
Token generation mismatch: hidden input does not match the session variable

Open jamespsterling opened this issue 9 years ago • 4 comments

Inputs on form,

<!--
--><input type="hidden" name="_CSRF_INDEX" value="v6Dzi3KrRDV68kNdPFCES+UU"><!--
--><input type="hidden" name="_CSRF_TOKEN" value="wLoNJygvlKTxBEuhTa/WCjnvtoYldgmTet7MsFQlXU0=">

Session variables dumped at the end of page,

array(1) {
  ["CSRF"]=>
  array(1) {
    ["v6Dzi3KrRDV68kNdPFCES+UU"]=>
    array(4) {
      ["created"]=>
      int(20160114152843)
      ["uri"]=>
      string(1) "/"
      ["token"]=>
      string(44) "T0kXM8I9nzUFv3w7flJTlbOjFa1OEMNR+5xwnHvpqr4="
      ["lockto"]=>
      string(5) "login"
    }
  }
}

jamespsterling, Jan 14 '16 21:01

What is the value of protected $hmac_ip?

paragonie-scott, Feb 02 '16 00:02

Hi,

Same thing here. The token set in the session is different from the value in the hidden text field. The _CSRF_INDEX is the same in the session and in the hidden text field.

validateRequest returns TRUE even if the value in the field is different from the value in the session.

$hmac_ip is TRUE

ncou, Feb 03 '16 23:02

After a quick debug, it's because hmac_ip is TRUE.

If it is set to false, the token value in the hidden field is the same as the one in the session.

ncou, Feb 03 '16 23:02

Yep. What this feature does is, instead of just placing the CSRF token in the form output, it outputs hash_hmac('sha256', $IPaddress, $csrfToken).

https://github.com/paragonie/anti-csrf/blob/606274f8f8c6aa0a807e656d7fc0603b5c78fdac/src/AntiCSRF.php#L162-L174

I'm tagging this as a documentation bug.

paragonie-scott, Feb 04 '16 01:02
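To make the explanation above concrete, here is a small stand-alone PHP illustration of the hmac_ip scheme as described in the thread: the session keeps the raw token, the hidden field carries hash_hmac('sha256', $ip, $token), and validation recomputes that HMAC from the stored token and the requesting IP instead of comparing raw values. This is an added example, not paragonie/anti-csrf's own code; the function names issue_csrf_token and validate_csrf_token, the base64 encoding of the raw HMAC, and the sample IP addresses are assumptions made for the example.

```php
<?php
// Added example of the hmac_ip behaviour discussed in this issue.
// NOT the library's code: issue_csrf_token / validate_csrf_token and the
// base64-of-raw-HMAC encoding are assumptions chosen for illustration.
// It shows why the session value and the hidden field legitimately differ
// when hmac_ip is enabled, and why validation still succeeds.

declare(strict_types=1);

/** Create a token, store it in the session, return the form field values. */
function issue_csrf_token(array &$session, string $ip, bool $hmacIp): array
{
    $index = base64_encode(random_bytes(18)); // 24-char index (assumed size)
    $token = base64_encode(random_bytes(32)); // 44-char token, as in the dump

    $session['CSRF'][$index] = [
        'created' => (int) gmdate('YmdHis'),
        'uri'     => '/',
        'token'   => $token,
        'lockto'  => 'login',
    ];

    // With hmac_ip the form receives an HMAC of the client IP keyed by the
    // session token; the raw token itself never leaves the server.
    $formToken = $hmacIp
        ? base64_encode(hash_hmac('sha256', $ip, $token, true))
        : $token;

    return ['_CSRF_INDEX' => $index, '_CSRF_TOKEN' => $formToken];
}

/** Validate a submission; the session entry is consumed either way. */
function validate_csrf_token(array &$session, array $post, string $ip, bool $hmacIp): bool
{
    $index = (string) ($post['_CSRF_INDEX'] ?? '');
    $given = (string) ($post['_CSRF_TOKEN'] ?? '');
    if (!isset($session['CSRF'][$index]['token'])) {
        return false;
    }
    $stored = $session['CSRF'][$index]['token'];
    unset($session['CSRF'][$index]); // one-time use

    // Recompute what the form should have carried for this client IP.
    $expected = $hmacIp
        ? base64_encode(hash_hmac('sha256', $ip, $stored, true))
        : $stored;

    return hash_equals($expected, $given); // constant-time comparison
}

// Constructed demo (sample IPs are documentation addresses, not real hosts).
$session = [];

// 1. Legitimate round trip: field != session token, yet validation passes.
$fields = issue_csrf_token($session, '203.0.113.10', true);
$ok     = validate_csrf_token($session, $fields, '203.0.113.10', true);

// 2. Tampered token value fails.
$fields = issue_csrf_token($session, '203.0.113.10', true);
$bad    = validate_csrf_token(
    $session,
    ['_CSRF_INDEX' => $fields['_CSRF_INDEX'], '_CSRF_TOKEN' => 'tampered'],
    '203.0.113.10',
    true
);

// 3. Same form values replayed from a different IP fail when hmac_ip is on.
$fields  = issue_csrf_token($session, '203.0.113.10', true);
$otherIp = validate_csrf_token($session, $fields, '198.51.100.7', true);

var_dump($ok, $bad, $otherIp);
```

The third case is the trade-off to keep in mind when enabling hmac_ip: binding the token to the client IP stops a stolen form value from being replayed elsewhere, but it also rejects legitimate users whose address changes between page load and submission (mobile networks, rotating proxies, or a misconfigured reverse proxy that reports the wrong client IP).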