View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|13761||Bug reports||[All Projects] Survey taking||public||2018-06-13 10:08||2019-09-05 15:07|
|Target Version||Fixed in Version||3.17.x|
|Summary||13761: CSRF error token - with IE 11|
My default browser was Firefox.
On the other hand, I had an update that set Internet Explorer as the default browser.
|Steps To Reproduce|
Here are the different scenarios to reproduce this error:
Prerequisites: a questionnaire with an invitation table (and guests lol).
If Internet Explorer is launched with a first tab other than a limesurvey page, the tests work (click on the link received in the invitation -> open a new tab.)
If you have opened a tab by going to a questionnaire / or administration interface, using the link to participate in a questionnaire opens a new tab. If we start to answer the questionnaire, we will get the CSRF error message.
It will be necessary to close IE, then launch it again with NO tab in connection with limesurvey, before clicking on the link received in the invitation, to be able to answer the questionnaire.
If you click on the link received by invitation, IE will open and when you start to fill out the questionnaire, you will get the error message.
Tested on the following versions:
Version 3.9.0 + 180604 -> KO
@Denis: thanks for the information, this is the session (PHPSESSID) that must be opened by IE when it is launched.
I added the parameter, but no change for IE (in any case I can open multiple versions in the same browser :))
'session' => array (
I add the questionnaire that allowed me to do the tests (it is very simple).
I had to disable CSRF management in the config file to allow people to respond.
|Tags||No tags attached.|
|Complete LimeSurvey version number (& build)||3.9.0+180604|
|I will donate to the project if issue is resolved||No|
|Database & DB-Version||Postgresql 9.4|
|Server OS (if known)||Centos 7|
|Webserver software & version (if known)||apache 2.4|
CSRF_error_and_sendmail_LimeSurvey_V3.doc (847,872 bytes)
TEST_CSRF_limesurvey_survey_128689.lss (16,759 bytes)
And when you disable CSRF: no issue? Response is saved?
With 2 tabs on the same browser with LimeSurvey, OK, I can understand, but the biggest issue is « If you click on the link received by invitation, IE will open and when you start to fill out the questionnaire, you will get the error message.»
Maybe related bug: https://github.com/panique/huge/issues/733
Can you test with
Take a closer look at https://bugs.limesurvey.org/view.php?id=12083 towards the end of the ticket (https://bugs.limesurvey.org/view.php?id=12083#c42886).
@asshank we try to set session.name to Dev (thanks to your bug report and way to fix) (using Yii), but here: the 2 tabs on the same LimeSurvey instance …
@riqcles and @asshank: can you test with https://gitlab.com/SondagesPro/coreAndTools/sessionNameBySurvey
If it works: I'll make a pull request for master.
Remember the part with: 'autoStart' => false,
And if it doesn't work: try to disable ajax in the survey template option :)
See this issue with Yii2 and pjax : https://www.yiiframework.com/forum/index.php/topic/69079-pjax-with-ie11-and-edge/
Quote: no error whatever
Ajax is by default ON in vanilla. Shouldn't that be turned off by default in a starter theme?
@tammo: you do the test: does deactivating ajax mode fix the issue with IE11?
Really hard to reproduce, I test with https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ msedge Win10 virtual box.
Launch, go to the master.sondages.pro home page. Try with copy/paste link, try 2 different surveys at the same time, etc. … not able to have the issue …
I have the https://bugs.limesurvey.org/view.php?id=13761#c48113 fix inside my instance, maybe…
Capture du 2018-06-16 17-21-46.png (141,140 bytes)
Yes, I turned off Ajax in my (child of Vanilla) custom theme.
In Edge the survey now loads OK.
I really think that Ajax is an advanced feature that should be turned off by default and turned on by deliberate action only.
the issue must be fixed
« turning off the feature is not a way to fix it. » since this “feature” broke a lot of other features … maybe it's not a feature …
Currently: if a user has 3.X with a production survey: it's better if this “feature” is disabled
And: sometimes: some devs remove working features … without any reason …
OK, sessionNameBySurvey-master: must remove "-master" and I have the plugin.
I try but still KO
@tammo: can you try on IE11 (find in programs: iexplore)?
|2018-06-13 10:08||riqcles||New Issue|
|2018-06-13 10:08||riqcles||File Added: CSRF_error_and_sendmail_LimeSurvey_V3.doc|
|2018-06-13 10:08||riqcles||File Added: TEST_CSRF_limesurvey_survey_128689.lss|
|2018-06-13 11:35||DenisChenu||Note Added: 48076|
|2018-06-13 11:43||DenisChenu||Note Edited: 48076|
|2018-06-13 11:44||DenisChenu||Note Edited: 48076|
|2018-06-13 20:58||asshank||Note Added: 48102|
|2018-06-14 12:43||DenisChenu||Note Added: 48108|
|2018-06-14 16:07||DenisChenu||Note Added: 48113|
|2018-06-14 16:08||DenisChenu||Note Edited: 48113|
|2018-06-15 17:47||DenisChenu||Note Added: 48181|
|2018-06-15 23:36||tammo||Note Added: 48190|
|2018-06-15 23:37||tammo||Note Added: 48191|
|2018-06-16 10:40||DenisChenu||Note Added: 48192|
|2018-06-16 17:20||DenisChenu||Note Added: 48193|
|2018-06-16 17:22||DenisChenu||File Added: Capture du 2018-06-16 17-21-46.png|
|2018-06-17 08:58||tammo||Note Added: 48196|
|2018-06-18 11:18||LouisGac||Assigned To||=> markusfluer|
|2018-06-18 11:18||LouisGac||Status||new => assigned|
|2018-06-18 11:20||LouisGac||Note Added: 48202|
|2018-06-18 11:21||LouisGac||Note Added: 48203|
|2018-06-18 11:38||LouisGac||Note Added: 48204|
|2018-06-21 11:08||riqcles||Note Added: 48256|
|2018-06-21 12:09||DenisChenu||Note Added: 48260|
|2018-06-21 12:10||DenisChenu||Note Edited: 48260|
|2018-06-21 17:23||riqcles||Note Added: 48269|
|2018-06-28 11:04||riqcles||Note Added: 48357|
|2019-09-05 15:07||markusfluer||Status||assigned => resolved|
|2019-09-05 15:07||markusfluer||Resolution||open => fixed|
|2019-09-05 15:07||markusfluer||Fixed in Version||=> 3.17.x|