phpRedisAdmin

BAD CSRF TOKEN

Open v012345 opened this issue 4 years ago • 7 comments

When I delete a key, I am redirected to a 404 page whose path is "http://myDomian/bad%20csrf%20token".

v012345 avatar Sep 11 '21 21:09 v012345

me too

asmc avatar Sep 12 '21 01:09 asmc

Also, if you have changed your phpRedisAdmin/ directory to something else, you will be redirected to "bad csrf token".

asmc avatar Sep 12 '21 01:09 asmc

And the view frame cannot show any contents because of "header('X-Frame-Options: DENY');". I have to add "Header always set X-Frame-Options "sameorigin"" to .htaccess.

asmc avatar Sep 12 '21 01:09 asmc

My bad. I have just released a fix for sameorigin. Please upgrade to 1.16.1 and try again.

I don't really use this project anymore, but there were a bunch of security issues reported that I tried to fix. I tested it locally and everything worked fine. But it seems like with other setups things break.

For the bad csrf token error: what version of PHP are you using and what does your session setup look like? The CSRF code uses PHP sessions. It does check session_status() !== PHP_SESSION_DISABLED, but I guess something else goes wrong?

erikdubbelboer avatar Sep 12 '21 07:09 erikdubbelboer

I use PHP 7.4. I have updated it to 1.16.1, but it doesn't work. So I executed chmod -R 777 phpRedisAdmin and, MY GOD, it works. Later I changed the permissions back to 755 and it still works. So I guess the reason is that PHP doesn't have permission to create session files on my server. And I want to know where PHP saves the sessions.

v012345 avatar Sep 12 '21 17:09 v012345

That depends on how you have configured sessions on your server. See: https://www.php.net/manual/en/session.configuration.php#ini.session.save-path

erikdubbelboer avatar Sep 13 '21 06:09 erikdubbelboer

@v012345, check the session.cookie_path value in your php.ini.

It must contain / or be commented out.

KarelWintersky avatar Nov 03 '21 13:11 KarelWintersky
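Pulling the thread together as an added example (this is not phpRedisAdmin's own code, and the function names and the `csrf_token` form field are hypothetical): a session-backed CSRF token like the one the maintainer describes only works if the session survives between the GET that rendered the form and the POST that submits it. The two diagnoses in the thread, a `session.save_path` the PHP process cannot write to and a `session.cookie_path` that does not cover the directory the app was renamed to, both break exactly that, so the script checks them before issuing a token, and refuses to issue a token at all when the session cannot be started. Run it from the CLI with the app's URL path as the argument (e.g. `php csrf_check.php /phpRedisAdmin/`), or reuse the functions in a request handler as shown in the trailing comment.

```php
<?php
// Added example, not phpRedisAdmin's own code. Function names and the
// "csrf_token" form field are hypothetical. Targets PHP 7.4+.
declare(strict_types=1);

// Report configuration that would make every session-backed CSRF token fail.
// $appPath is the URL path the app is served under (after any rename).
function csrf_preflight(string $appPath = '/'): array
{
    $problems = [];

    if (session_status() === PHP_SESSION_DISABLED) {
        $problems[] = 'PHP sessions are disabled';
        return $problems;
    }

    // session.save_path may be empty (system temp dir), "N;/dir" or
    // "N;MODE;/dir" for the files handler, or a URL for redis/memcached.
    // Only plain directories are checked here.
    $savePath = ini_get('session.save_path');
    if ($savePath === '' || $savePath === false) {
        $savePath = sys_get_temp_dir();
    }
    if (!preg_match('#^[a-z]+://#i', $savePath)) {
        $dir = $savePath;
        $sep = strrpos($savePath, ';');
        if ($sep !== false) {
            $dir = substr($savePath, $sep + 1);
        }
        // The "chmod 777 made it work" symptom from the thread: if the PHP
        // process cannot create the session file, every request starts a
        // fresh session and the stored token is never seen again.
        if (!is_dir($dir) || !is_writable($dir)) {
            $problems[] = "session.save_path '$dir' is not a directory writable by the PHP process";
        }
    }

    // The cookie path must be a prefix of the app path, otherwise the browser
    // never sends the session cookie back (a simple prefix approximation of
    // the browser's path-match rule).
    $cookiePath = ini_get('session.cookie_path') ?: '/';
    if (strpos($appPath, $cookiePath) !== 0) {
        $problems[] = "session.cookie_path '$cookiePath' does not cover app path '$appPath'";
    }

    return $problems;
}

// Start the session if needed and fail loudly if that is impossible, rather
// than handing out a token that can never be verified.
function csrf_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    if (session_status() === PHP_SESSION_DISABLED || !session_start()) {
        throw new RuntimeException('cannot start PHP session; check session.save_path');
    }
}

function csrf_token(): string
{
    csrf_session();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random token
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing or wrong token is a hard failure.
function csrf_check(?string $submitted): bool
{
    csrf_session();
    $expected = $_SESSION['csrf_token'] ?? null;
    return is_string($expected) && is_string($submitted) && hash_equals($expected, $submitted);
}

// Web usage (in the request handler), with the frame header from the thread:
//   header('X-Frame-Options: SAMEORIGIN');   // DENY blocks the app's own view frame
//   if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST['csrf_token'] ?? null)) {
//       http_response_code(403);
//       exit('bad csrf token');
//   }
//   echo '<input type="hidden" name="csrf_token" value="' . htmlspecialchars(csrf_token()) . '">';

if (PHP_SAPI === 'cli') {
    $appPath = $argv[1] ?? '/';
    $problems = csrf_preflight($appPath);
    foreach ($problems as $p) {
        fwrite(STDERR, "PROBLEM: $p\n");
    }
    if ($problems === []) {
        // Simulate the form round trip in-process.
        $t = csrf_token();
        echo csrf_check($t) ? "token round trip OK\n" : "token round trip FAILED\n";
        echo csrf_check('not-the-token') ? "wrong token accepted!\n" : "wrong token rejected\n";
        session_write_close();
    }
    exit($problems === [] ? 0 : 1);
}
```

The preflight is deliberately run under the same PHP binary and php.ini that serve the app; a check run as root from a shell would not reproduce the web server user's permission problem, so run it as that user (for example via `sudo -u www-data php csrf_check.php /phpRedisAdmin/`, where the user name is an assumption about the host).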