CSRF problem

Postby storm9c1 » Sun Feb 23, 2014 2:58 am

Hi all. Long-time hosting provider that formerly provided Pivot; now a first-time PivotX provider.

I've recently installed Ubuntu Server 12.04.4 LTS for a customer. Apache 2.2.22 with the Suhosin patch (default on Ubuntu). PHP5 5.3.10. I've installed the latest PivotX 2.3.8 build #4333-11. I made sure all permissions are set exactly as per the documentation. I have shell access to the server.

We can login to PivotX, but any attempt to save a setting or change anything (including adding users, etc) will throw me back to the login page. I've installed pivotx-check, and all is green (except MySQL since I am using flat files).

After doing some reading on Google and on here, I was able to turn on debugging manually (not through the GUI). Here is the message in logfile.php:

<?php /* pivotx */ die(); ?><div class='timetaken'>2014-02-22 21:16:02 - <span class='timetaken'>0.019</span> -- pivotx/objects.php:2411 / checkCSRF() -- ( 8268476 ) </div>CSRF check failed: 'null..' vs. 'ucvi13h4..'

This points to CSRF problems, so some more searching turned up this hint for the Virtual Host settings in the Apache2 conf file:

<Directory /var/www/domain.com/html>
AllowOverride All
php_flag suhosin.session.encrypt Off
</Directory>

But that isn't helping.

Any other suggestions? I am a small-time hosting provider. Other reading on the forums here seems to all say "tell your hosting provider not to mess with cookies" -- well, I am the hosting provider and I have no idea what settings would affect cookies, except perhaps that Suhosin encryption setting, which should be disabled by the setting above.

I imagine more folks would like to throw PivotX on an Ubuntu server, and I imagine that others are going to have this problem. So any advice for me (and for the benefit of others) is appreciated!

Thanks.
storm9c1

Re: CSRF problem

Postby Harm10 » Sun Feb 23, 2014 11:04 am

If you are using flat files you sometimes have to redo the folder permissions as described in the installation.
After installing, some new files were created and perhaps they didn't pick up the correct permissions.
Please try.
Quality is in the detail of things............

Want to change or update your PivotX site? Mail or PM me!
I can also convert your site to a Wordpress site!
Harm10
Developer

Re: CSRF problem

Postby storm9c1 » Sun Feb 23, 2014 8:22 pm

Thanks for your reply.

Unfortunately I read the other posts on this forum, and permissions were one of the first things I tried and it didn't help.

But just for posterity, here are the permissions on the db directory (sorry for the long info, I just wanted to be clear and concise so we can get this resolved as quickly as possible):

total 68
drwxrwxrwx 2 4096 Feb 23 15:12 cache
-rwxrwxrwx 1  202 Dec 23  2009 index.html
-rwxrwxrwx 1  569 Feb 23 15:12 logfile.php
drwxrwxrwx 2   56 Feb 14 23:22 pages
drwxrwxrwx 2   23 Feb 14 23:09 refkeys
drwxrwxrwx 2   23 Feb 14 23:09 rsscache
-rwxrwxrwx 1   10 Feb 22 18:11 scheduler.txt
drwxrwxrwx 2 4096 Feb 14 23:22 search
-rwxrwxrwx 1  268 Feb 14 23:48 ser-archives.php
-rwxrwxrwx 1   90 Feb 14 23:22 ser-cats.php
-rwxrwxrwx 1   95 Feb 14 23:22 ser-dates.php
-rwxrwxrwx 1   94 Feb 14 23:22 ser-uris.php
-rwxrwxrwx 1  309 Feb 14 23:22 ser_categories.php
-rwxrwxrwx 1 2741 Feb 22 21:14 ser_config.php
-rwxrwxrwx 1 3227 Feb 23 15:12 ser_events.php
-rwxrwxrwx 1 3742 Feb 23 15:13 ser_logins.php
-rwxrwxrwx 1  148 Feb 23 15:13 ser_sessions.php
-rwxrwxrwx 1  118 Feb 22 18:12 ser_tags.php
-rwxrwxrwx 1  349 Feb 23 15:13 ser_users.php
-rwxrwxrwx 1 2692 Feb 23 15:13 ser_weblogs.php
drwxrwxrwx 2   69 Feb 14 23:22 standard-00000
drwxrwxrwx 2   89 Feb 14 23:22 tagdata
drwxrwxrwx 2   23 Feb 14 23:09 tbkeys
drwxrwxrwx 2   23 Oct 12  2011 users

./cache:
total 320
-rwxrwxrwx 1  7851 Feb 22 18:14 %%09^091^09180905%%advconfig.tpl.php
-rwxrwxrwx 1  6652 Feb 22 19:32 %%0B^0B4^0B40EBED%%config.tpl.php
-rwxrwxrwx 1 10274 Feb 22 18:31 %%0C^0C9^0C95960D%%window_upload.tpl.php
-rwxrwxrwx 1  2083 Feb 22 18:11 %%11^111^111C95F7%%db%3Aeca2641ba5.php
-rwxrwxrwx 1  1486 Feb 22 18:31 %%18^183^183C037C%%inc_window_header.tpl.php
-rwxrwxrwx 1  1484 Feb 22 18:11 %%24^24E^24EBA1D6%%_sub_footer.tpl.php
-rwxrwxrwx 1  9321 Feb 22 19:53 %%27^27D^27DA1DD4%%users.tpl.php
-rwxrwxrwx 1   373 Feb 22 18:11 %%33^333^3334B354%%db%3Atpl_efb3a4fb74.php
-rwxrwxrwx 1   379 Feb 22 18:11 %%49^497^49741DC0%%db%3Atpl_4d536e9447.php
-rwxrwxrwx 1  2436 Feb 22 18:11 %%50^506^506BB4F7%%front.tpl.php
-rwxrwxrwx 1   732 Feb 22 18:11 %%5B^5BC^5BC3CE52%%db%3Atpl_9228d4acd6.php
-rw-r--r-- 1  5546 Feb 23 15:12 %%5E^5E6^5E655575%%inc_footer.tpl.php
-rwxrwxrwx 1   340 Feb 22 18:12 %%67^671^6711F29B%%db%3Atpl_22d63a79e3.php
-rwxrwxrwx 1  8008 Feb 22 18:12 %%6D^6D6^6D641BF7%%_sub_commentform.html.php
-rwxrwxrwx 1 15360 Feb 22 18:31 %%76^764^764BFEF7%%inc_plupload_element.tpl.php
-rwxrwxrwx 1 46379 Feb 22 21:08 %%86^864^8644F0D6%%home.tpl.php
-rwxrwxrwx 1  1043 Feb 22 18:11 %%8D^8DA^8DA911AA%%db%3Atpl_d708c31e32.php
-rw-r--r-- 1 12252 Feb 23 15:12 %%A7^A7D^A7D661A4%%inc_header.tpl.php
-rwxrwxrwx 1  5422 Feb 22 18:12 %%AB^ABA^ABAF6233%%entry.tpl.php
-rwxrwxrwx 1   367 Feb 22 18:12 %%BA^BA8^BA89FEA8%%db%3Atpl_72ad18480c.php
-rwxrwxrwx 1   822 Feb 22 18:11 %%BF^BF0^BF063D72%%_sub_weblog.tpl.php
-rwxrwxrwx 1  2917 Feb 22 18:22 %%C0^C0D^C0DFF6A7%%placeholder.tpl.php
-rwxrwxrwx 1   610 Feb 22 19:53 %%DA^DA5^DA53A20B%%modal.tpl.php
-rw-r--r-- 1  5106 Feb 23 15:12 %%DB^DBB^DBBCD783%%generic.tpl.php
-rwxrwxrwx 1  2091 Feb 22 18:11 %%DD^DD5^DD589507%%_sub_header.tpl.php
-rwxrwxrwx 1  8891 Feb 22 18:11 %%E1^E1A^E1A19F2E%%_sub_sidebar.tpl.php
-rwxrwxrwx 1  1002 Feb 22 18:11 %%E3^E37^E37DC68D%%db%3Atpl_224d0dcb64.php
-rwxrwxrwx 1 24675 Feb 22 18:13 9fc62144246da77ba99b6aea96e912ca.mpc
-rwxrwxrwx 1 43658 Feb 22 20:59 d9689667b2958a93fe9a4b54002e98a9.mpc
-rwxrwxrwx 1 24675 Feb 22 20:59 f334f854f7eb6eb5fd6466398c4b2c9c.mpc

./pages:
total 12
-rwxrwxrwx 1 1754 Feb 14 23:22 page_1.php
-rwxrwxrwx 1 1216 Feb 14 23:22 page_2.php
-rwxrwxrwx 1  184 Feb 14 23:22 pages.php

./refkeys:
total 4
-rwxrwxrwx 1 202 Dec 23  2009 index.html

./rsscache:
total 4
-rwxrwxrwx 1 202 Dec 23  2009 index.html

./search:
total 92
-rwxrwxrwx 1  54 Feb 14 23:22 2.php
-rwxrwxrwx 1 157 Feb 14 23:22 a.php
-rwxrwxrwx 1  75 Feb 14 23:22 b.php
-rwxrwxrwx 1  98 Feb 14 23:22 c.php
-rwxrwxrwx 1  63 Feb 14 23:22 d.php
-rwxrwxrwx 1 173 Feb 14 23:22 e.php
-rwxrwxrwx 1 162 Feb 14 23:22 f.php
-rwxrwxrwx 1 818 Dec 23  2009 filtered_words.txt
-rwxrwxrwx 1  73 Feb 14 23:22 g.php
-rwxrwxrwx 1  92 Feb 14 23:22 h.php
-rwxrwxrwx 1  86 Feb 14 23:22 i.php
-rwxrwxrwx 1  81 Feb 14 23:22 l.php
-rwxrwxrwx 1  94 Feb 14 23:22 m.php
-rwxrwxrwx 1  52 Feb 14 23:22 n.php
-rwxrwxrwx 1 118 Feb 14 23:22 o.php
-rwxrwxrwx 1 231 Feb 14 23:22 p.php
-rwxrwxrwx 1  56 Feb 14 23:22 q.php
-rwxrwxrwx 1  78 Feb 14 23:22 r.php
-rwxrwxrwx 1 169 Feb 14 23:22 s.php
-rwxrwxrwx 1 163 Feb 14 23:22 t.php
-rwxrwxrwx 1  55 Feb 14 23:22 u.php
-rwxrwxrwx 1 208 Feb 14 23:22 w.php
-rwxrwxrwx 1  97 Feb 14 23:22 y.php

./standard-00000:
total 12
-rwxrwxrwx 1 2114 Feb 14 23:22 00001.php
-rwxrwxrwx 1 1099 Feb 14 23:22 00002.php
-rwxrwxrwx 1 1156 Feb 14 23:22 index-standard-00000.php

./tagdata:
total 20
-rwxrwxrwx 1 202 Dec 23  2009 index.html
-rwxrwxrwx 1   6 Feb 14 23:22 pivot.rel
-rwxrwxrwx 1   1 Feb 14 23:22 pivot.tag
-rwxrwxrwx 1   5 Feb 14 23:22 pivotx.rel
-rwxrwxrwx 1   1 Feb 14 23:22 pivotx.tag

./tbkeys:
total 4
-rwxrwxrwx 1 202 Dec 23  2009 index.html

./users:
total 4
-rwxrwxrwx 1 202 Dec 23  2009 index.html



NOTE: the files in the cache directory constantly change.

Here is the images directory:

total 8
drwxrwxrwx 2    6 Feb 22 18:31 2014-02
-rwxrwxrwx 1 4009 Jan 19 06:18 icon_pivotx.jpg
-rwxrwxrwx 1  212 Dec 23  2009 index.html

./2014-02:
total 0


And finally for the templates directory:

total 64
-rwxrwxrwx 1  855 Dec 23  2009 404.html
-rwxrwxrwx 1 2399 Oct  5  2010 _sub_commentform.html
-rwxrwxrwx 1 3068 Oct  5  2010 _sub_commentform_extended.html
drwxrwxrwx 2 4096 Feb 14 23:09 bare_bones
drwxrwxrwx 3 4096 Feb 14 23:09 default
-rwxrwxrwx 1  403 Dec  8  2010 default_offline.html
-rwxrwxrwx 1 1335 May  8  2012 error.html
-rwxrwxrwx 1 1269 Nov 13  2012 feed_atom_template.xml
-rwxrwxrwx 1 1262 Nov 13  2012 feed_comments_atom_template.xml
-rwxrwxrwx 1 1067 Jan 31  2011 feed_comments_rss_template.xml
-rwxrwxrwx 1 1252 Mar 23  2011 feed_rss_template.xml
-rwxrwxrwx 1  202 Dec 23  2009 index.html
drwxrwxrwx 2 4096 Feb 14 23:09 mobile
-rwxrwxrwx 1 8142 Jan 27  2011 pivotx_essentials.css
drwxrwxrwx 3 4096 Sep 16  2012 skinny

./bare_bones:
total 160
-rwxrwxrwx 1   610 Sep 16  2012 _sub_about.tpl
-rwxrwxrwx 1    75 Sep 16  2012 _sub_footer.tpl
-rwxrwxrwx 1   762 Sep 16  2012 _sub_header.tpl
-rwxrwxrwx 1   474 Sep 16  2012 _sub_link_list.tpl
-rwxrwxrwx 1  2114 Sep 16  2012 _sub_sidebar.tpl
-rwxrwxrwx 1   760 Sep 16  2012 _sub_weblog.tpl
-rwxrwxrwx 1   464 Sep 16  2012 archive.tpl
-rwxrwxrwx 1 75787 Sep 16  2012 bare_bones-big.jpg
-rwxrwxrwx 1  9897 Dec 23  2009 bare_bones.jpg
-rwxrwxrwx 1  2407 Sep 16  2012 bare_bones.theme
-rwxrwxrwx 1  1004 Sep 16  2012 entry.tpl
-rwxrwxrwx 1    45 Sep 16  2012 entrypage_template.html
-rwxrwxrwx 1    46 Sep 16  2012 extra_template.html
-rwxrwxrwx 1   441 Sep 16  2012 front.tpl
-rwxrwxrwx 1    45 Sep 16  2012 frontpage_template.html
-rwxrwxrwx 1   474 Sep 16  2012 installation.txt
-rwxrwxrwx 1   457 Sep 16  2012 page.tpl
-rwxrwxrwx 1    44 Sep 16  2012 page_template.html
-rwxrwxrwx 1   335 Sep 16  2012 search.tpl
-rwxrwxrwx 1  1837 Sep 16  2012 style.css

./default:
total 400
-rwxrwxrwx 1   568 Sep 16  2012 _sub_about.tpl
-rwxrwxrwx 1  1422 Sep 16  2012 _sub_entry.tpl
-rwxrwxrwx 1  1763 Sep 16  2012 _sub_footer.tpl
-rwxrwxrwx 1  1203 Sep 16  2012 _sub_header.tpl
-rwxrwxrwx 1   491 Sep 16  2012 _sub_link_list.tpl
-rwxrwxrwx 1   327 Sep 16  2012 _sub_page.tpl
-rwxrwxrwx 1  1423 Sep 16  2012 _sub_sidebar.tpl
-rwxrwxrwx 1   851 Sep 16  2012 _sub_weblog.tpl
-rwxrwxrwx 1   927 Sep 16  2012 _sub_weblog_linkdump.tpl
-rwxrwxrwx 1   584 Sep 16  2012 archive_2.tpl
-rwxrwxrwx 1   577 Sep 16  2012 archive_3.tpl
-rwxrwxrwx 1    49 Sep 16  2012 archivepage_template_2column.html
-rwxrwxrwx 1    49 Sep 16  2012 archivepage_template_3column.html
-rwxrwxrwx 1 88808 Sep 16  2012 default_2-big.jpg
-rwxrwxrwx 1 30525 Sep 16  2012 default_2.jpg
-rwxrwxrwx 1  2736 Sep 16  2012 default_2.theme
-rwxrwxrwx 1 94203 Sep 16  2012 default_3-big.jpg
-rwxrwxrwx 1 32458 Sep 16  2012 default_3.jpg
-rwxrwxrwx 1  2736 Sep 16  2012 default_3.theme
-rwxrwxrwx 1   396 Sep 16  2012 entry_2.tpl
-rwxrwxrwx 1   269 Sep 16  2012 entry_3.tpl
-rwxrwxrwx 1    47 Sep 16  2012 entrypage_template_2column.html
-rwxrwxrwx 1    47 Sep 16  2012 entrypage_template_3column.html
-rwxrwxrwx 1    48 Sep 16  2012 extrapage_template_2column.html
-rwxrwxrwx 1    48 Sep 16  2012 extrapage_template_3column.html
-rwxrwxrwx 1   583 Sep 16  2012 front_2.tpl
-rwxrwxrwx 1   613 Sep 16  2012 front_3.tpl
-rwxrwxrwx 1    47 Sep 16  2012 frontpage_template_2column.html
-rwxrwxrwx 1    47 Sep 16  2012 frontpage_template_3column.html
drwxrwxrwx 2  4096 Feb 14 23:09 images
-rwxrwxrwx 1   737 Sep 16  2012 installation.txt
-rwxrwxrwx 1   391 Sep 16  2012 page_2.tpl
-rwxrwxrwx 1    46 Sep 16  2012 page_2column.html
-rwxrwxrwx 1   275 Sep 16  2012 page_3.tpl
-rwxrwxrwx 1    46 Sep 16  2012 page_3column.html
-rwxrwxrwx 1  5372 Dec 23  2009 pivotx_dark.css
-rwxrwxrwx 1  5131 Dec 23  2009 pivotx_default.css
-rwxrwxrwx 1  5052 Dec 23  2009 pivotx_light.css
-rwxrwxrwx 1   459 Sep 16  2012 search_2.tpl
-rwxrwxrwx 1   553 Sep 16  2012 search_3.tpl

./default/images:
total 252
-rwxrwxrwx 1    43 Dec 23  2009 background_comments.gif
-rwxrwxrwx 1   320 Dec 23  2009 background_comments.jpg
-rwxrwxrwx 1   869 Dec 23  2009 background_content.jpg
-rwxrwxrwx 1   375 Dec 23  2009 background_dark.jpg
-rwxrwxrwx 1    43 Dec 23  2009 background_h2.gif
-rwxrwxrwx 1    43 Dec 23  2009 background_h2_dark.gif
-rwxrwxrwx 1    43 Dec 23  2009 background_h3.gif
-rwxrwxrwx 1    49 Dec 23  2009 background_h3_light.gif
-rwxrwxrwx 1    49 Dec 23  2009 background_h3_over.gif
-rwxrwxrwx 1    82 Dec 23  2009 background_left_2.gif
-rwxrwxrwx 1   123 Dec 23  2009 background_left_3.gif
-rwxrwxrwx 1   120 Dec 23  2009 background_left_3_light.gif
-rwxrwxrwx 1  1482 Dec 23  2009 background_light.jpg
-rwxrwxrwx 1   127 Dec 23  2009 background_linkdump.gif
-rwxrwxrwx 1    56 Dec 23  2009 background_pattern.gif
-rwxrwxrwx 1 62811 Dec 23  2009 header.jpg
-rwxrwxrwx 1 69295 Dec 23  2009 header_dark.jpg
-rwxrwxrwx 1 57857 Dec 23  2009 header_light.jpg

./mobile:
total 188
-rwxrwxrwx 1  3141 Jan 19 06:18 _sub_commentform.tpl
-rwxrwxrwx 1  2390 Jan 19 06:18 _sub_footer.tpl
-rwxrwxrwx 1   801 Sep 16  2012 _sub_header.tpl
-rwxrwxrwx 1   606 Sep 16  2012 _sub_weblog.tpl
-rwxrwxrwx 1   977 Jan 19 06:18 archive.tpl
-rwxrwxrwx 1  1835 Jan 19 06:18 entry.tpl
-rwxrwxrwx 1    45 Sep 16  2012 entrypage_template.html
-rwxrwxrwx 1   925 Sep 16  2012 front.tpl
-rwxrwxrwx 1    45 Sep 16  2012 frontpage_template.html
-rwxrwxrwx 1   290 Sep 16  2012 installation.txt
-rwxrwxrwx 1 90523 Sep 16  2012 mobile-big.jpg
-rwxrwxrwx 1 31206 Sep 16  2012 mobile.jpg
-rwxrwxrwx 1  2670 Sep 16  2012 mobile.theme
-rwxrwxrwx 1  1257 Jan 19 06:18 page.tpl
-rwxrwxrwx 1    44 Sep 16  2012 page_template.html
-rwxrwxrwx 1   380 Jan 19 06:18 search.tpl
-rwxrwxrwx 1    46 Sep 16  2012 search_template.html
-rwxrwxrwx 1  2416 Apr  1  2010 style.css

./skinny:
total 168
-rwxrwxrwx 1   222 Sep 16  2012 _sub_footer.tpl
-rwxrwxrwx 1   942 Sep 16  2012 _sub_header.tpl
-rwxrwxrwx 1  3252 Sep 16  2012 _sub_sidebar.tpl
-rwxrwxrwx 1   713 Sep 16  2012 _sub_weblog.tpl
-rwxrwxrwx 1   805 Sep 16  2012 archive.tpl
-rwxrwxrwx 1    47 Sep 16  2012 archivepage_template.html
-rwxrwxrwx 1  1966 Sep 16  2012 entry.tpl
-rwxrwxrwx 1    45 Sep 16  2012 entry_template.html
-rwxrwxrwx 1   858 Sep 16  2012 front.tpl
-rwxrwxrwx 1    46 Sep 16  2012 frontpage_template.html
drwxrwxrwx 2    23 Feb 14 23:09 images
-rwxrwxrwx 1   440 Aug 11  2013 installation.txt
-rwxrwxrwx 1  1014 Sep 16  2012 page.tpl
-rwxrwxrwx 1    44 Sep 16  2012 page_template.html
-rwxrwxrwx 1  2463 Aug 11  2013 readme.txt
-rwxrwxrwx 1  1300 Sep 16  2012 search.tpl
-rwxrwxrwx 1    46 Sep 16  2012 search_template.html
-rwxrwxrwx 1 82242 Sep 16  2012 skinny-big.jpg
-rwxrwxrwx 1 10412 Dec 23  2009 skinny.jpg
-rwxrwxrwx 1  2670 Sep 16  2012 skinny.theme
-rwxrwxrwx 1  3793 Aug 12  2013 style.css

./skinny/images:
total 8
-rwxrwxrwx 1 5818 Dec 23  2009 header.jpg



I see that others have talked about CSRF problems and have met success with disabling CSRF in the code. I'd rather get to the root cause of the problem and fix it rather than disabling it in the code.
storm9c1

Re: CSRF problem

Postby storm9c1 » Sun Feb 23, 2014 9:07 pm

Also tried adding the following to php.ini, thinking the "Suhosin Patch" might be interfering. No luck.

[suhosin]
suhosin.session.encrypt = Off
suhosin.session.cryptua = Off
suhosin.session.cryptdocroot = Off
;suhosin.session.cryptraddr = 0
suhosin.cookie.encrypt = Off
suhosin.cookie.cryptua = Off
;suhosin.cookie.cryptraddr = 0
suhosin.cookie.disallow_nul = Off


EDIT: phpinfo() is not even showing the suhosin section. I have no idea what the difference between the "Suhosin Patch" and the "Suhosin Module" would be, except that some blurb in the Suhosin documentation leads me to believe that if the patch is compiled in, then these settings cannot be controlled? Really? If so, how is anybody using this on Ubuntu?

"This server is protected with the Suhosin Patch 0.9.10
Copyright (c) 2006-2007 Hardened-PHP Project Copyright (c) 2007-2009 SektionEins GmbH"
storm9c1

Re: CSRF problem

Postby Harm10 » Sun Feb 23, 2014 10:57 pm

Sorry you are way out of my league.................. Perhaps hansfn can contribute something to this?
Harm10
Developer

Re: CSRF problem

Postby hansfn » Sun Feb 23, 2014 11:33 pm

CSRF check failed: 'null..' vs. 'ucvi13h4..'

Hm, "null" means that JavaScript didn't find a cookie with the name "pivotxsession". Normally, the problem is that the cookie is modified by the server, not missing.

1) Are you sure that you are properly logged in? If you just move around in the administration, are you asked to log in again?
2) If you are properly logged in, check the cookies the server has set in your browser (for the domain PivotX is running on).
hansfn
Developer
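The diagnosis above (a 'null' on the JavaScript side means the browser holds no cookie named pivotxsession that document.cookie can see) can be checked against the Set-Cookie header the server actually sends, which is visible in the browser's network tab or in the output of curl -i against the login page. The script below is an added example for this thread, not PivotX's own code. Given a Set-Cookie header and the URL of the page that received it, it lists the reasons a browser would refuse to store the cookie (Secure over plain http, a Domain that does not cover the host, Max-Age=0), would not send it back for that page (a Path that does not match), or would store and send it but hide it from JavaScript (HttpOnly). The last case is worth singling out because it produces exactly 'null' on the client while the server-side session looks healthy; in PHP that flag is controlled by session.cookie_httponly, and Secure by session.cookie_secure. The cookie name is taken from hansfn's post; the header values in SAMPLES and the page URL are constructed and do not describe the poster's server.

```python
"""Check whether a Set-Cookie header leaves the browser with a cookie that
JavaScript can read and that is sent back to the server.

Added example for this forum thread, not PivotX code.  The cookie name
'pivotxsession' comes from hansfn's diagnosis; the headers in SAMPLES and
the PAGE URL are constructed and do not describe any real server."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match: exact match, or a prefix match
    where the cookie path ends in '/' or the next request char is '/'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_problems(set_cookie, request_url, name="pivotxsession"):
    """Return the reasons the cookie `name` from this Set-Cookie header would
    be missing, not returned, or invisible to document.cookie for a page at
    `request_url`.  An empty list means the cookie should work."""
    url = urlparse(request_url)
    host = (url.hostname or "").lower()
    req_path = url.path or "/"
    jar = SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        return [f"no cookie named {name!r} in this Set-Cookie header; "
                f"present: {sorted(jar)}"]
    m = jar[name]
    problems = []
    if not m.value:
        problems.append("empty value: server set the cookie but put nothing in it")
    if m["max-age"] == "0":
        problems.append("Max-Age=0: browser deletes the cookie immediately")
    if m["secure"] and url.scheme != "https":
        problems.append("Secure flag on a plain-http site: browser discards the cookie")
    domain = m["domain"].lstrip(".").lower()
    if domain and host != domain and not host.endswith("." + domain):
        problems.append(f"Domain={m['domain']} does not cover host {host}: "
                        "browser rejects the cookie")
    if m["path"] and not path_matches(req_path, m["path"]):
        problems.append(f"Path={m['path']} does not match {req_path}: "
                        "cookie is not sent for this page")
    if m["httponly"]:
        problems.append("HttpOnly: stored and sent back, but document.cookie "
                        "cannot read it, so JavaScript sees null")
    return problems


# Constructed headers, not captured from the poster's server.
SAMPLES = {
    "ok":       "pivotxsession=ucvi13h4abcdefg; path=/",
    "httponly": "pivotxsession=ucvi13h4abcdefg; path=/; HttpOnly",
    "secure":   "pivotxsession=ucvi13h4abcdefg; path=/; Secure",
    "domain":   "pivotxsession=ucvi13h4abcdefg; path=/; Domain=www.other.example",
    "path":     "pivotxsession=ucvi13h4abcdefg; path=/pivotx",
    "other":    "PHPSESSID=76cp00e5226haos4m6ubnurtb7; path=/",
}
PAGE = "http://domain.com/index.php"   # assumed location of the admin page


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:9s} -> {cookie_problems(header, PAGE) or ['cookie should work']}")
```

One related caveat on the php.ini snippet earlier in the thread: the session and cookie encryption directives (suhosin.session.encrypt, suhosin.cookie.encrypt and friends) belong to the Suhosin extension, not to the core patch. A phpinfo() that shows the "Suhosin Patch" banner but no suhosin section means the extension is not loaded, so those lines are inert either way.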

Re: CSRF problem

Postby storm9c1 » Mon Feb 24, 2014 1:51 am

1) At first, I was able to move around but anytime I would save any setting, or add a user, I would get logged out. After clearing all of the cookies out of my browser last night, everything I click on results in the login page after first login.
2) Since I cleared the cookies, I cannot find any cookies regarding pivotx. I've tried both Firefox and Chrome.

Any idea if there are any php.ini settings that would cause this type of behavior?
storm9c1

Re: CSRF problem

Postby storm9c1 » Mon Feb 24, 2014 2:03 am

Not sure if this helps:

Clearing out /var/lib/php5, and then logging in results in these 5 session files appearing on the webserver. The first one does contain "pivotxsession|s:15:" as the first part of the string. I don't want to post the entire string here but I could send it in a PM, if that would help.

Here are the contents of /var/lib/php5. Notice the others are empty:
-rw-------  1 www-data www-data  354 Feb 23 20:59 sess_76cp00e5226haos4m6ubnurtb7
-rw-------  1 www-data www-data    0 Feb 23 20:59 sess_9prmtm04q4fsc9ke17p7b90pi0
-rw-------  1 www-data www-data    0 Feb 23 20:59 sess_k06o721k39tm68e1hbt5h0c187
-rw-------  1 www-data www-data    0 Feb 23 20:59 sess_kuih65icqun2hphpemstoa0ci6
-rw-------  1 www-data www-data    0 Feb 23 20:59 sess_p1a4t910cicsa632rn8rq8pjn1


Thanks.
storm9c1
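Session files give a second angle on the same problem from the shell side. A PHP session file is written by session_start(); one that stays at 0 bytes belongs to a session that never had anything stored in it, and a handful of them appearing within the same minute from a single browser is what you get when each request arrives without the session cookie and starts a fresh session. The script below is an added example for this thread, not PivotX code: it parses the default PHP session serialisation (name|value pairs in PHP's serialize() format) and reports, per sess_* file, whether it is empty and which variables it holds, so an administrator with shell access can confirm that only the login request's session carries the pivotxsession value. Point it at a real save path such as /var/lib/php5 (reading those 0600 www-data files needs root or the web server user, and they hold live login state, so keep them off the forum, as the poster did). Without an argument it builds a temporary directory of constructed sample files using the session IDs from the listing above; the contents of SAMPLE_SESSION are made up apart from the pivotxsession variable name.

```python
"""List which PHP session files actually carry data, and what they hold.

Added example for this forum thread, not PivotX code.  Parses the default
PHP session save format: variable|<serialize()d value> pairs, concatenated.
SAMPLE_SESSION and the sample files are constructed; only the variable name
'pivotxsession' and the session IDs are taken from the thread."""
import os
import sys
import tempfile


def parse_php_value(data, pos):
    """Parse one PHP-serialised value at data[pos]; return (value, next_pos).
    `data` is a str decoded as latin-1 so one char equals one byte and the
    byte counts in s:<len>: line up.  Supports N, b, i, d, s and a."""
    t = data[pos]
    if t == "N":                                   # N;
        return None, pos + 2
    if t in "bid":                                 # b:1;  i:42;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        value = {"i": int, "d": float}.get(t, lambda x: x == "1")(raw)
        return value, end + 1
    if t == "s":                                   # s:5:"hello";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if t == "a":                                   # a:2:{<key><value>...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                              # skip :{
        items = {}
        for _ in range(count):
            key, p = parse_php_value(data, p)
            value, p = parse_php_value(data, p)
            items[key] = value
        return items, p + 1                        # skip }
    raise ValueError(f"unsupported serialised type {t!r} at offset {pos}")


def parse_session(data):
    """Split the body of a session file into {variable_name: value}."""
    variables = {}
    pos = 0
    while pos < len(data):
        bar = data.index("|", pos)                 # names cannot contain '|'
        name = data[pos:bar]
        value, pos = parse_php_value(data, bar + 1)
        variables[name] = value
    return variables


def scan_session_dir(directory):
    """Map each sess_* file to its parsed variables, or None if it is empty."""
    report = {}
    for filename in sorted(os.listdir(directory)):
        if not filename.startswith("sess_"):
            continue
        with open(os.path.join(directory, filename), encoding="latin-1") as f:
            data = f.read()
        report[filename] = parse_session(data) if data else None
    return report


# Constructed session body: a 15-byte pivotxsession string plus a made-up
# 'demo_login' array; real PivotX sessions hold different variables.
SAMPLE_SESSION = ('pivotxsession|s:15:"ucvi13h4abcdefg";'
                  'demo_login|a:2:{s:4:"user";s:5:"alice";s:9:"logged_in";b:1;}')


def build_sample_dir():
    """Write one populated session and three empty ones to a temp dir,
    mirroring the listing in the thread, and return the directory path."""
    directory = tempfile.mkdtemp(prefix="php5-sessions-")
    files = {
        "sess_76cp00e5226haos4m6ubnurtb7": SAMPLE_SESSION,
        "sess_9prmtm04q4fsc9ke17p7b90pi0": "",
        "sess_k06o721k39tm68e1hbt5h0c187": "",
        "sess_kuih65icqun2hphpemstoa0ci6": "",
    }
    for name, content in files.items():
        with open(os.path.join(directory, name), "w", encoding="latin-1") as f:
            f.write(content)
    return directory


if __name__ == "__main__":
    # usage: python session_scan.py /var/lib/php5   (needs read access to the files)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for name, variables in scan_session_dir(target).items():
        if variables is None:
            print(f"{name}: empty (new session that never stored anything)")
        else:
            print(f"{name}: {', '.join(variables)}  "
                  f"pivotxsession={variables.get('pivotxsession')!r}")
```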

Re: CSRF problem

Postby storm9c1 » Mon Feb 24, 2014 4:23 pm

Maybe I'll try NGINX tomorrow. I've been using Apache for almost 20 years, not as much experience with nginx. But it might help me narrow down whether it's Apache, PHP, or PivotX causing the problem. If you have any other suggestions, let me know. Including if you want to poke around on the site (I can PM you with the details).
storm9c1

Re: CSRF problem

Postby hansfn » Mon Feb 24, 2014 11:46 pm

This seems like a session problem. I could take a quick look - send me the details at hansfn@pivotx.net
hansfn
Developer
