I have an application written in Symfony 2.8.11 and FosUserBundle 2.0.0-beta1. Users can connect to the site via VPN or basic auth. Mostly they use Internet Explorer 11 on Windows 7. Some of them are experiencing an Invalid CSRF token issue in a random form inside the site. The problem is that users can't submit the form, even after refreshing the page a few times.
I suspect that the problem is caused by the continuous refreshing of the session; from the logs:
{
    "created":1483610056,
    "lastUsed":1483610056
} ["csrf","session_times"] []
Further, I suspect that it is caused by authentication by the remember-me token (every issue has been authenticated by that token):
[2017-01-05 10:54:16] security.DEBUG: Remember-me cookie detected. [] []
[2017-01-05 10:54:16] security.INFO: Remember-me cookie accepted. [] []
[2017-01-05 10:54:16] security.DEBUG: Populated the token storage with a remember-me token. [] []
My security config:
...
    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            csrf_token_generator: security.csrf.token_manager
            # if you are using Symfony < 2.8, use the following config instead:
            # csrf_provider: form.csrf_provider
        logout: true
        anonymous: true
        remember_me:
            name: "%session_cookie_remember_name%"
            domain: "%session_cookie_domain%"
            key: "%secret%"
            lifetime: 604800
            path: /
        switch_user: true
...
Is it possible that the session restarts every time the page is loaded and remember-me authenticates it? Is it a bug or correct behavior? How can I get rid of the invalid CSRF token issue?
Full logs from one page request when the issue occurred:
[2017-01-05 10:54:16] request.INFO: Matched route "fos_user_profile_show".
{
    "route_parameters":{
        "_controller":"AppBundle\\Controller\\ProfileController::showAction",
        "lang":"pl",
        "_route":"fos_user_profile_show"
    },
    "request_uri":"..."
} []
[2017-01-05 10:54:16] security.DEBUG: Remember-me cookie detected. [] []
[2017-01-05 10:54:16] security.INFO: Remember-me cookie accepted. [] []
[2017-01-05 10:54:16] security.DEBUG: Populated the token storage with a remember-me token. [] []
[2017-01-05 10:54:16] app.DEBUG:
{
    "USER":"www-data",
    "HOME":"\/var\/www",
    "HTTP_COOKIE":"safeId=51081905; nlPopup=shown; cookieInfo=1; __cfduid=d7b03b629331902c712642a374b52b3711476715148; auth=1a2dd1f7a8b16bf7d31988bf968748b5; VMREMEMBERME=QXBwQnVuZGxlXEVudGl0eVxVc2VyOmMydHNaWEF6TkRKQVluSmhibVJpY1M1d2JBPT06MTQ4NDA1MjAxNzoyODM1NWViMThkN2EwMDQ2MGUzNzVmNzg4ZGYwYWE2NzliNTcwOGJiY2E4ZDk0ZGE4YzJhZTFmZTRlMThlMjhh; VMSESSID=4oupq2fgt72vc8lnqff0g9op44",
    "HTTP_CONNECTION":"Keep-Alive",
    "HTTP_DNT":"1",
    "HTTP_HOST":"sub.domain.com",
    "HTTP_ACCEPT_ENCODING":"gzip, deflate",
    "HTTP_USER_AGENT":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko",
    "HTTP_ACCEPT_LANGUAGE":"pl-PL",
    "HTTP_ACCEPT":"text\/html, application\/xhtml+xml, *\/*",
    "SCRIPT_FILENAME":"\/data\/www\/project\/web\/app.php",
    "REDIRECT_STATUS":"200",
    "SERVER_NAME":"sub.domain.com",
    "SERVER_PORT":"80",
    "SERVER_ADDR":"x.x.x.x",
    "REMOTE_PORT":"x",
    "REMOTE_ADDR":"x.x.x.x",
    "SERVER_SOFTWARE":"nginx\/1.10.0",
    "GATEWAY_INTERFACE":"CGI\/1.1",
    "REQUEST_SCHEME":"http",
    "SERVER_PROTOCOL":"HTTP\/1.1",
    "DOCUMENT_ROOT":"\/data\/www\/project\/web",
    "DOCUMENT_URI":"\/app.php",
    "REQUEST_URI":"...",
    "SCRIPT_NAME":"\/app.php",
    "CONTENT_LENGTH":"",
    "CONTENT_TYPE":"",
    "REQUEST_METHOD":"GET",
    "QUERY_STRING":"...",
    "FCGI_ROLE":"RESPONDER",
    "PHP_SELF":"\/app.php",
    "REQUEST_TIME_FLOAT":1483610056.9177,
    "REQUEST_TIME":1483610056
} ["csrf","server"] []
[2017-01-05 10:54:16] app.DEBUG:
{
    "safeId":"51081905",
    "nlPopup":"shown",
    "cookieInfo":"1",
    "__cfduid":"d7b03b629331902c712642a374b52b3711476715148",
    "auth":"1a2dd1f7a8b16bf7d31988bf968748b5",
    "VMREMEMBERME":"QXBwQnVuZGxlXEVudGl0eVxVc2VyOmMydHNaWEF6TkRKQVluSmhibVJpY1M1d2JBPT06MTQ4NDA1MjAxNzoyODM1NWViMThkN2EwMDQ2MGUzNzVmNzg4ZGYwYWE2NzliNTcwOGJiY2E4ZDk0ZGE4YzJhZTFmZTRlMThlMjhh",
    "VMSESSID":"4oupq2fgt72vc8lnqff0g9op44"
} ["csrf","cookies"] []
[2017-01-05 10:54:16] app.DEBUG:
{
    "cookie":[
        "safeId=51081905; nlPopup=shown; cookieInfo=1; __cfduid=d7b03b629331902c712642a374b52b3711476715148; auth=1a2dd1f7a8b16bf7d31988bf968748b5; VMREMEMBERME=QXBwQnVuZGxlXEVudGl0eVxVc2VyOmMydHNaWEF6TkRKQVluSmhibVJpY1M1d2JBPT06MTQ4NDA1MjAxNzoyODM1NWViMThkN2EwMDQ2MGUzNzVmNzg4ZGYwYWE2NzliNTcwOGJiY2E4ZDk0ZGE4YzJhZTFmZTRlMThlMjhh; VMSESSID=4oupq2fgt72vc8lnqff0g9op44"
    ],
    "connection":[
        "Keep-Alive"
    ],
    "dnt":[
        "1"
    ],
    "host":[
        "sub.domain.com"
    ],
    "accept-encoding":[
        "gzip, deflate"
    ],
    "user-agent":[
        "Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko"
    ],
    "accept-language":[
        "pl-PL"
    ],
    "accept":[
        "text\/html, application\/xhtml+xml, *\/*"
    ],
    "content-length":[
        ""
    ],
    "content-type":[
        ""
    ],
    "x-php-ob-level":[
        1
    ]
} ["csrf","headers"] []
[2017-01-05 10:54:16] app.DEBUG: [] ["csrf","session"] []
[2017-01-05 10:54:16] app.DEBUG:
{
    "created":1483610056,
    "lastUsed":1483610056
} ["csrf","session_times"] []
[2017-01-05 10:54:16] app.DEBUG:
{
    "name":"xxx",
    "address":"xxx",
    "city":"xxx",
    "phoneNumber":"xxx",
    "lang":"xx",
    "save":"",
    "_token":"ms-TX5_Du6lh3BqV2RB2CvQaEJ8WzuPBCeduAJox3ik"
} ["csrf","data"] []
[2017-01-05 10:54:16] security.DEBUG: Stored the security token in the session. {"key":"_security_main"} []
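The log above carries the diagnostic the question is circling: a VMSESSID cookie was sent, yet the session's created and lastUsed timestamps equal REQUEST_TIME, so no existing session matched the cookie and the CSRF token issued with the form (stored in the old session) is gone. The following script, an added example that is not part of the original question or of Symfony, parses the ["csrf", tag] debug entries in this format and flags that condition; the embedded log is a constructed, shortened copy of the one above with placeholder cookie values, and the session cookie name VMSESSID is taken from the question.

```python
"""Triage 'Invalid CSRF token' reports from the question's debug-log format:
flag requests that sent a session cookie but whose session was created during
the same request (created == lastUsed == REQUEST_TIME)."""
import json
import re

# One tagged app.DEBUG entry: a JSON body followed by ["csrf","<tag>"].
_ENTRY = re.compile(r'app\.DEBUG:\s*(\{.*?\})\s*\["csrf","(\w+)"\]', re.DOTALL)

# Constructed sample: abridged from the question's log, cookie values replaced.
SAMPLE_LOG = """\
[2017-01-05 10:54:16] security.INFO: Remember-me cookie accepted. [] []
[2017-01-05 10:54:16] app.DEBUG:
{
"HTTP_COOKIE":"VMREMEMBERME=REMEMBER_ME_PLACEHOLDER; VMSESSID=SESSION_ID_PLACEHOLDER",
"REQUEST_METHOD":"GET",
"REQUEST_TIME":1483610056
} ["csrf","server"] []
[2017-01-05 10:54:16] app.DEBUG:
{
"created":1483610056,
"lastUsed":1483610056
} ["csrf","session_times"] []
"""
# Same request, but the session was created earlier and merely resumed.
HEALTHY_LOG = SAMPLE_LOG.replace('"created":1483610056', '"created":1483600000')

def parse_csrf_entries(log_text):
    """Return {tag: parsed JSON} for every ["csrf", tag] app.DEBUG entry."""
    return {tag: json.loads(body) for body, tag in _ENTRY.findall(log_text)}

def diagnose(log_text, session_cookie="VMSESSID"):
    """Decide whether the session was resumed or freshly created for this request."""
    entries = parse_csrf_entries(log_text)
    server = entries.get("server", {})
    times = entries.get("session_times", {})
    request_time = server.get("REQUEST_TIME")
    cookie_sent = session_cookie + "=" in server.get("HTTP_COOKIE", "")
    created_now = (request_time is not None
                   and times.get("created") == request_time
                   and times.get("lastUsed") == request_time)
    return {
        "session_cookie_sent": cookie_sent,
        "remember_me_login": "Remember-me cookie accepted" in log_text,
        "session_created_this_request": created_now,
        # Cookie sent but no stored session matched it: the token the form was
        # rendered with lived in a session that no longer exists server-side.
        "csrf_token_lost": cookie_sent and created_now,
    }
```

Run it over the real log of a failing request and of a working one; if only the failing ones report csrf_token_lost, the session store (not the CSRF generator) is where to look.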
I got your point; sometimes this happens due to the CSRF generator. You have to change your config.yml file and comment out the csrf generator line, e.g.
Now there is no condition for the CSRF token.