CSRF-Protector-PHP
Token issue on IE 11, mismatch
I just deployed this to our production server and it is working great for Chrome, Firefox, and Safari but we are reporting issues in IE 11 on government computers. Is there a workaround for IE that would accommodate strict browser settings? We are also experiencing issues on Chrome and Firefox on government computers but only for certain pages. It has been very hard to diagnose what is happening on their end.
@gyegan What kind of issues are you facing?
Rather than a workaround, having the library compatible with IE 11 would be best. Let's find the issue and fix it ASAP.
Assigning it to @gyegan till steps to reproduce are clear and the bug is understood fully.
Sorry, I was trying to figure out the issue since it wasn't happening to me locally. Finally figured it out, the tokens do not match if you have IE 11 compatibility view turned on.
OK, I have a repro. This library relies on the JavaScript code to attach tokens to requests at run time. However, a lot of things were not supported in IE7 and thus in compatibility mode. I'll provide a quick workaround for you soon and then try to make the library more generic.
Thanks, assigning to myself.
Hi @gyegan, I have created workaround JavaScript code which worked for me in IE 11 compatibility mode. I have added it as a public gist for now: https://gist.github.com/mebjas/08e593d8e11adc5c4673ecf5be7ce018
What you have to do is:
- replace the script js/csrfprotector.js with this one
- test for this scenario
- and give feedback on whether it worked or not.
In the meantime, I'll test this one with other browsers and versions and create a generic script that works for all.
@gyegan if you are not facing issues anymore, I shall start writing generic JS code. Feedback needed.
I will test today!
I tested today and got this error: csrfprotector.js:147 Uncaught TypeError: Cannot read property 'value' of null.
OK, that is weird, line 147 is
CSRFP.CSRFP_TOKEN = document.getElementById(CSRFP_FIELD_TOKEN_NAME).value;
so if a hidden element with id csrfp_hidden_data_token is not there in the HTML, that means csrfp was not properly configured. Did you make any other changes than changing this JS file?
@gyegan where are we on this?
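The failure discussed above (getElementById returning null when the hidden token field is absent), as an added example that is not part of the thread or of CSRF-Protector-PHP: a guarded read that reports a configuration problem and the IE document mode instead of throwing. The field id is the one quoted above; readCsrfToken, fakeDocument and the result shape are hypothetical, and the sample documents are constructed.

```javascript
// Added example, not CSRF-Protector-PHP code. Written in ES5 so it also parses
// in legacy IE document modes. readCsrfToken and fakeDocument are hypothetical.
var CSRFP_FIELD_TOKEN_NAME = 'csrfp_hidden_data_token'; // id quoted in the thread

// Returns { ok, token, reason, documentMode } rather than dereferencing null.
function readCsrfToken(doc) {
  // documentMode exists only in IE; in compatibility view it reports an
  // older mode (for example 7) even though the browser is IE 11.
  var mode = typeof doc.documentMode === 'number' ? doc.documentMode : null;
  var field = doc.getElementById(CSRFP_FIELD_TOKEN_NAME);
  if (field === null || typeof field === 'undefined') {
    return { ok: false, token: null, documentMode: mode,
             reason: 'hidden field #' + CSRFP_FIELD_TOKEN_NAME + ' not found' };
  }
  var value = typeof field.value === 'string' ? field.value : '';
  if (value === '') {
    return { ok: false, token: null, documentMode: mode,
             reason: 'hidden field present but empty' };
  }
  return { ok: true, token: value, documentMode: mode, reason: null };
}

// Constructed stand-in for `document` so the example runs outside a browser.
function fakeDocument(fields, documentMode) {
  return {
    documentMode: documentMode,
    getElementById: function (id) {
      return Object.prototype.hasOwnProperty.call(fields, id) ? fields[id] : null;
    }
  };
}

// Constructed sample pages: one with the field rendered, one without it.
var configured = fakeDocument(
  { csrfp_hidden_data_token: { value: 'constructed-token-123' } }, 11);
var misconfigured = fakeDocument({}, 7);

console.log(readCsrfToken(configured));
console.log(readCsrfToken(misconfigured));
```

Logging the returned reason and documentMode from affected clients separates "field never rendered" from "page running in a legacy document mode", which is hard to tell apart from a bare TypeError.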
We left it as is and recoded other parts of our code so we didn't need compatibility mode to be turned on.
Oh, cool. I remember having tested the script. I'll perform a few more tests and modify the workaround script and then work on generalizing this.