View Issue Details

This bug affects 1 person(s). Bug heat: 254

ID: 19292
Project: Bug reports
Category: Security
View Status: public
Last Update: 2023-11-30 01:39
Reporter: ndespujol
Assigned To: DenisChenu
Priority: none
Severity: partial_block
Status: closed
Resolution: no change required
Product Version: 5.6.x
Summary: 19292: The CSRF token could not be verified error with Chrome and Edge when embedding a survey in an external domain
Description

When embedding a survey in a different domain (as an example one from encuestapre.upv.es in edx.org) and accessing it with Chrome or Edge, the first page of the survey is shown, but when you click the continue button you get a "The CSRF token could not be verified" error. This does not happen with Firefox.

In the server's config.php the following lines are already added:

'session' => array(
    'sessionName' => 'LS-XPNKDNNZCZVWLVVJA',
    'cookieParams' => array(
        'secure' => true,
        'httponly' => true,
        'sameSite' => 'None',
    ),
),

'request' => array(
    'enableCsrfValidation' => true,
    'csrfCookie' => array(
        'sameSite' => 'None',
        'secure' => true,
    ),
),

I have checked with the debugger of the browsers that the cookies LS-XPNKDNNZCZVWLVVJA and YII_CSRF_TOKEN are loaded in Firefox and not loaded in Chrome or Edge when the survey is embedded.

If I load the survey (https://encuesta.upv.es/index.php/185391?token=2735133&newtest=Y) directly in Chrome and Edge I can see that both cookies are loaded and that the SameSite attribute is not set.

If I change the lines 'sameSite' => 'None', to 'SameSite' => 'None', in the config.php file I get a 500 error in the embedded surveys: "An exception has been thrown during the rendering of a template ("La propiedad "CHttpCookie"."SameSite" no se encuentra definida.")." But I can see that the two cookies are loaded in both browsers (still with the property SameSite not set). If I load the survey directly in Chrome and Edge I don't get the error, and the SameSite property is still not set.

I think that there is an error in the name of the property and that if it is called SameSite instead of sameSite the embedding will work properly in all browsers.

Steps To Reproduce

Embed https://encuesta.upv.es/index.php/185391?token=2735133&newtest=Y, or any other survey with several pages from a server with 'enableCsrfValidation'=>true, in a different domain and try to advance to the second page in Chrome or Edge.

Expected result

You should advance to the second page

Actual result

You get a "The CSRF token could not be verified" error
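As an added example (not part of this report and not LimeSurvey or Yii code), a small Python checker that applies the Chrome/Edge rules this report runs into to captured Set-Cookie headers: a cookie with no SameSite attribute is treated as Lax and therefore not sent with the cross-site POST from the embedded survey, and SameSite=None is only honoured together with Secure. The cookie names are the two named in the report; the header values are constructed.

```python
"""Classify Set-Cookie headers by whether Chrome/Edge will send the cookie back
from a page embedded in a cross-site iframe (constructed example)."""
from dataclasses import dataclass

@dataclass
class CookieCheck:
    name: str
    ok: bool
    reason: str

def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def check_cross_site(header: str) -> CookieCheck:
    """Apply the rules a cross-site embedded survey depends on."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        if "secure" not in attrs:
            # Chrome/Edge reject SameSite=None cookies that are not also Secure.
            return CookieCheck(name, False, "SameSite=None without Secure is rejected")
        return CookieCheck(name, True, "SameSite=None; Secure")
    if samesite in ("lax", "strict"):
        return CookieCheck(name, False, f"SameSite={samesite} is not sent cross-site")
    # Missing (or unrecognised) SameSite is treated as Lax, so the session and
    # CSRF cookies are absent from the POST issued by the survey's Next button.
    return CookieCheck(name, False, "no SameSite attribute (defaults to Lax)")

# Constructed headers; the cookie names are the two named in the report.
SAMPLE_HEADERS = [
    "LS-XPNKDNNZCZVWLVVJA=s3ss10n; Path=/; Secure; HttpOnly",  # as observed: no SameSite
    "YII_CSRF_TOKEN=t0k3n; Path=/; Secure",  # as observed: no SameSite
    "YII_CSRF_TOKEN=t0k3n; Path=/; samesite=None; Secure",  # pre-7.3 path workaround output
    "LS-XPNKDNNZCZVWLVVJA=s3ss10n; Path=/; SameSite=None; HttpOnly",  # None without Secure
]

def report(headers=SAMPLE_HEADERS):
    return [check_cross_site(h) for h in headers]
```

Feed it the Set-Cookie lines copied from the browser's network panel for a direct load of the survey, as the reporter did, to see which cookie will be dropped in the iframe.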

Tags: No tags attached.
Bug heat: 254
Complete LimeSurvey version number (& build): Version 5.6.38+230919
I will donate to the project if issue is resolved: No
Browser: Chrome, Edge
Database type & version: mysql Ver 15.1 Distrib 10.3.39-MariaDB, for Linux (x86_64) using readline 5.1
Server OS (if known): Rocky Linux release 8.9 (Green Obsidian)
Webserver software & version (if known): Apache/2.4.37 (rocky) Server built: Aug 17 2023 23:57:25
PHP Version: PHP 7.2.24 (cli) (built: Oct 22 2019 08:28:36)


Activities

DenisChenu (developer), 2023-11-29 15:24, note ~78803 (last edited: 2023-11-29 15:29)

It's not a working warranty: forum only (I put a warning in the manual in some minutes).

Else: https://www.sondages.pro/iframe/
tested in Chrome (broken if you disable external cookies)
tested on Edge

Case of each samesite is different: https://manual.limesurvey.org/Optional_settings#Allow_usage_of_session_and_Csrf_Validation_in_iFrame_.28New_in_3.24.3_.29

'samesite' => 'None', for cookieParams
'SameSite' => 'None', for csrf

ndespujol (reporter), 2023-11-30 01:39, note ~78814

Thank you very much; in my case it still didn't work because we have PHP version 7.2.4, and the Session cookie got the samesite value set to None but the csrf token didn't.

After comparing the two files, I have seen that in the CHttpSession.php there is a workaround incorporated for older versions of php that is not incorporated in CHttpRequest.php. I have added the same workaround to CHttpRequest.php and now it works ok.

The workaround is in the addCookie function, and the modified function code is:

protected function addCookie($cookie)
{
    $value=$cookie->value;
    if($this->_request->enableCookieValidation)
        $value=Yii::app()->getSecurityManager()->hashData(serialize($value));
    if(version_compare(PHP_VERSION,'7.3.0','>='))
        // PHP >= 7.3: setcookie() takes an options array that carries 'samesite'
        setcookie($cookie->name,$value,$this->getCookieOptions($cookie));
    elseif(version_compare(PHP_VERSION,'5.2.0','>='))
    {
        // Work around for setting sameSite cookie prior PHP 7.3
        // https://stackoverflow.com/questions/39750906/php-setcookie-samesite-strict/46971326#46971326
        // Added by ndespujol
        // The attribute is appended to the path argument, so the Set-Cookie
        // header PHP emits ends up as "path=/; samesite=None".
        $pathcookie=$cookie->path.'; samesite='.$cookie->sameSite;
        setcookie($cookie->name,$value,$cookie->expire,$pathcookie,$cookie->domain,$cookie->secure,$cookie->httpOnly);
    }
    else
        setcookie($cookie->name,$value,$cookie->expire,$cookie->path,$cookie->domain,$cookie->secure);
}

This same function is also included in yiilite.php, but I have not seen any impact from changing it, so I assume this file is not used in LimeSurvey.

I have also discovered that both the Session and the Request samesite attributes could be normalized to the same "samesite" by changing the

public $sameSite=self::SAME_SITE_LAX;

to

public $samesite=self::SAME_SITE_LAX;

in the CHttpCookie.php file.

That would also require changing the corresponding parameter name in the GetCookieOptions function at the end of the file CHttpRequest.php (the same holds for yiilite.php).

Issue History

Date Modified Username Field Change
2023-11-29 13:03 ndespujol New Issue
2023-11-29 15:24 DenisChenu Note Added: 78803
2023-11-29 15:24 DenisChenu Bug heat 250 => 252
2023-11-29 15:24 DenisChenu Assigned To => DenisChenu
2023-11-29 15:24 DenisChenu Status new => closed
2023-11-29 15:24 DenisChenu Resolution open => no change required
2023-11-29 15:29 DenisChenu Note Edited: 78803
2023-11-30 01:39 ndespujol Note Added: 78814
2023-11-30 01:39 ndespujol Bug heat 252 => 254