Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#13045] - Invalid Token

?
avatar sajalaspl
sajalaspl
29 Nov 2016

It seems that there's an issue while Gzip Compression Enabled (Under Global Configuration) and System Cache Plugin (Page Caching) enabled together.

Steps to reproduce the issue

  1. Open Joomla login page (For ex: http://rajesh111.demojoomla.com:81/index.php/component/users/?view=login) in browser.

  2. Now, open the same page in another browser.

  3. If you view source both the pages, you'll notice that the same CSRF token is supplied in the form.

  4. Now, login in the first browser, you'll logged in, that's good.

  5. Now, try to login in the second browser, you'll get "Invalid Token" error.

Expected result

It should get logged in both the browsers.

Actual result

Invalid Token error in one of the browser.

System information (as much as possible)

PHP Built On Linux jm100.siteground.biz 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26 06:52:09 UTC 2016 x86_64
Database Version 5.5.39-36.0-log
Database Collation utf8_general_ci
Database Connection Collation utf8mb4_general_ci
PHP Version 5.6.28
Web Server Apache
WebServer to PHP Interface cgi-fcgi
Joomla! Version Joomla! 3.6.4 Stable [ Noether ] 21-October-2016 16:33 GMT
Joomla! Platform Version Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT
User Agent Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31

Additional comments

Votes

# of Users Experiencing Issue
1/1
Average Importance Score
5.00
avatar sajalaspl sajalaspl - open - 29 Nov 2016
avatar joomla-cms-bot joomla-cms-bot - change - 29 Nov 2016
Labels Added: ?
avatar joomla-cms-bot joomla-cms-bot - labeled - 29 Nov 2016
avatar sajalaspl sajalaspl - change - 29 Nov 2016
The description was changed
Labels Removed: ?
avatar sajalaspl sajalaspl - edited - 29 Nov 2016
avatar sajalaspl sajalaspl - change - 29 Nov 2016
The description was changed
avatar sajalaspl sajalaspl - edited - 29 Nov 2016
avatar sajalaspl sajalaspl - change - 29 Nov 2016
The description was changed
avatar sajalaspl sajalaspl - edited - 29 Nov 2016
avatar sajalaspl
sajalaspl - comment - 29 Nov 2016

I think the issue is that when gZip compression is enabled, the page cache is stored in compressed format. And during the rendering of that cached page, it's not able to replace the CSRF token properly since the data is stored in gZip format.

So, the solution could be something like this:

Filename: libraries/joomla/cache/cache.php
Method: getWorkarounds

....
....
                // The following code searches for a token in the cached page and replaces it with the proper token.
		if (isset($data['body']))
		{
			$token       = JSession::getFormToken();
			$search      = '#<input type="hidden" name="[0-9a-f]{32}" value="1" />#';
			$replacement = '<input type="hidden" name="' . $token . '" value="1" />';
			
			// Assuming that Gzip is enabled, Need to check dynamicall though :-)
			$cached_data = $data['body'];
			$uncompressed_data = gzdecode($cached_data);
			$processed_data = preg_replace($search, $replacement, $uncompressed_data);
			$data['body'] = gzencode($processed_data, 4, FORCE_GZIP);
                        
                        // NEED TO COMMENT OUT FOLLOWING LINE
			// $data['body'] = preg_replace($search, $replacement, $data['body']);
			$body         = $data['body'];
		}
....
....

Any thoughts?

avatar PhilETaylor
PhilETaylor - comment - 11 Dec 2016

This is nothing to do with gzip

This is expected behaviour.

Once a change of user authentication has occurred, the session should be regenerated for security, and this will force a token change.

This is by design.

avatar zero-24 zero-24 - close - 11 Dec 2016
avatar zero-24
zero-24 - comment - 11 Dec 2016

Closing than. Thanks @PhilETaylor

avatar zero-24 zero-24 - change - 11 Dec 2016
Status New Closed
Closed_Date 0000-00-00 00:00:00 2016-12-11 15:20:08
Closed_By zero-24
avatar zero-24 zero-24 - close - 11 Dec 2016
avatar sajalaspl
sajalaspl - comment - 12 Dec 2016

@PhilETaylor Thanks for your reply.

Yes, I understand once user is logged in, the particular token associated with that session is expired. But, the issue (as per my understanding, please correct me If I'm wrong) is that when you open login page in two "different" browsers (IE and FF for example), both should serve different tokens at first place considering that they both are different sessions although accessed from the same PC.

But the same scenario works when gzip is disabled. I mean, when gzip is disabled, and I open login page in two different browsers it serves me different token.

Any ideas, why that is so?

avatar PhilETaylor
PhilETaylor - comment - 12 Dec 2016

My previous comments were on the basis of two tabs in the same browser - I stand by those in that context.

I see you edited your reply, so I have now investigated with two different browsers

I cannot replicate your problem with a Firefox and a Chrome browser, with or without gzip enabled.

All I see is the expected behaviour. I can login with both browsers in independent sessions with no token issues.

avatar sajalaspl
sajalaspl - comment - 12 Dec 2016

@PhilETaylor Ok thanks.

Add a Comment

Login with GitHub to post a comment