Unable To Verify Your Data Submission

cluwong opened this issue
May 18, 2018
· 25 comments


















samdark added the status:need more info label May 20, 2018


// layouts/main.php

// Wrap XMLHttpRequest.send so every AJAX request carries the CSRF token from the <meta> tag
$js = <<<JS
(function() {
    var send = XMLHttpRequest.prototype.send,
        token = document.getElementsByTagName('meta')['csrf-token'].content;
    XMLHttpRequest.prototype.send = function() {
        this.setRequestHeader('X-CSRF-Token', token);
        return send.apply(this, arguments);
    };
}());
JS;
$this->registerJs($js, \yii\web\View::POS_HEAD);





samdark added the type:bug label Jun 17, 2018
samdark added this to the 2.0.17 milestone Jun 17, 2018
samdark removed the status:need more info label Jun 17, 2018


'user' => [
    'class' => 'common\components\SsoUser',
    'identityClass' => 'common\models\User',
    'enableAutoLogin' => true,
    'enableSession' => true,
    'identityCookie' => [
        'name' => '_identity',
        'httpOnly' => true,
        'domain' => '.xxxx.com',
    ],
],
'session' => [
    'name' => 'session-frontend',
    'cookieParams' => [
        'domain' => '.xxxx.com',
        'httpOnly' => true,
    ],
],


samdark removed this from the 2.0.17 milestone Mar 20, 2019
samdark mentioned this issue Sep 24, 2020
samdark mentioned this issue Feb 12, 2021






Posting a form or post a link where data-method="POST"
yii\web\BadRequestHttpException: Unable to verify your data submission. in /var/www/my.uhub.biz/vendor/yiisoft/yii2/web/Controller.php:166
Not sure if this is related to a previously submitted issue ( #15783 ) or it's new. Since that issue was fixed and the project was updated to V2.0.15.1, I still get this error sometimes. The problem is it's not always reproducible and it's hard to pinpoint the problem.
I have checked data in cookies, sessions and post and can't spot anything. Let me know if you need more info or what else to check.





The csrf token is different for the environments, could you confirm that the csrf cookie is not shared between those domains?
The csrf cookie is not shared. It's stored in the subdomain.
You share sessions right? Could it be that one site is updating the csrf in the session, thereby invalidating the value for the other domain? (I don't remember if csrf uses the session)
Thanks for posting in our issue tracker.
In order to properly assist you, we need additional information:
This is an automated comment, triggered by adding the label status:need more info .
I went back to V2.0.13.3 and tested, I don't see this problem - don't get the random 'Unable to verify your data submission error', and tested switched between posting data in dev and prod site, no problem.
V2.0.14.2 and V2.0.15.1 gets random error. Switching site also gets the error.
The switch site problem can be reproduced: simply display a form with single field, and post the form. Then go to the other site and go to the same form, you get the error, then reload the form and post again, the data is posted (only quite rarely the form can't be posted.)
But for the random problem that happens within the same site, it's very random, sometimes the form can't be posted no matter how many times you reload it, then suddenly it's posted.
I have compared session and cookies for V2.0.15 and V2.0.13 but can't spot what's wrong, unless it's hidden behind the randomly generated strings.
If more info required, can you point me towards the right direction what to look for?
It seems the previous ticket ( #15783 ) is not entirely fixed. There must be some change to V2.0.14 causing this.
Do you know what's the reason of Unable to verify your data submission somehow via debugging?
I am experiencing a similar issue which occurs right after I log out and instantly try to log back in - I also get Unable to verify submission data . It seems that the cookie CSRF token won't get refreshed after user identity renewal, but I have to investigate more to confirm.
Not sure if it is related... I find that this issue occurs for AJAX Requests on latest jQuery releases like 3.2.x. Probably the $.ajaxPrefilter used by yii.js does not seem to be executed properly - as the X-CSRF-TOKEN does not seem to be passed with the ajax request headers.
I included this JS hack (without any jquery dependency) on my main layout view file to get the ajax requests properly send the X-CSRF-TOKEN and avoid the 400 submission error.
I think I've found the root of the problem but don't know how to fix it.
Since V2.0.14, csrf token is regenerated in login() function, hence I'm getting this problem since this version.
As mentioned both are in subdomain and uses SSO login. When site A is loaded, the identity cookie for Site B is lost (it's still in $_COOKIE but not in Yii::$app->request->cookies) and vice versa - hence it tries to login again and got a new csrf token, which results in 'Unable to verify your data submission' error when posting the data.
In this particular test scenario, one site is dev and one site is prod hence the configs are the same.
In SsoUser.php, which extends yii\web\User, I have extended login() and set the default duration to 3600. How come the cookie didn't persist but lost? Is it a bug or something wrong with my config?
How come the cookie didn't persist but lost?
Session cookie is meant to expire. You need "remember me" in order to keep logged in state. Chrome does weird things with persisting cookies but it's even against RFCs. But that's not your case.
When site A is loaded, the identity cookie for Site B is lost (it's still in $_COOKIE but not in Yii::$app->request->cookies) and vice versa
That means that A uses same cookie name as B and overwrites it. You need to separate these cookies via config.
Isn't setting the duration in login() = remember me?
I have a different Yii2 project under different subdomain, with different cookie names is causing the same issue.
I did a test on my dev and prod site. Display a page which displays the content of Yii::$app->request->cookies. Changed cookie names for csrf, identity and session with suffix '-dev' for the dev site.
Open chrome. Clear all cookies. Open a tab to the login site to login.
Open a new tab to go to dev site and to the cookies page. On first load, no identity cookie. On subsequent reloads, identity cookie is displayed.
Open another tab to go to prod site, display any pages.
Go back to the dev tab. Reload. Identity cookie is lost. Reload, it's back, and continues to be there until I reload the page in the prod tab.
Now they have different cookie names. Overwrite shouldn't happen here?
Facing same issue "Не удалось проверить переданные данные."
Although, in logs I can see that both the CSRF cookie and the CSRF header have been sent by the user
I think that this may happen due to session expiration.
The user's session is expired, he relogins on one page, but the other page is cached in the browser and contains old session data.
Then the user has an invalid csrf token on the cached page
@cluwong no, it should not. That's super-weird. Am I right that these two websites are totally not connected? Separate databases, separate domains (not sub-domains of same domain), separate session storage?
@samdark Would it not be better to revert the commit which caused these issues (csrf token is regenerated in login() function), until better solution found? Already confirmed by multiple users ...
Sorry my bad. I forgot to run the console command to apply the changes and wasn't paying attention to the cookie names. Identity cookie persists when switching between sites when they have different names.
I thought with SSO, by setting the domain, the cookie is available for all subdomains, hence the same cookie name was used so they have the same identity info shared by the subdomains.
So with cookie names, should all 3 cookies have different names? (Although my tests show that only identity cookie needs to be different to prevent this error). Will there be any adverse hidden effects if csrf and session cookies are the same?
Perhaps docs should also be updated about different cookie names too.
If you want no interference — yes. They all should have different names. You may want these to have same cookies if your intent is to be authenticated at subdomains automatically.
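The cookie separation discussed above, as an added example that is not code from the thread or from Yii: a small PHP check that lists the cookies two Yii2 web configs would share (same name and same explicit Domain). The helper names, the `.example.test` domain and the sample arrays are constructed; sharing can be intentional for automatic sign-in across subdomains, so the result is a list to review.

```php
<?php
// Added example, not code from the thread. Domain and names are constructed placeholders.

/** Name and Domain of each cookie a Yii2 web config sets, keyed by purpose. */
function cookieMap(array $c): array
{
    return [
        // yii\web\Request::$csrfParam is also the CSRF cookie name (default "_csrf")
        'csrf' => [$c['request']['csrfParam'] ?? '_csrf',
                   $c['request']['csrfCookie']['domain'] ?? null],
        // yii\web\User::$identityCookie (default name "_identity")
        'identity' => [$c['user']['identityCookie']['name'] ?? '_identity',
                       $c['user']['identityCookie']['domain'] ?? null],
        // yii\web\Session uses PHP's session name unless 'name' is configured
        'session' => [$c['session']['name'] ?? 'PHPSESSID',
                      $c['session']['cookieParams']['domain'] ?? null],
    ];
}

/** Cookies that both apps will read and overwrite: same name, same explicit Domain. */
function sharedCookies(array $a, array $b): array
{
    $mapB = cookieMap($b);
    $shared = [];
    foreach (cookieMap($a) as $purpose => [$name, $domain]) {
        [$nameB, $domainB] = $mapB[$purpose];
        // Without a Domain attribute the cookie is host-only, so subdomains cannot clash
        if ($domain !== null && $domain === $domainB && $name === $nameB) {
            $shared[$purpose] = "$name on $domain";
        }
    }
    return $shared;
}

// Mirrors the thread's configuration (placeholder domain), used unchanged by both sites
$prod = [
    'user'    => ['identityCookie' => ['name' => '_identity', 'httpOnly' => true, 'domain' => '.example.test']],
    'session' => ['name' => 'session-frontend', 'cookieParams' => ['domain' => '.example.test', 'httpOnly' => true]],
];
// Dev site with a "-dev" suffix on all three names, as in the test described in the thread
$dev = $prod;
$dev['request']['csrfParam'] = '_csrf-dev';
$dev['user']['identityCookie']['name'] = '_identity-dev';
$dev['session']['name'] = 'session-frontend-dev';

print_r(sharedCookies($prod, $prod)); // both sites on the identical config
print_r(sharedCookies($prod, $dev));  // prod against the renamed dev config
```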
I think that this may happen due to session expiration.
The user's session is expired, he relogins on one page, but the other page is cached in the browser and contains old session data.
Then the user has an invalid csrf token on the cached page
I confirm this type of problem. Typical scenario:
@DmLapin It's a side effect of fixing security issue .
Were able to reproduce his case as a user.
It's XMLHttpRequest on a particular page.
Welp, in my case, I was using PageCache which was caching a csrf value..
Oddly enough, I never experienced the problem on my end, with pages not cached by me.
Disabled the cache and waiting for more logs to confirm that I'm a 🤡

I’m running a Yii2 (2.0.38) application on Microsoft Azure and seem to be getting a lot of :
[error][yii\web\HttpException:400] yii\web\BadRequestHttpException: Unable to verify your data submission. in D:\home\site\vendor\yiisoft\yii2\web\Controller.php:202
Stack trace:
#0 D:\home\site\vendor\mdmsoft\yii2-admin\controllers\UserController.php(51): yii\web\Controller->beforeAction(Object(yii\base\InlineAction))
#1 D:\home\site\vendor\yiisoft\yii2\base\Controller.php(178): mdm\admin\controllers\UserController->beforeAction(Object(yii\base\InlineAction))
#2 D:\home\site\vendor\yiisoft\yii2\base\Module.php(528): yii\base\Controller->runAction(‘login’, Array)
#3 D:\home\site\vendor\yiisoft\yii2\web\Application.php(103): yii\base\Module->runAction(‘admin/user/logi…’, Array)
#4 D:\home\site\vendor\yiisoft\yii2\base\Application.php(386): yii\web\Application->handleRequest(Object(yii\web\Request))
#5 D:\home\site\wwwroot\admin\index.php(17): yii\base\Application->run()
#6 {main}
errors. How can I go about troubleshooting this? Normally I find the culprit in the stack trace, but I’ll admit in this case, I don’t know what to do.
I have some problems with this and running on AWS.
My diagnosis is that this problem usually occurs to users who start to fill a form and let it unfinished opened for a long period of time (15min+) or some users with very slow internet.
I don’t think it is a Yii2-specific issue though, but don’t know how to tackle it and would be great to hear from others.
This is likely to do with CSRF Protection .
In order to prevent CSRF attacks all POST requests must include a valid CSRF token. If this token is not present or cannot be verified, Yii will abort the request with that error.
I don’t know exactly how long the tokens are valid but if users are waiting 15+ minutes before submitting a form, the most likely cause is expired tokens.
There are many possible causes of this issue, such as:
Your description is too vague to guess reason more precisely, just stack trace is not enough. Would be helpful to see some HTML/javascript which sends the request.
Sometimes when I login or logout I get this error “Unable to verify your data submission”. I have the advanced app setup both on a different sub-domain and have different cookieValidationKeys. Sometimes I can login fine but other times not. Disabling CsrfValidation works but I am sure this shouldn’t be the only way to fix the issue. It is the same on both live and production server.
It seems like a problem with cookies and sessions.
Do your front-end and back-end run on different domains? Or are you trying to run them on a shared hosting environment?
I’m having the exact same problem. Weird thing is my client is getting these errors whereas if I log in and do exactly the same thing they’re doing it all works fine. Frustrating because I can’t duplicate their error.
@C Hodges, are you also using the yii2-advanced-app?
I would imagine it has something to do with either the session name or the cookie path.
Sorry for late reply guys! I haven’t received notifications for these posts. I am running on subdomains:
'cookieValidationKey' => 'vDnre587vu-XAt_FOmc2K6qvwxxpa0Q0',
mbman opened this issue
Jul 28, 2014
· 49 comments


















samdark added type:bug labels Jul 28, 2014
samdark added this to the 2.0 RC milestone Jul 28, 2014
cebe closed this as completed Jul 28, 2014
cebe removed this from the 2.0 RC milestone Jul 28, 2014
cebe reopened this Jul 28, 2014
cebe added this to the 2.0 RC milestone Jul 29, 2014
qiangxue mentioned this issue Jul 29, 2014
samdark added severity:important and removed status:to be verified


