CPG Dragonfly™ CMS Community Forums: Support ⇒ Dragonfly CMS v10

v10.0.44.9388: Login cookie changed + CSRF is dead!


If you wonder why you had to log in on this website, it's because the login cookie has changed.

The cookie symmetric encryption salt key was not random enough, so now it uses an additional salt for uniqueness.

Also the cookies are changed with a SameSite parameter.
This is a new feature for cookies that Chrome 66 and Firefox 60 support to prevent cookie hijacking by external code through CSRF.

There is a new class Poodle\HTTP\Cookie to support this cookie parameter as PHP < 7.3 does not support this feature.

Browsers that do not support the SameSite option are still vulnerable to CSRF.

And third: the cookie can have 2048-bit asymmetric encryption

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial

Last edited by DJ Maze on Sun Jun 24, 2018 1:50 pm; edited 7 times in total
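An added example of how a SameSite cookie can be emitted on PHP before 7.3, where setcookie() has no 'samesite' option and the attribute has to go into a raw Set-Cookie header. This is example code, not the Poodle\HTTP\Cookie class from the release; the function names, the cookie name use and the 30-day lifetime are assumptions:

```php
<?php
// Added example, not Dragonfly's Poodle\HTTP\Cookie class.
// setcookie() learned the 'samesite' option in PHP 7.3; on older releases the
// attribute has to be written into a raw Set-Cookie header, as below.
// Function names and the 30-day lifetime are assumptions for this example.

function build_set_cookie_header(string $name, string $value, array $opts = []): string
{
    $opts += [
        'expires'  => 0,      // Unix timestamp, 0 = session cookie
        'path'     => '/',
        'domain'   => '',     // empty = host-only cookie
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',  // Strict, Lax or None
    ];
    // Reject names that could smuggle extra attributes or a second header line.
    if ($name === '' || preg_match('/[=,; \t\r\n\013\014]/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    if (!in_array($opts['samesite'], ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException('invalid SameSite value');
    }
    // Browsers drop SameSite=None cookies that are not also Secure.
    if ($opts['samesite'] === 'None' && !$opts['secure']) {
        throw new InvalidArgumentException('SameSite=None requires Secure');
    }
    $header = $name . '=' . rawurlencode($value);
    if ($opts['expires'] > 0) {
        $header .= '; Expires=' . gmdate('D, d M Y H:i:s', $opts['expires']) . ' GMT';
        $header .= '; Max-Age=' . max(0, $opts['expires'] - time());
    }
    if ($opts['path'] !== '') {
        $header .= '; Path=' . $opts['path'];
    }
    if ($opts['domain'] !== '') {
        $header .= '; Domain=' . $opts['domain'];
    }
    if ($opts['secure']) {
        $header .= '; Secure';
    }
    if ($opts['httponly']) {
        $header .= '; HttpOnly';
    }
    return $header . '; SameSite=' . $opts['samesite'];
}

function send_cookie(string $name, string $value, array $opts = []): void
{
    // false: append, so Set-Cookie headers already queued for this response survive
    header('Set-Cookie: ' . build_set_cookie_header($name, $value, $opts), false);
}

// Usage: $token stands in for the encrypted login token. Lax keeps the user logged
// in when they arrive through a link from another site; Strict would drop the
// cookie on that first cross-site navigation.
$token = bin2hex(random_bytes(32));
send_cookie('dfmember', $token, ['expires' => time() + 30 * 86400]);
```

Two practical notes. SameSite only narrows which cross-site requests carry the cookie; as the post says, browsers without SameSite support are still exposed, so the server-side CSRF token check has to stay in place. And a cookie set with an explicit Domain and one set host-only are different cookies even with the same name and path, so a change of the Domain attribute leaves the old cookie behind and the browser sends both, which is why clearing cookies or renaming the cookie is the usual remedy for duplicates.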


I've figured out a way to do the same for session cookies.
Will be soon available as well.



Should this be causing people to be logged out all the time? Or is it just meant to secure the cookie properly?

On this site and my own, I have to log in pretty much every time I visit the site.



Strange, I don't have that problem.
I have an almost static IP and the cookie says:
Content: iWXiNZtjTj7.N7XJJm0UnsWYMY0A8J1VhjYoJ8N1_g0EaLSkxomQ5W5h9syQv7kXM-VTHuiTXfFV Domain: .dragonflycms.org Path: / Send for: Encrypted connections only Expires: October 31, 2018, 7:42:57 PM GMT+1
Could you check yours? (don't post the real "content" of the cookie)



I have 3 cookies related to this site:

DF-XXXXXXXXXX
PoodleTimezone
dfmember

I assume it's the dfmember cookie?



Other users on my site are having the same issue.


Last edited by hybrid on Mon May 07, 2018 12:40 pm; edited 1 time in total


I've noticed a "domain" bug also in your website cookies.
Could you:
  1. install Dragonfly 10.0.46.9404
  2. clear in your browser the website cookies OR
    1. rename the cookie in Admin => Members => Authentication
    2. login as user
  3. close browser
  4. open browser
Does that fix the issue?


Last edited by DJ Maze on Mon May 07, 2018 4:51 pm; edited 3 times in total


I have just updated and re-named the cookie.
Wanted to avoid having to delete cookies as I would have to explain how to do that to all the users.

Let's see if that's helped.



The update seems to have fixed the issue, thanks.



I'm getting CSRF errors now.

CSRF security failed. Are cookies enabled?


This is happening on desktop and mobile. Multiple browsers (Chrome and Firefox).



But not on this website so it might be a template issue?



Possibly, but still having to log in often here.
Which parts of the template have to do with that CSRF error?



hybrid wrote:
Possibly, but still having to log in often here.

I've disabled the cookie "IP Protection". It was turned on 🙈

hybrid wrote:
Which parts of the template have to do with that CSRF error?

Depends: does the login throw that error, or something else?

Also the logs at /?admin&op=log might tell you something, like:
PID Incorrect, was a6dc48595f9a9ae2f8436952f12520ab now:25235aa26fe8ef5cfbfbdda07e36cdf1
The PID is:
md5( substr($_SERVER['HTTP_USER_AGENT'], 0, strpos($_SERVER['HTTP_USER_AGENT'],')')) . json_encode(\Poodle\UserAgent::getInfo()) )
For your user agent this is:
  user agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
  hashed string: Mozilla/5.0 (Windows NT 10.0; Win64; x64{"name":"chrome","version":66,"bot":false,"engine":{"name":"webkit","version":537.36},"OS":{"name":"windows","version":10}}
  PID: 25235aa26fe8ef5cfbfbdda07e36cdf1
So I have no clue why you had a6dc48595f9a9ae2f8436952f12520ab

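An added example (not Dragonfly's code) that reproduces the PID formula quoted in the post above and shows what does and does not change it. \Poodle\UserAgent::getInfo() is replaced by ua_info(), an assumed stand-in that only understands Chrome on Windows and copies the key order and types of the JSON printed in the post; the second user agent is a constructed "same browser after an update":

```php
<?php
// Added example, not Dragonfly's code. ua_info() is a stand-in for
// \Poodle\UserAgent::getInfo() (an assumption): it only understands Chrome on
// Windows and mirrors the key order and types of the JSON printed in the post.

function ua_info(string $ua): array
{
    $num = function (string $s) {
        $v = (float) $s;
        return $v == floor($v) ? (int) $v : $v;   // "10.0" -> 10, "537.36" -> 537.36
    };
    $info = [
        'name'   => 'unknown', 'version' => 0, 'bot' => false,
        'engine' => ['name' => 'unknown', 'version' => 0],
        'OS'     => ['name' => 'unknown', 'version' => 0],
    ];
    if (preg_match('~Chrome/(\d+)~', $ua, $m)) {
        $info['name']    = 'chrome';
        $info['version'] = (int) $m[1];          // major version only
    }
    if (preg_match('~AppleWebKit/([\d.]+)~', $ua, $m)) {
        $info['engine'] = ['name' => 'webkit', 'version' => $num($m[1])];
    }
    if (preg_match('~Windows NT ([\d.]+)~', $ua, $m)) {
        $info['OS'] = ['name' => 'windows', 'version' => $num($m[1])];
    }
    return $info;
}

// The PID formula quoted in the post: everything before the first ')' of the
// user agent, followed by the JSON of the parsed info, hashed with md5.
function pid_for(string $ua): string
{
    $paren  = strpos($ua, ')');
    $prefix = $paren === false ? $ua : substr($ua, 0, $paren);  // no ')': whole UA (my choice)
    return md5($prefix . json_encode(ua_info($ua)));
}

// Constructed inputs: the user agent from the post, and the same browser after an update.
$chrome66 = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36';
$chrome67 = str_replace('Chrome/66.0.3359.139', 'Chrome/67.0.3396.62', $chrome66);

echo 'hashed string: ', substr($chrome66, 0, strpos($chrome66, ')')), json_encode(ua_info($chrome66)), "\n";
echo 'PID Chrome 66: ', pid_for($chrome66), "\n";
echo 'PID Chrome 67: ', pid_for($chrome67), "\n";
// The major version is part of the JSON, so a browser update yields a new PID and
// the stored one no longer matches. The client IP is not part of the formula.
var_dump(pid_for($chrome66) !== pid_for($chrome67));
```

For the post's user agent the stand-in produces the same hashed string the post prints, so the md5 should come out the same. Two things follow from the formula: a Wi-Fi to mobile-data switch does not touch it, because no IP address is hashed, while a browser update does, because the major version is, which forces a fresh login. Binding a session to the user agent is also weak as a defence, since anyone who has obtained the cookie can send the same User-Agent header with it.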


I'm still having cookie issues, particularly when I try to post to the forums.
Right now on my site I'm getting the CSRF error.

"CSRF security failed. Are cookies enabled?"

I don't see any errors in the log when I try to post.
I have other users who tell me they have to log in every time they switch from WiFi to mobile data - so I assume IP address changes. But IP Protection is disabled in my settings.



My cookies looked really strange. I seemed to have multiples of the same cookie for the website.
I've cleared them all out now, so will see how that goes.



I might know where your problem is.
Need to check the source if "session" is IP bound or not.



