Unable To Verify Your Data Submission

cluwong opened this issue May 18, 2018 · 25 comments

samdark added the status:need more info label May 20, 2018


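// layouts/main.php

$js = <<<JS
(function() {
    // Wrap XMLHttpRequest.prototype.send so that every XHR carries the CSRF token
    // read from the csrf-token meta tag (this includes cross-origin requests).
    var send = XMLHttpRequest.prototype.send,
        token = document.getElementsByTagName('meta')['csrf-token'].content;
    XMLHttpRequest.prototype.send = function() {
        this.setRequestHeader('X-CSRF-Token', token);
        return send.apply(this, arguments);
    };
}());
JS;
// Register the script in the <head> section of the layout.
$this->registerJs($js, \yii\web\View::POS_HEAD);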





samdark added the type:bug label Jun 17, 2018

samdark added this to the 2.0.17 milestone Jun 17, 2018

samdark removed the status:need more info label Jun 17, 2018


'user' => [
    'class' => 'common\components\SsoUser',
    'identityClass' => 'common\models\User',
    'enableAutoLogin' => true,
    'enableSession' => true,
    'identityCookie' => [
        'name' => '_identity',
        'httpOnly' => true,
        'domain' => '.xxxx.com',
    ],
],
'session' => [
    'name' => 'session-frontend',
    'cookieParams' => [
        'domain' => '.xxxx.com',
        'httpOnly' => true,
    ],
],






samdark removed this from the 2.0.17 milestone Mar 20, 2019

samdark mentioned this issue Sep 24, 2020

samdark mentioned this issue Feb 12, 2021





Posting a form or post a link where data-method="POST"
yii\web\BadRequestHttpException: Unable to verify your data submission. in /var/www/my.uhub.biz/vendor/yiisoft/yii2/web/Controller.php:166
Not sure if this is related to a previously submitted issue ( #15783 ) or it's new. Since that issue was fixed and the project was updated to V2.0.15.1, I still get this error sometimes. The problem is it's not always reproducible and it's hard to pinpoint the problem.
I have checked data in cookies, sessions and post and can't spot anything. Let me know if you need more info or what else to check.
The csrf token is different for the environments, could you confirm that the csrf cookie is not shared between those domains?
The csrf cookie is not shared. It's stored in the subdomain.
You share sessions right? Could it be that one site is updating the csrf in the session, thereby invalidating the value for the other domain? (I don't remember if csrf uses the session)
Thanks for posting in our issue tracker.
In order to properly assist you, we need additional information:
This is an automated comment, triggered by adding the label status:need more info .
I went back to V2.0.13.3 and tested, I don't see this problem - don't get the random 'Unable to verify your data submission error', and tested switched between posting data in dev and prod site, no problem.
V2.0.14.2 and V2.0.15.1 gets random error. Switching site also gets the error.
The switch site problem can be reproduced: simply display a form with single field, and post the form. Then go to the other site and go to the same form, you get the error, then reload the form and post again, the data is posted (only quite rarely the form can't be posted.)
But for the random problem that happens within the same site, it's very random, sometimes the form can't be posted no matter how many times you reload it, then suddenly it's posted.
I have compared session and cookies for V2.0.15 and V2.0.13 but can't spot what's wrong, unless it's hidden behind the random generated strings.
If more info required, can you point me towards the right direction what to look for?
It seems the previous ticket ( #15783 ) is not entirely fixed. There must be some change to V2.0.14 causing this.
Do you know what's the reason of Unable to verify your data submission somehow via debugging?
I am experiencing similar issue which occurs right after I logout and instantly try to login back - I also get Unable to verify submission data . It seems that cookie CSRF token won't get refreshed after user identity renewal, but I have to investigate more to confirm.
Not sure if it is related... I find that this issue occurs for AJAX Requests on latest jQuery releases like 3.2.x. Probably the $.ajaxPrefilter used by yii.js does not seem to be executed properly - as the X-CSRF-TOKEN does not seem to be passed with the ajax request headers.
I included this JS hack (without any jquery dependency) on my main layout view file to get the ajax requests properly send the X-CSRF-TOKEN and avoid the 400 submission error.
I think I've found the root of the problem but don't know how to fix it.
Since V2.0.14, csrf token is regenerated in login() function, hence I'm getting this problem since this version.
As mentioned both are in subdomain and uses SSO login. When site A is loaded, the identity cookie for Site B is lost (it's still in $_COOKIE but not in Yii::$app->request->cookies) and vice versa - hence it tries to login again and got a new csrf token, which results in 'Unable to verify your data submission' error when posting the data.
In this particular test scenario, one site is dev and one site is prod hence the configs are the same.
In SsoUser.php, which extends yii\web\User, I have extended login() and set the default duration to 3600. How come the cookie didn't persist but lost? Is it a bug or something wrong with my config?
How come the cookie didn't persist but lost?
Session cookie is meant to expire. You need "remember me" in order to keep logged in state. Chrome does weird things with persisting cookies but it's even against RFCs. But that's not your case.
When site A is loaded, the identity cookie for Site B is lost (it's still in $_COOKIE but not in Yii::$app->request->cookies) and vice versa
That means that A uses same cookie name as B and overwrites it. You need to separate these cookies via config.
Isn't setting the duration in login() = remember me?
I have a different Yii2 project under different subdomain, with different cookie names is causing the same issue.
I did a test on my dev and prod site. Display a page which displays the content of Yii::$app->request->cookies. Changed cookie names for csrf, identity and session with suffix '-dev' for the dev site.
Open chrome. Clear all cookies. Open a tab to the login site to login.
Open a new tab to go to dev site and to the cookies page. On first load, no identity cookie. On subsequent reloads, identity cookie is displayed.
Open another tab to go to prod site, display any pages.
Go back to the dev tab. Reload. Identity cookie is lost. Reload, it's back, and continue be there until I reload the page in prod tab.
Now they have different cookie names. Overwrite shouldn't happen here?
Facing same issue "Не удалось проверить переданные данные."
Although, in logs I can see that both CSRF cookie and CSRF Header have been sent by user
I think that this may happen due to session expiration.
User's session is expired, he relogins on one page, but other page is cached in browser and contains old session data.
Then user have invalid csrf token on cached page
@cluwong no, it should not. That's super-weird. Am I right that these two website are totally not connected? Separate databases, separate domains (not sub-domains of same domain), separate session storage?
@samdark Would it not be better to revert the commit which caused these issues (csrf token is regenerated in login() function), until better solution found? Already confirmed by multiple users ...
Sorry my bad. I forgot to run the console command to apply the changes and wasn't paying attention to the cookie names. Identity cookie persists when switching between sites when they have different names.
I thought with SSO, by setting the domain, the cookie is available for all subdomains, hence the same cookie name was used so they have the same identity info shared by the subdomains.
So with cookie names, should all 3 cookies have different names? (Although my tests show that only identity cookie needs to be different to prevent this error). Will there be any adverse hidden effects if csrf and session cookies are the same?
Perhaps docs should also be updated about different cookie names too.
If you want no interference — yes. They all should have different names. You may want these to have same cookies if your intent is to be authenticated at subdomains automatically.
I think that this may happen due to session expiration.
User's session is expired, he relogins on one page, but other page is cached in browser and contains old session data.
Then user have invalid csrf token on cached page
I confirm this type of problem. Typical scenario:
@DmLapin It's a side effect of fixing security issue .
Were able to reproduce his case as a user.
It's XMLHttpRequest on a particular page.
Welp, in my case, I was using PageCache which was caching a csrf value..
Oddly enough, I never experienced the problem on my end, with pages not cached by me.
Disabled the cache and waiting for more logs to confirm that I'm a 🤡
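
A variant of the XMLHttpRequest layout workaround posted in this thread, added here as an example (not code from the thread or from yii.js): it attaches X-CSRF-Token only to same-origin, state-changing requests, so the token is not sent to other hosts. `installCsrfHeader`, `isSameOrigin` and their parameters are hypothetical names; the `csrf-token` meta tag is the one the original snippet reads.

```javascript
// Added example; installCsrfHeader and isSameOrigin are hypothetical names.
const SAFE_METHODS = /^(GET|HEAD|OPTIONS)$/i; // Yii skips CSRF checks for these

function isSameOrigin(url, pageOrigin) {
  try {
    // Relative URLs resolve against the page's own origin.
    return new URL(url, pageOrigin).origin === pageOrigin;
  } catch (e) {
    return false; // unparsable URL: never attach the token
  }
}

function installCsrfHeader(XhrClass, pageOrigin, getToken) {
  const proto = XhrClass.prototype;
  const origOpen = proto.open;
  const origSend = proto.send;

  proto.open = function (method, url) {
    // Decide per request, at the point where the target URL is known.
    this._csrfWanted =
      !SAFE_METHODS.test(String(method)) && isSameOrigin(String(url), pageOrigin);
    return origOpen.apply(this, arguments);
  };

  proto.send = function () {
    // Read the token at send time, not once at page load.
    const token = this._csrfWanted ? getToken() : '';
    if (token) {
      this.setRequestHeader('X-CSRF-Token', token);
    }
    return origSend.apply(this, arguments);
  };
}

// Browser wiring; assumes the layout emits <meta name="csrf-token">.
if (typeof window !== 'undefined' && typeof XMLHttpRequest !== 'undefined') {
  installCsrfHeader(XMLHttpRequest, window.location.origin, function () {
    const meta = document.querySelector('meta[name="csrf-token"]');
    return meta ? meta.content : '';
  });
}
```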


mbman opened this issue Jul 28, 2014 · 49 comments

samdark added type:bug labels Jul 28, 2014

samdark added this to the 2.0 RC milestone Jul 28, 2014

cebe removed this from the 2.0 RC milestone Jul 28, 2014

cebe reopened this Jul 28, 2014

cebe added this to the 2.0 RC milestone Jul 29, 2014

qiangxue mentioned this issue Jul 29, 2014

samdark added severity:important and removed status:to be verified labels Jul 29, 2014

samdark assigned samdark and unassigned samdark Jul 29, 2014

samdark self-assigned this Jul 29, 2014


array (size=3)
'_identity' => string 'a856387a22edee80aed59ef85fef670ba09878469941e9bb0c0f5f26f5ec1480s:46:"[1,"Ts3tQePZVtoNzS_EdKEV9Ofxn7RpQF6L",2592000]";' (length=118)
'PHPSESSID' => string 'eu82n5eds0pr95dpok77v7p200' (length=26)
'_csrf' => string '‚08ćĘŮ­PüśĹO�ŃŐâT�á�…†Bś�eµâ�? Fs:32:"UwXqTJ63PJlpJEk13QuvQ8ye-WM2LwCe";' (length=72)





$_POST = [
'_csrf' => 'MnhwRE13c0lKECIKD09HMGozBwx1Axh6Yyk7EQgTQD9TEyAjOx9GcQ=='
'Account' => [
'name' => '...'
'password' => '...'
'rememberMe' => '1'
]
]

$_COOKIE = [
'_csrf' => '4558ce18737862b0acc221aef149bd36b66d17c6bc1fd7b23b93d458d7126f34s:32:\"xhRNB84yXKwH8tk3QQKUEd3vakPgvh58\";'
]

$_SERVER = [
...
'HTTP_COOKIE' => '_csrf=4558ce18737862b0acc221aef149bd36b66d17c6bc1fd7b23b93d458d7126f34s%3A32%3A%22xhRNB84yXKwH8tk3QQKUEd3vakPgvh58%22%3B'
...
]


$_POST: NUMyTEo2ODRmDmcVA05CW010BC47QFV5YhBVE3ldSgdbOgIeLwFJeA==
$_COOKIE: 1fc0738c337cd4eddab5c35a9280dfacc7f73aea1fbf11d3f5453ccf61c2e5e4s:32:\"SMUYIxzox76bqvmMWSg_3kr3ny0Re7qL\";






samdark reopened this Jul 30, 2014

samdark mentioned this issue Jul 30, 2014

samdark closed this in 94dc27a Jul 30, 2014

Merge pull request #4524 from mbman/bugfix-4497

kartik-v mentioned this issue Oct 28, 2014


class View extends \yii\web\View
{
    public function endPage($ajaxMode = false)
    {
        \Yii::$app->getResponse()->sendCookies();
        parent::endPage($ajaxMode);
    }
}





yiisoft locked and limited conversation to collaborators Jan 18, 2015







Updated my advanced app to latest Yii using Composer some 12 hours ago (previous update was maybe a day earlier), and since then all forms stopped working.
It seems Yii can't validate the csrf cookie it generates.
I remember this error too after a composer update. It also went away as fast as it came. Could it be a cookie or browser cache reset
https://github.com/yiisoft/yii2/blob/master/framework/UPGRADE.md
Please update your main layout file by adding this line in the section: . This change is needed because yii\web\View no longer automatically generates CSRF meta tags due to issue #3358 .
Yes, I had to do it on a previous update and it worked until now. I've even cloned a fresh copy of the latest advanced app and the same thing happens.
Looks like you have to clear your cookies from the browser. Your data looks like the cookie CSRF tag has been generated by an old version of Security class.
Deleted the cookies, tried incognito window, other browser. Still the same.
okay, this is weird. Have you tried with the basic app contact form? Or which form did you use to reproduce it?
Frontend signup, login, backend login and contact - neither works.
Shouldn't it fail automated testing for issues like this?
It seems $this->getCookies()->getValue($this->csrfParam) in request is returning null, as if the cookies aren't passing yii's validation. They are present in raw $_COOKIE .
I am unable to reproduce it with neither basic nor advanced application here...
@mbman Will you be able to set a breakpoint in Security::validateData() and see why the validation fails? Or could you please paste your cookie value and the cookie validation key?
The issue seems to be storing binary data in cookie as @qiangxue noted .
In order to fix it we need to convert binary hash to string and then convert it back when reading. I think base64_encode and base64_decode should be OK for it.
Here you go:
'cookieValidationKey' => 'hl-1nd93H281efs',
I'll set the breakpoint and send the cookie data ASAP
$_COOKIE value at the breakpoint @samdark suggested:
key is sfjBvtU7vXsWLsiGfkHY75mIYsqLwATl
Your cookie is valid. Is your problem the same as @mbman 's?
pretty sure it is
I suppose that problem is not with code, problem is os-specific
I'm getting error on FPM PHP 5.4.4-14+deb7u12 (cli) (built: Jun 30 2014 18:42:58)
and don't on PHP Version 5.4.26 on windows
Updated the code to latest version, cleared cookies and the problem is still there.
Csrf values:
mb_substr with null length parameter return empty string
security.php in validateData function
$pureData always is empty string
@onepeopleprojects why length is 0?
Just merged another fix. Is it better now?
this patch also fixes a Codeception issue:
@dynasource are the issues mentioned in our or codeception trackers? If so, would you please give links so I'll close these?
none. It was an observation yesterday. I knew about this topic, so a composer update was worth a try (and it was). I just wanted to mention it for people searching.
I am suddenly getting the "Unable to verify your data submission" on a $.ajax() call that was working fine. I haven't changed the config or the $.ajax() call. I just ran a "composer update", and I cleared the cookies in my browser. If I set enableCsrfValidation to FALSE it works fine. I'm just getting my feet wet with Yii2 and composer. Thanks in advance for any suggestions on how to diagnose this.
I am getting the same error on a fresh update... need to check.
UPDATE: Confirm that the error occurs on the new update for ajax/post submissions. If I revert back my yiisoft/yii2 to older version it works.
Have same problem. Reinstall project but ajax-requests still returns 400 error
@MEGApixel23 do you send the _csrf token in the ajax request?
@mbman no, but it works on previous Yii2 version. I tried to send _csrf token and it works. So what I must rewrite all my ajax requests in whole project? May be there is another solution?
@MEGApixel23 just disable csrf validation in your ajax controller
Still happens on version 2.0.2. The cookie is not created on first request. I have a workaround: Extend View::endPage():
@gorellnet please open a new issue if there is a problem, this one is already closed for 2.0rc
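
An offline check of the `$_POST` / `$_COOKIE` dump posted in this thread, added here as an example for Node.js (not code from the thread or from Yii): it tests whether the masked form token and the `_csrf` cookie carry the same token. The two layouts described in the comments are assumptions inferred from that dump, and the function names are hypothetical.

```javascript
// Added example. Layout assumptions (inferred from the dump on this page):
//   cookie = 64 hex chars of hash + PHP-serialized string  s:<len>:"<token>";
//   POST   = base64( 8-byte mask || token XOR repeating mask )
const MASK_LENGTH = 8;

// Values copied from the dump in this thread.
const DUMP_POST = 'MnhwRE13c0lKECIKD09HMGozBwx1Axh6Yyk7EQgTQD9TEyAjOx9GcQ==';
const DUMP_COOKIE =
  '4558ce18737862b0acc221aef149bd36b66d17c6bc1fd7b23b93d458d7126f34' +
  's:32:\\"xhRNB84yXKwH8tk3QQKUEd3vakPgvh58\\";';

function parseSignedCookie(raw) {
  const value = raw.replace(/\\"/g, '"'); // the dump shows quotes escaped
  const m = /^([0-9a-f]{64})s:(\d+):"([\s\S]*)";$/.exec(value);
  if (!m) return null; // e.g. a raw binary hash: not the expected layout
  if (m[3].length !== Number(m[2])) return null; // serialized length mismatch
  return { hash: m[1], token: m[3] };
}

function unmaskToken(masked) {
  const bytes = Buffer.from(masked, 'base64');
  if (bytes.length <= MASK_LENGTH) return null; // too short to hold mask + token
  const mask = bytes.subarray(0, MASK_LENGTH);
  const body = bytes.subarray(MASK_LENGTH);
  const out = Buffer.alloc(body.length);
  for (let i = 0; i < body.length; i++) {
    out[i] = body[i] ^ mask[i % MASK_LENGTH];
  }
  return out.toString('latin1');
}

// True when the form field and the cookie carry the same underlying token.
function tokensAgree(postValue, cookieValue) {
  const cookie = parseSignedCookie(cookieValue);
  const posted = unmaskToken(postValue);
  if (cookie === null || posted === null) return false;
  return posted === cookie.token;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('posted token :', unmaskToken(DUMP_POST));
  console.log('tokens agree :', tokensAgree(DUMP_POST, DUMP_COOKIE));
}
```

For the values in the dump the two tokens agree, which leaves the cookie's hash validation as the step to inspect.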

https://github.com/yiisoft/yii2/issues/16295
https://github.com/yiisoft/yii2/issues/4497