Invalid request token error when sending invalid form again #7167
Comments
I think our checks for an empty session in various places (#6801, #6959 and #7052) are flawed, at least with the default
My thoughts:
I think checking for an empty session is generally correct, but we should also check if PHP has sent a
I was not able to reproduce this in Contao 5.3.
You are right, it does indeed not happen in Contao 5.3. At least not this way - because we only write to the session there when the form validates (and when we do, we do it properly). I tried to force the issue in Contao 5 with something like this:

```php
// src/EventListener/PrepareFormDataListener.php
namespace App\EventListener;

use Contao\CoreBundle\DependencyInjection\Attribute\AsHook;
use Symfony\Component\HttpFoundation\RequestStack;

#[AsHook('prepareFormData')]
class PrepareFormDataListener
{
    public function __construct(private readonly RequestStack $requestStack)
    {
    }

    public function __invoke(): void
    {
        // Argument 3 of the prepareFormData hook is the Form object; adding an
        // error makes validation fail so the form is rendered again.
        func_get_arg(3)->addError('Nope!');

        // Start the session without writing anything to it.
        $this->requestStack->getCurrentRequest()->getSession()->start();
    }
}
```

But weirdly no
You also need to make the native

```php
$this->requestStack->getCurrentRequest()->getSession()->start();
$_SESSION['FOO'] = 'bar';
```

Otherwise the session cookie gets cleared here: https://github.com/symfony/symfony/blob/95a9bd778786d3d6593ba214299b472e27fc308e/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php#L80

This way I was able to reproduce the issue in Contao 5, and #7213 also fixes it 🎉
Closing in favor of #7213
Affected version(s)

4.13, 5.3

Description
Unfortunately there is still another regression with the changes from #6801, #6959 and #7052. There can be situations where you encounter an "invalid request token" error during regular use. See the following reproduction:
Add the security question form field. Immediately submit the form again (within 5 seconds I think). I notice the following behaviour:

- `POST` request that will show the form again (as the form does not validate) responds with a `PHPSESSID` cookie, which is expected as the form's values are stored in the session for a short period. However, there is no CSRF token cookie in the response, which I think is unexpected. Whenever there is a session cookie there should always be a CSRF token cookie.
- `_contao/captcha/…`: there will be a CSRF token cookie in the response - but there might also be a `PHPSESSID=delete` instruction in the response.
- `_contao/captcha/…`, which then also deletes the CSRF token cookie.

I think overall the core issue is that the CSRF token cookie is missing in the response of the POST request.
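As an added example (not code from this issue, from Contao or from Symfony), a Symfony response listener that checks the invariant stated in the report, that a response setting the session cookie also sets a CSRF token cookie, and logs a warning when the two disagree. The class name, the file path and the `csrf_` cookie prefix are assumptions; it reads the native session cookie from `headers_list()` because the `PHPSESSID=deleted` header sent by `setcookie()` never appears on the `Response` object.

```php
<?php
// src/EventListener/SessionCsrfCookieCheckListener.php (hypothetical path)
// Runs after Symfony's SessionListener (priority -1000) has saved the session,
// so the native session cookie, set or "deleted", is already queued by PHP.
namespace App\EventListener;

use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

#[AsEventListener(event: KernelEvents::RESPONSE, priority: -2048)]
class SessionCsrfCookieCheckListener
{
    public function __construct(
        private readonly LoggerInterface $logger,
        private readonly string $csrfCookiePrefix = 'csrf_', // assumed prefix of the CSRF token cookies
    ) {
    }

    public function __invoke(ResponseEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest() || !$request->hasSession()) {
            return;
        }
        $sessionName = $request->getSession()->getName();
        $session = $csrf = null; // null (not touched), 'set' or 'deleted'

        // Cookies queued on the Response object plus Set-Cookie headers PHP has already sent natively.
        $fromResponse = array_map(fn ($c) => 'Set-Cookie: '.$c, $event->getResponse()->headers->getCookies());
        $native = array_filter(headers_list(), fn (string $h) => 0 === stripos($h, 'Set-Cookie:'));
        foreach ([...$fromResponse, ...$native] as $header) {
            [$name, $value] = explode('=', explode(';', trim(substr($header, 11)), 2)[0], 2) + [1 => ''];
            $status = '' === $value || 'deleted' === $value ? 'deleted' : 'set';
            if ($name === $sessionName) {
                $session = $status;
            } elseif (str_starts_with($name, $this->csrfCookiePrefix) && 'set' !== $csrf) {
                $csrf = $status; // a CSRF cookie being set outweighs another one being deleted
            }
        }

        if ('set' === $session && 'set' !== $csrf) {
            $this->logger->warning('Session cookie set without a CSRF token cookie on {uri}', ['uri' => $request->getRequestUri()]);
        } elseif ('deleted' === $session && 'set' === $csrf) {
            $this->logger->warning('CSRF token cookie set while the session cookie is deleted on {uri}', ['uri' => $request->getRequestUri()]);
        }
    }
}
```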