grav-plugin-form
Nonce verification
Our Grav contact form page shows our message in green with Chrome (status='success'). Firefox, Edge and IE11 showed the standard 'Oops' message in red (status='error').
I found only Chrome returns the same nonce string (in Grav form utils.php)
Results of successive submissions in each browser were:
- Firefox: 5ad9398a6edd563a549a0edc72f499d3
- Firefox: 282da8f78d6f46f1df8e0fab6b85c639
- IE11: 91ad57f892f6ec1c816ab310090823f0
- IE11: cf86831399fc5d223c7c139251384687
- EDGE: b28e725fe38dcc3c5a81a691072f889d
- EDGE: 0dddab4fd0f9ccc27b391f3ef2afb1d0
- Chrome: 7849d7e1e5ce91af970890dc8b73ed71
- Chrome: 7849d7e1e5ce91af970890dc8b73ed71
As a workaround I have changed the verifyNonce function in Grav/Common/Utils.php to return true in all cases (so form data is processed) and set status='success' (so the message is in green, not red).
Is this a problem with the Form plugin or is there something I should set?
The contact form is included in CustomHTML in the Base Outline (Supra theme): `{% include "forms/form.html.twig" with {form: forms('contact')} %}`
Thank you
I need to investigate this as i've never heard of this before, and never run into it myself.
I did just fix a bug (in feature branch) that caused some forms to have 2 different tokens, one for JS and one in the token input, both being different. Not sure if it is related.
Just noticed this. Will check when opportunity arises. Using workaround for now.
Thanks
Ian Russell
On Sat, 1 Dec 2018 at 09:11, Matias Griese [email protected] wrote:
> I did just fix a bug (in feature branch) that caused some forms to have 2 different tokens, one for JS and one in the token input, both being different. Not sure if it is related.
@withindale Did you ever test if the issue was fixed?
Just had to do the same. Grav 1.6.24, Form v4.0.8.
```php
// Patched body of Utils::verifyNonce(): logs the submitted nonce next to the
// freshly computed one, then accepts the form unconditionally (debug workaround).
if ($nonce) {
    $grav = Grav::instance();
    $grav['log']->debug('Nonce ' . $nonce . ' getNonce ' . self::getNonce($action));
    return true;
}
```
Log: Nonce 3a1c846a3a558d4ac7a766efada5244b getNonce 185fcfc0e82913ed992d26f42d36adb4
I really don't get what's going on. There's no consistency. Some browsers work, most don't. 3 different iOS devices, no cache, no cookies — all produce "oops etc." Chrome, Safari, same story. 2 desktop browsers: Chrome works, Safari does not. No meaningful feedback.
I admit it's a rather old site, just updated to the recent Grav/forms but there are no errors or warnings and it does work sometimes, I just don't understand why/when.
May 1st at 1:46pm Nonce a936213827bdb1168c1641c822d53b0c getNonce c1a86befb25125fb02a22aaed651466a
May 1st at 1:21pm Nonce 92a7dabdc8881a9f71b996334a998920 getNonce 51cc4683d224e1059880cf83d67e9795
May 1st at 1:02pm Nonce 3a1c846a3a558d4ac7a766efada5244b getNonce 185fcfc0e82913ed992d26f42d36adb4
Isn't it supposed to be constant within 12 hrs?
Where should I look first?
Well, in my case the problem was in /user/config/system.yaml. It's session/cookie related. I just deleted everything under session.* so the defaults from /system/config/system.yaml are used. Works fine now.
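To show why a session setting can turn a valid form into the "Oops, your form has timed out" error, here is an added illustration of a session-bound, time-bucketed form nonce. It is not Grav's code: the names `NONCE_TTL`, `nonce_tick`, `make_nonce` and `verify_nonce`, the HMAC construction and the timestamps are all constructed for this example, and only the 12-hour window comes from the thread.

```php
<?php
// Added illustration, not Grav's implementation. All names and values are constructed.
declare(strict_types=1);

const NONCE_TTL = 12 * 3600; // the nonce stays constant inside one 12-hour bucket

// Bucket index for a timestamp; the nonce changes only when this changes.
function nonce_tick(int $now): int
{
    return intdiv($now, NONCE_TTL);
}

// The nonce binds the form action to the visitor's session id and the time bucket,
// so a different session id on POST yields a different value than on GET.
function make_nonce(string $secret, string $sessionId, string $action, int $tick): string
{
    return hash_hmac('sha256', $sessionId . '|' . $action . '|' . $tick, $secret);
}

// Accept the current and the previous bucket so a form rendered just before a
// boundary still verifies after it; anything older counts as timed out.
function verify_nonce(string $secret, string $sessionId, string $action, string $nonce, int $now): bool
{
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $candidate) {
        if (hash_equals(make_nonce($secret, $sessionId, $action, $candidate), $nonce)) {
            return true;
        }
    }
    return false;
}

$secret     = 'constructed-site-secret';
$renderTime = 1600000000; // constructed timestamp of the GET that rendered the form
$nonce      = make_nonce($secret, 'sess-A', 'contact', nonce_tick($renderTime));

// Scenario 1: same session cookie, submitted 40 minutes later.
printf("same session:      %s\n", verify_nonce($secret, 'sess-A', 'contact', $nonce, $renderTime + 2400) ? 'ok' : 'oops');
// Scenario 2: session cookie not retained between render and submit, so PHP
// started a new session ("sess-B"); this is the mismatch seen in the debug logs above.
printf("new session:       %s\n", verify_nonce($secret, 'sess-B', 'contact', $nonce, $renderTime + 2400) ? 'ok' : 'oops');
// Scenario 3: same session, but submitted more than two buckets later.
printf("expired bucket:    %s\n", verify_nonce($secret, 'sess-A', 'contact', $nonce, $renderTime + 3 * NONCE_TTL) ? 'ok' : 'oops');
```

Run it with `php nonce_demo.php`; when debugging a real site, compare the session cookie name and domain/path settings against what the browser actually sends back on the POST, since a dropped or re-issued cookie reproduces scenario 2.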
@zanami could you please share your session config? Is this problem really solved by rolling back the session config to the defaults in system/config/system.yaml?
I ask because I get this issue after updating Grav from 1.6.31 to 1.7.23. Still no info in the logs, only the poor message: "Oops, your form has timed out, please reload the page and submit the form again.". Testing on Chrome, Firefox.
My logs (why aren't the nonce values the same?):
```
[2021-10-03 13:57:36] grav.DEBUG: Nonce 0ed4460c61ae1ae24d035d0748029f9d getNonce 0ed4460c61ae1ae24d035d0748029f9d [] []
[2021-10-03 13:58:12] grav.DEBUG: Nonce 0ed4460c61ae1ae24d035d0748029f9d getNonce 82cdcf8b45a87a96eab7893cbeb63893 [] []
[2021-10-03 13:58:27] grav.DEBUG: Nonce 0ed4460c61ae1ae24d035d0748029f9d getNonce f2307b1a57a1c4cff6d0276c7c944c67 [] []
```
@mahagr maybe you can add a new setting in the config, i.e. "Nonce form validation" [checkbox]. If this config field is set to yes, then the block below will be executed as until now. If no, then validation will be omitted.
It looks like the post function from grav/user/plugins/form/classes/Form.php can't be overridden by Grav methods, so an additional config field can be a solution. :thinking:
@MajorKuprich do you have multiple configurations? Multisite? Nonce depends on the environment/child site and this issue may be caused by some mismatch in the configuration.
To troubleshoot, you can start by looking at whether the request goes to the same URL as the page you were on. If not, how do they differ?