View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|13761||Bug reports||[All Projects] Survey taking||public||2018-06-13 10:08||2018-06-18 11:38|
|Target Version||Fixed in Version|
|Summary||13761: CSRF error token - with IE 11|
I encounter the problem of CSRF token which at the beginning was not easy to reproduce.
My default browser was Firefox.
When I tested my questionnaires before activation, or after activation, with or without invitations, no problem!
On the other hand, I had an update that set Internet Explorer as the default browser.
|Steps To Reproduce||Here are the different scenarios to reproduce this error:|
Prerequisites: a questionnaire with an invitation table (and guests lol).
1. IE with a different Tab from LimeSurvey
If Internet Explorer is launched with a first tab other than a limesurvey page, the tests work (click on the link received in the invitation -> open a new tab.)
2. IE with a Tab with LimeSurvey
If you have opened a tab by going to a questionnaire / or administration interface, using the link to participate in a questionnaire opens a new tab. If we start to answer the questionnaire, we will get the CSRF error message.
It will be necessary to close IE, then launch it again with NO tab in connection with limesurvey, before clicking on the link received in the invitation, to be able to answer the questionnaire.
3. IE in default browser - NOT OPEN
If you click on the link received by invitation, IE will open and when you start to fill out the questionnaire, you will get the error message.
Tested on the following versions:
2.62.2 + 170203 -> KO
2.73.1 + 171220 -> KO
2.64.3 + 170327 -> KO
Version 3.9.0 + 180604 -> KO
|Additional Information||@Denis: thanks for the information, this is the session (PHPSESSID) that must be opened by IE when it is launched.|
I added the parameter, but no change for IE (in any case I can open multiple versions in the same browser :))
'session' => array (
    'sessionName' => "Dev",
),
I add the questionnaire that allowed me to do the tests (it is very simple).
I had to disable CSRF management in the config file to allow people to respond.
|Tags||No tags attached.|
|Complete LimeSurvey version number (& build)||3.9.0+180604|
|I will donate to the project if issue is resolved||No|
|Database & DB-Version||Postgresql 9.4|
|Operating System (Server)||Centos 7|
|Webserver software & version||apache 2.4|
CSRF_error_and_sendmail_LimeSurvey_V3.doc (847,872 bytes)
TEST_CSRF_limesurvey_survey_128689.lss (16,759 bytes)
And when you disable CSRF: no issue? Response is saved?
With 2 tabs in the same browser with LimeSurvey, OK, I can understand, but the biggest issue is « If you click on the link received by invitation, IE will open and when you start to fill out the questionnaire, you will get the error message.»
Maybe related bug: https://github.com/panique/huge/issues/733
Solution is adding / on the CSRF cookie ????
Can you test with
'request' => array(
    'csrfCookie' => array(
        'path' => '/', // or '/subdir/' if you are on a subdir
        'path' => './' // ??? really strange fix …
    ),
),
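How the three candidate 'path' values above scope a cookie under the RFC 6265 rules, as an added example that is not part of the original thread or of LimeSurvey's code. It models the standard's default-path and path-match algorithms only, not IE 11's actual behaviour; the /subdir/ install and the request paths are constructed.

```javascript
// Added example: models RFC 6265 cookie-path rules, not IE 11's actual behaviour.

// Section 5.1.4: default-path is the request path up to, but not including,
// its right-most "/".
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== "/") return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : requestPath.slice(0, lastSlash);
}

// Section 5.2.4: a Path value that is empty or does not start with "/" is
// ignored, and the default-path of the response's URL is used instead.
function effectiveCookiePath(pathAttr, setOnPath) {
  if (!pathAttr || pathAttr[0] !== "/") return defaultPath(setOnPath);
  return pathAttr;
}

// Section 5.1.4: path-match between a stored cookie-path and a request path.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

function cookieSent(pathAttr, setOnPath, laterPath) {
  return pathMatches(effectiveCookiePath(pathAttr, setOnPath), laterPath);
}

// Constructed sample paths for a hypothetical install under /subdir/.
const SET_ON = "/subdir/index.php/128689";
const LATER = ["/subdir/index.php/128689", "/subdir/index.php/admin/", "/subdir/", "/"];

// One row per candidate 'path' value from the config being tested.
function scopeTable() {
  return ["/", "/subdir/", "./"].map((attr) => ({
    attr,
    stored: effectiveCookiePath(attr, SET_ON),
    sentTo: LATER.filter((p) => cookieSent(attr, SET_ON, p)),
  }));
}

for (const row of scopeTable()) {
  console.log(`path=${row.attr} stored as ${row.stored} -> sent to ${row.sentTo.join(", ")}`);
}
```

Under these rules './' is not a usable Path value, so a conforming client falls back to the directory of the URL that set the cookie, which is a narrower scope than either '/' or '/subdir/'.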
Take a closer look at https://bugs.limesurvey.org/view.php?id=12083 towards the end of the ticket (https://bugs.limesurvey.org/view.php?id=12083#c42886).
Maybe this will point you in the right direction. Very complex.. I cracked it for the problem I had
@asshank we try to set session.name to Dev (thanks to your bug report and way to fix) (using Yii), but here: the 2 tabs on the same LimeSurvey instance …
@riqcles and @asshank : can you test with https://gitlab.com/SondagesPro/coreAndTools/sessionNameBySurvey
If it works: I'll make a pull request for master.
Remember the part with: 'autoStart' => false,
'session' => array (
    'autoStart' => false,
    'sessionName' => "LimeSurvey",
),
And if it doesn't work: try to disable ajax in the survey template option :)
See this issue with Yii2 and pjax : https://www.yiiframework.com/forum/index.php/topic/69079-pjax-with-ie11-and-edge/
Quote: no error whatever
Ajax is by default ON in vanilla. Shouldn't that be turned off by default in a starter theme?
@tammo: you did the test: deactivating ajax mode fixes the issue with IE11?
(I have to set up my VirtualBox instance with IE11, but if you already did the test: great :) )
Really hard to reproduce, I tested with https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ msedge Win10 virtual box.
Launch, go to master.sondages.pro home page. Tried with copy/paste link, tried 2 different surveys at the same time etc … not able to have the issue …
I have the https://bugs.limesurvey.org/view.php?id=13761#c48113 fix inside my instance, maybe…
Capture du 2018-06-16 17-21-46.png (141,140 bytes)
Yes, I turned off Ajax in my (child of Vanilla) custom theme.
In Edge the survey now loads OK.
I really think that Ajax is an advanced feature that should be turned off by default and turned on by deliberate action only.
the issue must be fixed
turning off the feature is not a way to fix it.
|2018-06-13 10:08||riqcles||New Issue|
|2018-06-13 10:08||riqcles||File Added: CSRF_error_and_sendmail_LimeSurvey_V3.doc|
|2018-06-13 10:08||riqcles||File Added: TEST_CSRF_limesurvey_survey_128689.lss|
|2018-06-13 11:35||DenisChenu||Note Added: 48076|
|2018-06-13 11:43||DenisChenu||Note Edited: 48076|
|2018-06-13 11:44||DenisChenu||Note Edited: 48076|
|2018-06-13 20:58||asshank||Note Added: 48102|
|2018-06-14 12:43||DenisChenu||Note Added: 48108|
|2018-06-14 16:07||DenisChenu||Note Added: 48113|
|2018-06-14 16:08||DenisChenu||Note Edited: 48113|
|2018-06-15 17:47||DenisChenu||Note Added: 48181|
|2018-06-15 23:36||tammo||Note Added: 48190|
|2018-06-15 23:37||tammo||Note Added: 48191|
|2018-06-16 10:40||DenisChenu||Note Added: 48192|
|2018-06-16 17:20||DenisChenu||Note Added: 48193|
|2018-06-16 17:22||DenisChenu||File Added: Capture du 2018-06-16 17-21-46.png|
|2018-06-17 08:58||tammo||Note Added: 48196|
|2018-06-18 11:18||LouisGac||Assigned To||=> markusfluer|
|2018-06-18 11:18||LouisGac||Status||new => assigned|
|2018-06-18 11:20||LouisGac||Note Added: 48202|
|2018-06-18 11:21||LouisGac||Note Added: 48203|
|2018-06-18 11:38||LouisGac||Note Added: 48204|