Urgent CSRF issue #11364
Replies: 3 comments
-
I'm using Play 2.8 and I don't use SecureSocial so I won't be of much help, but I can provide a few sanity checks:
Best of luck!
-
@risenhoover To be honest, since we don't support Play 2.7.x anymore, I highly recommend upgrading to the latest Play 2.8.x, as our resources are limited right now and we don't have time to look into the 2.7.x code base anymore. As far as I remember there have been CSRF fixes that made it into 2.8.x, so your problem might already be fixed.
-
This happens for many reasons.
Basically, this problem happens for these reasons, as I saw.
-
Play Framework 2.7.9 -> As of three days ago, we started getting reports of people not being able to login, even if they present valid credentials. Upon investigation, they were getting the gray "unauthorized" page provided by the Framework. This happens with various people but others are able to login without issues. We use SecureSocial for authentication and authorization.
The log reports the following message: "[warn] - play.filters.CSRF - [CSRF] Check failed because no token found in headers for /auth/authenticate/userpass"
Additionally, if we open a private window, we can reproduce this error ad infinitum - it's never possible to login and get past the CSRF check and failure. We are also able to see this same issue on other forms protected by CSRF token, in particular our payment page :(.
I have verified that the login page does in fact have a CSRF token in the form, and it is being submitted properly. What is strange is that if you look at the message and the source (https://github.com/playframework/playframework/blob/d8ebf7cbdb8d360ee499333cc853de708a9eac49/web/play-filters-helpers/src/main/scala/play/filters/csrf/CSRFActions.scala), it says "NO TOKEN FOUND" - so somewhere somehow this token is getting lost in transit.
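A simplified model of a form-based CSRF check, added here as an illustration and not Play's own code (the header name `Csrf-Token`, the field name `csrfToken`, the message strings and the request data are assumptions constructed for the model). It shows the three places such a filter typically looks for the submitted token and why "no token found" is a different failure from "token mismatch": in this model the same form body that passes when sent as `application/x-www-form-urlencoded` is reported as "no token found" when the request arrives with a Content-Type the filter does not parse, which is one way a token that is visibly present in the form can be lost between the browser and the check.

```python
"""Simplified double-submit CSRF check (illustration only, not Play's code).

The filter compares a token carried by the request with the token stored in
the session. The request token is searched for, in order, in a header, in the
query string, and in the form body; the body is only parsed when it is
URL-encoded. All names and messages below are assumptions for this model.
"""
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

HEADER_NAME = "Csrf-Token"   # assumed header name
FIELD_NAME = "csrfToken"     # assumed form-field / query-parameter name


def extract_submitted_token(headers: Dict[str, str], query_string: str,
                            body: str, content_type: str) -> Optional[str]:
    """Return the token the client submitted, or None if none is found."""
    # 1. Header lookup is case-insensitive, as HTTP header names are.
    for name, value in headers.items():
        if name.lower() == HEADER_NAME.lower():
            return value
    # 2. Query-string parameter.
    query = parse_qs(query_string)
    if FIELD_NAME in query:
        return query[FIELD_NAME][0]
    # 3. Form body, but only when it is a URL-encoded form the filter can parse.
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        fields = parse_qs(body)
        if FIELD_NAME in fields:
            return fields[FIELD_NAME][0]
    return None


def check_csrf(session_token: Optional[str], headers: Dict[str, str],
               query_string: str, body: str, content_type: str) -> Tuple[bool, str]:
    """Validate the request; returns (ok, reason) with a distinct reason per failure."""
    submitted = extract_submitted_token(headers, query_string, body, content_type)
    if submitted is None:
        return False, "no token found in headers"
    if session_token is None:
        return False, "no token found in session"
    # Constant-time comparison so the check itself does not leak token bytes.
    if not hmac.compare_digest(submitted, session_token):
        return False, "token mismatch"
    return True, "ok"


# Constructed sample data: a login form carrying the same token as the session.
SESSION_TOKEN = "f3a9c1e2d4b5"
LOGIN_BODY = f"username=alice&password=secret&{FIELD_NAME}={SESSION_TOKEN}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the model over four request shapes and return each outcome."""
    return {
        "form_urlencoded": check_csrf(SESSION_TOKEN, {}, "", LOGIN_BODY,
                                      "application/x-www-form-urlencoded; charset=utf-8"),
        # Same body, but a Content-Type the filter does not parse: the token is
        # present on the wire yet reported as missing.
        "form_unparsed_type": check_csrf(SESSION_TOKEN, {}, "", LOGIN_BODY, "text/plain"),
        "header_mismatch": check_csrf(SESSION_TOKEN, {"csrf-token": "000000000000"}, "", "", ""),
        # Fresh session (e.g. no session cookie sent): nothing to compare against.
        "no_session": check_csrf(None, {HEADER_NAME: SESSION_TOKEN}, "", "", ""),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:20s} ok={ok} reason={reason}")
```

When diagnosing a log line like the one in the post, the useful first distinction is which of these reasons the filter actually hit: a mismatch points at the session or cookie side, while "no token found" points at the request not carrying the token in any place the filter reads, for instance because of the Content-Type or because the field name differs from what the filter expects.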