
So I guess the reason is that PHP doesn't have permission to create session files on my server.
And I want to know where PHP saves the sessions.

erikdubbelboer (Owner) commented

That depends on how you have configured sessions on your server.
See: https://www.php.net/manual/en/session.configuration.php#ini.session.save-path

KarelWintersky (Contributor) commented

@v012345, check the `session.cookie_path` value in your php.ini.

It must contain `/` or be commented out.
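As an added example (not phpRedisAdmin's own code, and not posted by anyone in this thread), here is a session-backed CSRF token check that fails with the real cause instead of a misleading "bad csrf token" when the session itself cannot be persisted. It checks the two things raised above: a `session.save_path` that the PHP process cannot write to (the files handler only), and a `session.cookie_path` that does not cover the URL the app is served from. The function names (`session_problem`, `start_session_or_fail`, `csrf_token`, `csrf_check`), the `csrf` form field and the `csrf_token` session key are assumptions for illustration.

```php
<?php
// Added example, not phpRedisAdmin's own code. session_problem(), csrf_token(),
// csrf_check(), the 'csrf' form field and the 'csrf_token' session key are
// assumed names for illustration.
declare(strict_types=1);

// Return null if PHP looks able to persist a session, otherwise the reason.
function session_problem(): ?string
{
    if (session_status() === PHP_SESSION_DISABLED) {
        return 'sessions are disabled in php.ini';
    }

    // Only the "files" handler writes to session.save_path; redis, memcached
    // and similar handlers use their own connection settings instead.
    if (ini_get('session.save_handler') === 'files') {
        $path = session_save_path();
        if ($path === false || $path === '') {
            $path = sys_get_temp_dir();   // PHP's fallback when save_path is unset
        }
        // Debian-style values look like "N;MODE;/path": keep the directory part.
        $dir = $path;
        if (($sep = strrpos($path, ';')) !== false) {
            $dir = substr($path, $sep + 1);
        }
        if (!is_dir($dir)) {
            return "session.save_path '$dir' does not exist";
        }
        // is_writable() checks as the user PHP runs as (e.g. www-data), which is
        // the permission that was missing in the report above.
        if (!is_writable($dir)) {
            return "session.save_path '$dir' is not writable by the PHP process";
        }
    }

    // If cookie_path does not cover the URL the app is served from, the browser
    // never sends the session cookie back, every request gets a fresh empty
    // session, and the stored token is never found. A prefix check suffices.
    $cookiePath = (string) ini_get('session.cookie_path');
    $script = $_SERVER['SCRIPT_NAME'] ?? '/';
    if ($cookiePath !== '' && strpos($script, $cookiePath) !== 0) {
        return "session.cookie_path '$cookiePath' does not cover '$script'";
    }
    return null;
}

// Start the session, failing loudly with the cause rather than letting a
// broken session surface later as "bad csrf token".
function start_session_or_fail(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    $problem = session_problem();
    if ($problem !== null) {
        http_response_code(500);
        exit("Cannot start session: $problem");
    }
    // session_start() returns false (and logs a warning) if the handler fails.
    if (!session_start()) {
        http_response_code(500);
        exit('session_start() failed; see the PHP error log');
    }
}

// One random token per session, minted on first use.
function csrf_token(): string
{
    start_session_or_fail();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session copy.
function csrf_check(?string $submitted): bool
{
    start_session_or_fail();
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

// DENY also blocks the app's own frames (what asmc ran into); SAMEORIGIN still
// stops other sites from framing the page. Must be sent before any output.
header('X-Frame-Options: SAMEORIGIN');

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_check($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('bad csrf token');
    }
    // ... perform the state-changing action (e.g. delete the key) here ...
}

// Embed the token in every state-changing form.
printf('<input type="hidden" name="csrf" value="%s">',
    htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8'));
```

To see the values the check is based on, `php -r 'var_dump(session_save_path(), ini_get("session.cookie_path"));'` prints them, but note that the CLI often reads a different php.ini than the web SAPI, so the authoritative values are the ones reported from a request handled by the web server.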
