fuel_csrf_token() won't generate a token.
This used to work before, but all of a sudden it stopped. I downloaded a new one and added this:
<?= Security::js_fetch_token(); ?>
<script>
console.log(fuel_csrf_token());
</script>
to views > welcome > index.php. It created the fuel_csrf_token function and that's it.
You upgraded your PHP version, and short tags are now disabled? It still works fine here:
[wanwizard@catwoman] $ oil console
Fuel 1.9-dev - PHP 5.6.25 (cli) (Aug 24 2016 07:55:57) [Linux]
>>> Security::js_fetch_token();
<script type="text/javascript">
    function fuel_csrf_token()
    {
        if (document.cookie.length > 0)
        {
            var c_name = "fuel_csrf_token";
            c_start = document.cookie.indexOf(c_name + "=");
            if (c_start != -1)
            {
                c_start = c_start + c_name.length + 1;
                c_end = document.cookie.indexOf(";" , c_start);
                if (c_end == -1)
                {
                    c_end=document.cookie.length;
                }
                return unescape(document.cookie.substring(c_start, c_end));
            }
        }
        return "";
    }
</script>
>>> exit
It generates the JS function. But it seems to fall out after if (c_start != -1), and when I log c_start I get -1.
If you get -1 there, the csrf cookie does not exist.
Are you changing the name of the cookie in your app after the Security class is loaded?
Please take a look at this VIDEO.
For the audience: you downloaded the framework, added the call to the welcome controller, and then discovered it doesn't work. Rightly so, because as I wrote before, the cookie needs to exist before this will work.
And you have done nothing yet to create the cookie. The cookie is only created when you call Security::set_token() or Security::fetch_token(), something that happens automatically when you create a form that includes a CSRF token, for example by using Form::csrf().
In other words: Try this:
<?php echo Form::csrf(); ?>
<?php echo Security::js_fetch_token(); ?>
<script>
console.log(fuel_csrf_token());
</script>
Is there any reason why it worked before (like it used to generate a token without the <?php Security::fetch_token() ?>)?
I wouldn't know, it has always worked like this. Did you have security.csrf_autoload enabled in your config by any chance? That is the only thing that would trigger creation of the cookie on every request.
Obviously, in any app, the first page with a form (and a csrf token) would create the cookie, and the cookie would exist until you close the browser, also on pages that don't have a token. Also check the value of security.csrf_expiration in your config file, that would influence the lifespan of the cookie.
This may have caused a change in behaviour, in case you have a config file that doesn't include the csrf_autoload key: https://github.com/fuel/core/commit/5b407215a58fef482b346a5f2f9dfc71e5f00a0a
@Ghostff any more feedback on this topic?
Nah, it just works well after adding Security::set_token() to my bootstrap. But it still works well on my other PC without Security::set_token() and with security.csrf_autoload not enabled.
With the same codebase? Or with a pre-1.8 version of Fuel that had autoload enabled by default?
I switched to a new PC and installed Fuel 1.8.0. It generates a token by itself (I didn't include Security::set_token() or Security::fetch_token(), and security.csrf_autoload is false), and it logs me out after the second refresh on AJAX login.
Logins are not controlled by the CSRF token, so I can't see the connection between the two.
How do you install "1.8.0"? And do you run a composer update after that to fetch the latest hotfixes for 1.8.0?
Like, I validate CSRF before login, more like if (Security::check_token(Input::post('__token'))) { ..}, and it happens to be true without Security::set_token(), Security::fetch_token() or security.csrf_autoload enabled. And yes, I updated the code sample.
As soon as you validate a token, the token will expire. If your ajax page doesn't load a new token, any other form post will post using an invalid token.
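The two points made in this thread (the CSRF cookie only exists once Security::set_token() or Security::fetch_token() has run, which Form::csrf() does for you, and Security::check_token() consumes the token, so an AJAX client has to be handed a fresh one) put together in a single controller. This is an added example, not code from the thread or from the FuelPHP project: the class name, action name, URLs and form field names are assumptions, the Auth package is assumed to be loaded, and the Security, Form, Input, Response and Format calls are FuelPHP 1.8 core APIs.

```php
<?php
// Added example (not from the thread or FuelPHP itself): the CSRF token
// lifecycle in a FuelPHP 1.8 controller. Names, URLs and field names are
// assumptions; the Auth package is assumed to be loaded.

class Controller_Account extends Controller
{
    public function before()
    {
        parent::before();

        // With security.csrf_autoload = false nothing creates the cookie on
        // its own. Fetching the token here guarantees it exists before the
        // view is rendered, so the client-side fuel_csrf_token() helper no
        // longer hits indexOf() == -1 and returns an empty string.
        Security::fetch_token();
    }

    // GET  /account/login -> render the form
    // POST /account/login -> validate the token, then authenticate
    public function action_login()
    {
        if (Input::method() === 'POST')
        {
            return $this->handle_login_post();
        }

        return $this->render_login_form();
    }

    protected function render_login_form()
    {
        $html  = '<form method="post" action="/account/login">';
        // Hidden input named after security.csrf_token_key (default
        // 'fuel_csrf_token'), carrying Security::fetch_token()'s value.
        $html .= Form::csrf();
        $html .= Form::input('username');
        $html .= Form::password('password');
        $html .= Form::submit('submit', 'Log in');
        $html .= '</form>';
        // Emits the cookie-reading fuel_csrf_token() JS helper; the cookie
        // was set in before(), so the helper has something to read here.
        $html .= Security::js_fetch_token();

        return Response::forge($html);
    }

    protected function handle_login_post()
    {
        // Reads the posted token field and compares it with the cookie value.
        // On a match the token is regenerated, so replaying this POST (for
        // example by refreshing the page) fails the check.
        if ( ! Security::check_token())
        {
            return $this->reply(403, array('error' => 'invalid or already used CSRF token'));
        }

        // Login state lives in the session and is independent of the CSRF token.
        $logged_in = Auth::login(Input::post('username'), Input::post('password'));

        return $this->reply($logged_in ? 200 : 401, array('ok' => (bool) $logged_in));
    }

    // AJAX clients get the regenerated token in the JSON body so their next
    // POST carries a valid one; regular browsers are redirected to a page
    // that renders a new Form::csrf().
    protected function reply($status, array $body)
    {
        if (Input::is_ajax())
        {
            $body['csrf_token'] = Security::fetch_token();
            return Response::forge(Format::forge($body)->to_json(), $status,
                array('Content-Type' => 'application/json'));
        }

        return Response::redirect($status === 200 ? '/account' : '/account/login');
    }
}
```

The AJAX client is expected to store the csrf_token value from each JSON reply and send it as the token field of its next POST; the cookie is also refreshed by the same call, so the fuel_csrf_token() helper above would return the new value as well. Session loss on refresh, the other symptom in this thread, is not something this code addresses.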
I just post the form once, and it logs me in. But after multiple (2) page refreshes, I get logged out. The question is why it is passing Security::check_token when the token is not enabled, and what can cause a logout on page refresh?
I am clueless as to what you are talking about. You refresh the post page (i.e. you post the login again)? If you do so, and you have no mechanism in place to update the token in the form, you post the form again with an invalid token, see my previous remark.
If you use the Auth package, the login status is recorded in the session, and is not related to CSRF tokens at all. There can be all sorts of reasons for losing the session, but since it's an ajax app, I'd start with checking if the session cookie is updated on the client. If not, you lose the session when the session token rotates server side (by default every 300 seconds).
Like, if I log in it takes me to account.page, but when I refresh account.page it logs me out.
So, did you do what I asked and checked if your session mechanism works?
I'm not sure if I'm doing it right. I have a token of (length=570); after login (length=698); on account.page refresh (length=570) (when I get logged out).
What kind of session storage do you use? The cookie itself? It looks like you're losing the session for some reason. Time settings on the server ok?