CSRF-Protector-PHP

Token issue on IE 11, mismatch

Open gyegan opened this issue 7 years ago • 12 comments

I just deployed this to our production server and it is working great for Chrome, Firefox, and Safari but we are reporting issues in IE 11 on government computers. Is there a work around for IE that would accommodate strict browser settings? We are also experiencing issues on Chrome and Firefox on government computers but only for certain pages. It has been very hard to diagnose what is happening on their end.

gyegan Sep 16 '16 14:09

@gyegan What kind of issues are you facing?

Rather than a workaround, having the library compatible with IE 11 would be best. Let's find the issue and fix it ASAP.

mebjas Sep 19 '16 03:09

Assigning it to @gyegan till the steps to reproduce are clear and the bug is understood fully.

mebjas Sep 20 '16 15:09

Sorry, I was trying to figure out the issue since it wasn't happening to me locally. Finally figured it out: the tokens do not match if you have IE 11 compatibility view turned on.

gyegan Sep 20 '16 17:09

OK, I have a repro. This library relies on the JavaScript code to attach tokens to requests at run time. However, a lot of things were not supported in IE7 and thus in compatibility mode. I'll provide a quick workaround for you soon and then try to make the library more generic.

Thanks, assigning to myself.

mebjas Sep 23 '16 09:09

Hi @gyegan, I have created workaround JavaScript code which worked for me in IE 11 compatibility mode. I have added it as a public gist for now: https://gist.github.com/mebjas/08e593d8e11adc5c4673ecf5be7ce018

What you have to do is:

  • replace the script js/csrfprotector.js with this one
  • test for this scenario
  • and give feedback on whether it worked or not.

In the meantime, I'll test this one with other browsers and versions and create a generic script that works for all.

mebjas Sep 26 '16 06:09

@gyegan if you are not facing issues anymore, I shall start writing generic JS code. Feedback needed.

mebjas Sep 28 '16 05:09

I will test today!

gyegan Sep 28 '16 14:09

I tested today and got this error: csrfprotector.js:147 Uncaught TypeError: Cannot read property 'value' of null.

gyegan Sep 29 '16 05:09

OK, that is weird. Line 147 is:

CSRFP.CSRFP_TOKEN = document.getElementById(CSRFP_FIELD_TOKEN_NAME).value;

So if a hidden element with id csrfp_hidden_data_token is not there in the HTML, that means csrfp was not properly configured. Did you make any changes other than changing this JS file?

mebjas Sep 29 '16 08:09
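
The null dereference discussed above can be turned into a diagnosable report. The following is an added example, not part of the thread or of csrfprotector.js: `diagnoseCsrfpField` and `makeStubDocument` are hypothetical names, the stub documents are constructed samples, and only the element id `csrfp_hidden_data_token` comes from the thread.

```javascript
// Added example, not code from csrfprotector.js. ES5 only (var, function)
// so it still parses when IE 11 compatibility view emulates an older engine.
var FIELD_ID = 'csrfp_hidden_data_token'; // element id quoted in the thread

// Hypothetical helper: returns a report instead of throwing
// "Cannot read property 'value' of null". The field value itself is never
// copied into the report, so the report is safe to log.
function diagnoseCsrfpField(doc, fieldId) {
  var report = { fieldPresent: false, valueLength: 0,
                 documentMode: null, problem: null };
  // document.documentMode exists only in Internet Explorer.
  if (typeof doc.documentMode === 'number') {
    report.documentMode = doc.documentMode;
  }
  var el = doc.getElementById(fieldId);
  if (el === null || typeof el === 'undefined') {
    report.problem = 'hidden field #' + fieldId + ' is missing from the HTML';
    return report;
  }
  report.fieldPresent = true;
  if (typeof el.value !== 'string' || el.value === '') {
    report.problem = 'hidden field #' + fieldId + ' has an empty value';
    return report;
  }
  report.valueLength = el.value.length;
  return report;
}

// Constructed stand-in for a browser document, so the example runs in Node.
function makeStubDocument(elementsById, documentMode) {
  var doc = {
    getElementById: function (id) {
      return Object.prototype.hasOwnProperty.call(elementsById, id)
        ? elementsById[id] : null;
    }
  };
  if (typeof documentMode === 'number') { doc.documentMode = documentMode; }
  return doc;
}

// Constructed sample pages: one missing the field, one correctly set up.
var brokenPage = makeStubDocument({}, 7);
var goodPage = makeStubDocument({ csrfp_hidden_data_token: { value: 'sample-value' } });
console.log(diagnoseCsrfpField(brokenPage, FIELD_ID));
console.log(diagnoseCsrfpField(goodPage, FIELD_ID));
```

In a browser, the same function can be called as `diagnoseCsrfpField(document, FIELD_ID)` before the token is read.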

@gyegan where are we on this?

mebjas Nov 03 '16 21:11

We left it as is and recoded other parts of our code so we didn't need compatibility mode to be turned on.

gyegan Nov 07 '16 23:11

Oh, cool. I remember having tested the script. I'll perform a few more tests and modify the workaround script and then work on generalizing this.

mebjas Nov 08 '16 13:11