ID: 13761
Project: Bug reports
Category: Survey taking
View Status: public
Last Update: 2020-03-09 15:36
Reporter: riqcles
Assigned To: markusfluer
Priority: none
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 3.9.x
Fixed in Version: 3.17.x
Summary: 13761: CSRF error token - with IE 11
Description

Hello,
I encounter the problem of CSRF token which at the beginning was not easy to reproduce.

My default browser was Firefox.
When I tested my questionnaires before activation, or after activation, with or without invitations, no problem!

On the other hand, I had an update that gave as default browser Internet Explorer.

Steps To Reproduce

Here are the different scenarios to reproduce this error:

Prerequisites: a questionnaire with an invitation table (and guests lol).

  1. IE with a different Tab from LimeSurvey

If Internet Explorer is launched with a first tab other than a limesurvey page, the tests work (click on the link received in the invitation -> open a new tab.)

  2. IE with a Tab with LimeSurvey

If you have opened a tab by going to a questionnaire / or administration interface, using the link to participate in a questionnaire opens a new tab. If we start to answer the questionnaire, we will get the CSRF error message.

It will be necessary to close IE, then launch it again with NO tab in connection with limesurvey, before clicking on the link received in the invitation, to be able to answer the questionnaire.

  3. IE in default browser - NOT OPEN

If you click on the link received by invitation, IE will open and when you start to fill out the questionnaire, you will get the error message.

Tested on the following versions:
2.62.2 + 170203 -> KO
2.73.1 + 171220 -> KO
2.64.3 + 170327 -> KO

Version 3.9.0 + 180604 -> KO

Additional Information

@Denis: thanks for the information, this is the session (PHPSESSID) that must be opened by IE when it is launched.

I added the parameter, but no change for IE (in any case I can open multiple versions in the same browser :))

'session' => array (
    'sessionName' => "Dev",
)

I add the questionnaire that allowed me to do the tests (it is very simple).

I had to disable CSRF management in the config file to allow people to respond.

Tags: No tags attached.
Attached Files
Bug heat: 10
Complete LimeSurvey version number (& build): 3.9.0+180604
I will donate to the project if issue is resolved: No
Browser: IE11
Database type & version: Postgresql 9.4
Server OS (if known): Centos 7
Webserver software & version (if known): apache 2.4
PHP Version: 5.6

Activities

DenisChenu

2018-06-13 11:35

developer   ~48076

Last edited: 2018-06-13 11:44

And when you disable CSRF: no issue? Response is saved?

With 2 tabs on the same browser with LimeSurvey, OK, I can understand, but the biggest issue is « If you click on the link received by invitation, IE will open and when you start to fill out the questionnaire, you will get the error message. »

:/

Maybe related bug: https://github.com/panique/huge/issues/733
Solution is adding / on the CSRF cookie????

Can you test with
'request' => array(
    'csrfCookie' => array(
        'path' => '/', // or '/subdir/' if you are on a subdir
    )
),

OR
        'path' => './' // ??? really strange fix …
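
What the three `path` values proposed above mean to a browser that follows RFC 6265, and how a cookie that is not sent back fails a double-submit CSRF check. This is an added example, not code from LimeSurvey, Yii or any participant in this thread; the URLs, the token and all function names are constructed, and strict RFC 6265 behaviour in the browser is an assumption.

```javascript
// Added example: RFC 6265 cookie-path rules plus a double-submit CSRF check.
// URLs, token value and function names are constructed for illustration.

// RFC 6265 section 5.1.4: default-path, derived from the URL path that set the cookie.
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== '/') return '/';
  const lastSlash = uriPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : uriPath.slice(0, lastSlash);
}

// RFC 6265 section 5.2.4: a Path value that is empty or does not start with "/"
// is ignored and the default-path is used instead (the fate of './').
function effectiveCookiePath(pathAttr, settingUriPath) {
  return pathAttr && pathAttr[0] === '/' ? pathAttr : defaultPath(settingUriPath);
}

// RFC 6265 section 5.1.4: path-match between a request path and a cookie-path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Double-submit check: the token posted with the form must equal the cookie token.
function csrfValid(cookieToken, postedToken) {
  return typeof cookieToken === 'string' && cookieToken !== '' && cookieToken === postedToken;
}

// One round trip: cookie set by the page at setPath, form then posted to postPath.
function roundTrip(pathAttr, setPath, postPath) {
  const token = 'constructed-token-1234';
  const cookiePath = effectiveCookiePath(pathAttr, setPath);
  const cookieSent = pathMatches(postPath, cookiePath) ? token : undefined;
  return { cookiePath, valid: csrfValid(cookieSent, token) };
}

// Constructed URLs for an install under /subdir/ (not real LimeSurvey routes).
const SET = '/subdir/index.php/admin/authentication';
const POST = '/subdir/index.php/128689';
const results = {
  root: roundTrip('/', SET, POST),
  subdir: roundTrip('/subdir/', SET, POST),
  dotSlash: roundTrip('./', SET, POST),
};
console.log(results);
```

With `'/'` and `'/subdir/'` the cookie is returned on the survey URL and the check passes; with `'./'` the scope falls back to the directory of whichever page set the cookie, so the result depends on which tab was opened first.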

asshank

2018-06-13 20:58

reporter   ~48102

Take a closer look at https://bugs.limesurvey.org/view.php?id=12083 towards the end of the ticket (https://bugs.limesurvey.org/view.php?id=12083#c42886).
Maybe this will point you in the right direction. Very complex.. I cracked it for the problem I had

DenisChenu

2018-06-14 12:43

developer   ~48108

@asshank we try to set session.name to Dev (thanks to your bug report and way to fix) (using Yii), but here: the 2 tabs on the same LimeSurvey instance …

DenisChenu

2018-06-14 16:07

developer   ~48113

Last edited: 2018-06-14 16:08

@riqcles and @asshank: can you test with https://gitlab.com/SondagesPro/coreAndTools/sessionNameBySurvey

If it works: I make a pull request for master.

Remember the part with: 'autoStart' => false,
'session' => array (
    'autoStart' => false,
    'sessionName' => "LimeSurvey",
),

DenisChenu

2018-06-15 17:47

developer   ~48181

And if it doesn't work: try to disable ajax in the survey template option :)

See this issue with Yii2 and pjax : https://www.yiiframework.com/forum/index.php/topic/69079-pjax-with-ie11-and-edge/

tammo

2018-06-15 23:36

developer   ~48190

https://www.yiiframework.com/forum/index.php/topic/69079-pjax-with-ie11-and-edge/

Quote: no error whatever

tammo

2018-06-15 23:37

developer   ~48191

Ajax is by default ON in vanilla. Shouldn't that be turned off by default in a starter theme?

DenisChenu

2018-06-16 10:40

developer   ~48192

@tammo: you did the test: deactivating ajax mode fixes the issue with IE11?
(I have to set up my VirtualBox instance with IE11, but if you already did the test: great :) )

DenisChenu

2018-06-16 17:20

developer   ~48193

Really hard to reproduce, I test with https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ msedge Win10 VirtualBox.

Launch, go to master.sondages.pro home page. Try with copy/paste link, try 2 different surveys at the same time etc … not able to have the issue …

I have the https://bugs.limesurvey.org/view.php?id=13761#c48113 fix inside my instance, maybe…

tammo

2018-06-17 08:58

developer   ~48196

Yes, I turned off Ajax in my (child of Vanilla) custom theme.

In Edge the survey now loads OK.

I really think that Ajax is an advanced feature that should be turned off by default and turned on by deliberate action only.

LouisGac

2018-06-18 11:20

developer   ~48202

The issue must be fixed.
Turning off the feature is not a way to fix it.

LouisGac

2018-06-18 11:21

developer   ~48203

https://www.limesurvey.org/forum/installation-a-update-issues/115573-survey-loops-round-to-start-without-confirming-completion

LouisGac

2018-06-18 11:38

developer   ~48204

https://www.limesurvey.org/forum/installation-a-update-issues/115575-commit-0f710b3-breaks-mantarory-questions-that-are-only-shown-via-em

riqcles

2018-06-21 11:08

reporter   ~48256

@Denis,
I tried but the plugins do not want to work, I'm looking for why.

DenisChenu

2018-06-21 12:09

developer   ~48260

Last edited: 2018-06-21 12:10

« turning off the feature is not a way to fix it. » Since this “feature” broke a lot of other features … maybe it's not a feature …

Currently: if a user has 3.X with a production survey, it's better if this “feature” is disabled.

And: sometimes some devs remove working features … without any reason …

riqcles

2018-06-21 17:23

reporter   ~48269

OK, sessionNameBySurvey-master: must remove "-master" and I have the plugin.

I try but still KO

riqcles

2018-06-28 11:04

reporter   ~48357

@tammo: can you try on IE11 (find on program: iexplore)?

Issue History

Date Modified Username Field Change
2018-06-13 10:08 riqcles New Issue
2018-06-13 10:08 riqcles File Added: CSRF_error_and_sendmail_LimeSurvey_V3.doc
2018-06-13 10:08 riqcles File Added: TEST_CSRF_limesurvey_survey_128689.lss
2018-06-13 11:35 DenisChenu Note Added: 48076
2018-06-13 11:43 DenisChenu Note Edited: 48076
2018-06-13 11:44 DenisChenu Note Edited: 48076
2018-06-13 20:58 asshank Note Added: 48102
2018-06-14 12:43 DenisChenu Note Added: 48108
2018-06-14 16:07 DenisChenu Note Added: 48113
2018-06-14 16:08 DenisChenu Note Edited: 48113
2018-06-15 17:47 DenisChenu Note Added: 48181
2018-06-15 23:36 tammo Note Added: 48190
2018-06-15 23:37 tammo Note Added: 48191
2018-06-16 10:40 DenisChenu Note Added: 48192
2018-06-16 17:20 DenisChenu Note Added: 48193
2018-06-16 17:22 DenisChenu File Added: Capture du 2018-06-16 17-21-46.png
2018-06-17 08:58 tammo Note Added: 48196
2018-06-18 11:18 LouisGac Assigned To => markusfluer
2018-06-18 11:18 LouisGac Status new => assigned
2018-06-18 11:20 LouisGac Note Added: 48202
2018-06-18 11:21 LouisGac Note Added: 48203
2018-06-18 11:38 LouisGac Note Added: 48204
2018-06-21 11:08 riqcles Note Added: 48256
2018-06-21 12:09 DenisChenu Note Added: 48260
2018-06-21 12:10 DenisChenu Note Edited: 48260
2018-06-21 17:23 riqcles Note Added: 48269
2018-06-28 11:04 riqcles Note Added: 48357
2019-09-05 15:07 markusfluer Status assigned => resolved
2019-09-05 15:07 markusfluer Resolution open => fixed
2019-09-05 15:07 markusfluer Fixed in Version => 3.17.x
2020-03-09 15:36 c_schmitz Status resolved => closed