Support ⇒ Dragonfly CMS v10 ⇒ v10.0.44.9388: Login cookie changed + CSRF is dead! (page 2) ⇒ Community Forums ⇒ CPG Dragonfly™ CMS
Forum IndexDragonfly CMS v10

v10.0.44.9388: Login cookie changed + CSRF is dead! Reply to topic


I think I will wait before updating - my users would not handle cookie issues and errors like that very well. I'd go mad trying to assist them LOL.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
[ Linux / Apache 2.2.8 / MySQL 5.0.45 / PHP 5.2.6 / CPG 8.2b - 9.3.4.1]


DJ Maze wrote
I might know where your problem is.
Need to check the source if "session" is IP bound or not.

Yep, found it. The session cookie name used a crc32 of the IP 😬
I've removed it so that people with dynamic IP's can use the site.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


My IP isn't dynamic, but I do log on from different computers.
My CSRF error is there again. The only way I seem to be able to get rid of it is to close the browser and re-open. It then makes me log in again and I can post.

What I don't understand is why it doesn't happen here if the sites are supposed to be the same.

Edit: I've updated to the latest code, so will see if that makes any difference.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):

Last edited by hybrid on Mon Jun 25, 2018 1:36 am; edited 1 time in total


Ok, this time it didn't ask me to log in again after closing the browser, and the CSRF issue is still there.
I will delete cookies again.

Ok, after deleting cookies I'm made to log in again. I log in from the userinfo block and get the message:
"Please enable cookies to post on this site. If you feel that you have reached this message in error please go back to the preceding page and post again"

I hit the back link, log in again and it works.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):

Last edited by hybrid on Mon Jun 25, 2018 1:41 am; edited 1 time in total


hybrid, you have mixed content on your website. It is loading https and http content.
Since the cookies are https restricted your browser might destroy or doesn't send them.
You also might have two DFSESSID cookies (1 http and 1 https).

Maybe that is causing issues?

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


The only http content should be content that I can't control, such as external images loading on the forum.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):

Last edited by hybrid on Tue Jun 26, 2018 7:43 am; edited 1 time in total


Ah you are using Chrome.

It's strange that you have two session cookies: DFSESSID and PHPSESSID.
I also notice bid0_(ContentHash/ContentMenu) cookies which are not from Dragonfly CMS.

Are you accidentally using some-sort of proxy?

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


PHPSESSID could be from either phpmyadmin or my tracking page.
Maybe I should move the cookie to /mustrack instead of /

After clearing my cookies and logging in to the main page and admin, the site has created these cookies:

DFSESSID
PoodleTimezone
bid0_ContentHash
bid0_ContentMenu
m_admin
m_login

I will try and find where those bid0 cookies are being generated.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):


Ok I have moved some cookies around.
I think those bid0_Content cookies are coming from the Content Block?

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):


DJ Maze wrote
DJ Maze wrote
I might know where your problem is.
Need to check the source if "session" is IP bound or not.

Yep, found it. The session cookie name used a crc32 of the IP 😬
I've removed it so that people with dynamic IP's can use the site.


Did you do that just on this site, or in the bucket as well?
If just here, how did you do it?

My users are getting noisy. Is there a way to revert to how it was previously?
I'm not protecting banking details here, just a forum, so I don't need A Grade cookie security.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):


hybrid wrote
I think those bid0_Content cookies are coming from the Content Block?

Not any Content block i know of.
I also don't see a Content block on your website.

hybrid wrote
My users are getting noisy. Is there a way to revert to how it was previously?
I'm not protecting banking details here, just a forum, so I don't need A Grade cookie security.

I understand you don't need A Grade, but something is wrong else it wouldn't fail.

For sessions: open /includes/dragonfly/session/session.php
if (PHP_VERSION_ID < 70300) { $p = session_get_cookie_params(); $p['samesite'] = 'Strict'; // header(\Poodle\HTTP\Cookie::getAsHeader(session_name(), session_id(), $p['lifetime'], $p)); }

Loosen cookies whole website: /includes/poodle/http/cookie.php
if (!empty($options['secure'])) { // $parms[] = 'Secure'; } if (!empty($options['httponly'])) { // $parms[] = 'HttpOnly'; } if (!empty($options['samesite'])) { // $parms[] = 'SameSite='.$options['samesite']; } return 'Set-Cookie: '.implode('; ', $parms);
Keep in mind to enable them one by one again when it works. Then we know which param has issues on your website.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


Content module is called Tech Zone. Block is top right. It is definitely coming from DF.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):


DJ Maze wrote

I understand you don't need A Grade, but something is wrong else it wouldn't fail.


But what? It was working perfectly before this cookie change.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):


hybrid wrote
Content module is called Tech Zone. Block is top right. It is definitely coming from DF.


Confirmed that the cookies are coming from blocks/block-Content_Menu.php
Having said that, other cookies should not affect DF's login cookie unless they use the same name, surely.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):


Did you try modifying /includes/poodle/http/cookie.php like i said above?

That is the cookie change to make it more secure.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial

All times are UTC


Jump to: