
v10.0.44.9388: Login cookie changed + CSRF is dead!


If you wonder why you had to login on this website, it's because the login cookie has changed.

The cookie symmetric encryption salt key was not random enough, so now it uses an additional salt for uniqueness.

Also the cookies have changed with a SameSite parameter.
This is a new feature for cookies that Chrome 66 and Firefox 60 support to prevent cookie hijacking by external code through CSRF.

There is a new class Poodle\HTTP\Cookie to support this cookie parameter as PHP < 7.3 does not support this feature.

Browsers that do not support the SameSite option are still vulnerable to CSRF.

And third: the cookie can have 2048-bit asymmetric encryption

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial

Last edited by DJ Maze on Thu May 03, 2018 1:27 am; edited 6 times in total
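The post above says the login cookie now carries a SameSite attribute and that a helper class is needed because setcookie() on PHP < 7.3 cannot emit it. The following is an added example, not the Poodle\HTTP\Cookie class from Dragonfly and not code from the thread: it builds the Set-Cookie header by hand on older PHP and falls back to the options-array form of setcookie() on 7.3+. The function names, the option keys, the `dfmember` value and the `.example.org` domain are assumptions or constructed placeholders.

```php
<?php
// Added example (not Dragonfly's Poodle\HTTP\Cookie): emit a Set-Cookie header
// with a SameSite attribute on PHP < 7.3, where setcookie() has no such option.
// Function and option names are hypothetical.

function build_set_cookie_header(string $name, string $value, array $opts = []): string
{
    $opts += [
        'expires'  => 0,       // unix timestamp; 0 = session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',   // Lax, Strict or None
    ];
    $samesite = ucfirst(strtolower($opts['samesite']));
    if (!in_array($samesite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Unknown SameSite value: {$opts['samesite']}");
    }
    // Browsers drop SameSite=None cookies that are not also marked Secure.
    if ($samesite === 'None' && !$opts['secure']) {
        throw new InvalidArgumentException('SameSite=None requires the Secure flag');
    }
    // Cookie names are RFC 6265 tokens: no control characters or separators.
    if ($name === '' || preg_match('/[\x00-\x20()<>@,;:\\\\"\/\[\]?={}]/', $name)) {
        throw new InvalidArgumentException('Invalid cookie name');
    }

    $parts = [$name . '=' . rawurlencode($value)];
    if ($opts['expires'] > 0) {
        $parts[] = 'Expires=' . gmdate('D, d-M-Y H:i:s T', $opts['expires']);
        $parts[] = 'Max-Age=' . max(0, $opts['expires'] - time());
    }
    if ($opts['path'] !== '')   { $parts[] = 'Path=' . $opts['path']; }
    if ($opts['domain'] !== '') { $parts[] = 'Domain=' . $opts['domain']; }
    if ($opts['secure'])        { $parts[] = 'Secure'; }
    if ($opts['httponly'])      { $parts[] = 'HttpOnly'; }
    $parts[] = 'SameSite=' . $samesite;

    return 'Set-Cookie: ' . implode('; ', $parts);
}

function send_cookie(string $name, string $value, array $opts = []): void
{
    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+ accepts an options array that includes 'samesite'.
        setcookie($name, $value, $opts);
        return;
    }
    // Older PHP: write the raw header. The second argument (false) keeps any
    // Set-Cookie headers already queued for this response instead of replacing them.
    header(build_set_cookie_header($name, $value, $opts), false);
}

// Usage: a login cookie the browser will not attach to cross-site POSTs,
// which is the CSRF mitigation the release note describes.
send_cookie('dfmember', 'constructed-opaque-token', [
    'expires'  => time() + 86400 * 30,
    'domain'   => '.example.org',   // placeholder domain
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
```

Lax is the usual choice for a login cookie: top-level navigations to the site still carry it, while cross-site form posts and fetches do not. As the post notes, a browser that does not understand the attribute simply ignores it, so SameSite complements rather than replaces a per-request CSRF token.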


I've figured out a way to do the same for session cookies.
Will be soon available as well.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


Should this be causing people to be logged out all the time? Or is it just meant to secure the cookie properly?

On this site and my own, I have to log in pretty much every time I visit the site.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):


Strange, I don't have that problem.
I have an almost static IP and the cookie says:
Content: iWXiNZtjTj7.N7XJJm0UnsWYMY0A8J1VhjYoJ8N1_g0EaLSkxomQ5W5h9syQv7kXM-VTHuiTXfFV Domain: .dragonflycms.org Path: / Send for: Encrypted connections only Expires: October 31, 2018, 7:42:57 PM GMT+1
Could you check yours? (don't post the real "content" of the cookie)

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


I have 3 cookies related to this site:

DF-XXXXXXXXXX
PoodleTimezone
dfmember

I assume it's the dfmember cookie?



Other users on my site are having the same issue.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):

Last edited by hybrid on Mon May 07, 2018 12:40 pm; edited 1 time in total


I've noticed a "domain" bug also in your website cookies.
Could you:
  1. install Dragonfly 10.0.46.9404
  2. clear in your browser the website cookies OR
    1. rename the cookie in Admin => Members => Authentication
    2. login as user
  3. close browser
  4. open browser
Does that fix the issue?

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial

Last edited by DJ Maze on Mon May 07, 2018 4:51 pm; edited 3 times in total


I have just updated and re-named the cookie.
Wanted to avoid having to delete cookies as I would have to explain how to do that to all the users.

Let's see if that's helped.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):


The update seems to have fixed the issue, thanks.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):


I'm getting CSRF errors now.

CSRF security failed. Are cookies enabled?


This is happening on desktop and mobile. Multiple browsers (Chrome and Firefox).

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
