I'm having a problem with the CSRF component since I updated to the latest 3.0.4 CakePHP version yesterday. It looks like there is a security fix for previous versions, so I decided to upgrade as soon as possible, but since then I'm getting this error when I try to log in to my app:
Invalid CSRF token.
Strangely enough, I have seen a funny behavior while trying to figure out what is happening:
1) I went to my AppController.php, set the secure option to Csrf component to false, then I login -> it works
2) Set that option to true and login again -> it works
3) In (chrome) incognito mode, try to login from there -> it fails (invalid CSRF token)
4) After the incognito failure, try to login again from -not incognito mode- -> it works
Looking at the documentation I thought that enabling it and using the standard Form helper would be enough... do I need something else? Everything was working correctly with the 3.0.2 version I was using before.
The secure flag in the Csrf component means that the cookie will only be set if using a https (secure) connection. If the form is not generated and submitted over https, then it will block the attempt.
I am having an issue with a Guacamole server where I cannot log out of the web session once I am logged in. We use Keycloak for identity management and Guacamole server for RDP sessions. The versions of both applications are fairly recent, but we have had this issue for a long time, since the inception. I searched Google but was unable to find any fix; however, there are people who have already experienced a similar issue. Apart from the logout issue, everything functions without any problem. A couple of errors I can see in the browser are shown below:
ERROR in browser:
{
"message":"Session not associated with authentication provider \"openid\".",
"translatableMessage":{
"key":"APP.TEXT_UNTRANSLATED",
"variables":{
"MESSAGE":"Session not associated with authentication provider \"openid\"."
}
},
"statusCode":null,
"expected":null,
"type":"NOT_FOUND"
}
I think I have found the reason why the Guacamole logout is not working: it is Keycloak SSO. It uses cookies to keep users logged in.
What you need to do:
Go to the realm -> Authentication -> Flows -> Choose the flow you use from the drop-down list, usually it is "browser" or a clone of it -> Authentication type "Cookies" set to Disabled.
If you need to keep SSO - limit time in the Realm settings.
Try now.
I am using facebook SDK. I am getting the following error:
Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://
After studying, I came to know that I have to set 'Enforce HTTPS' to NO under 'Facebook Login > Settings'. But I cannot set Enforce HTTPS to NO. Is this problem on my side? Or does Facebook restrict me to using https instead of http?
Enable Client OAuth Login and write "localhost:3000" in Valid OAuth Redirect URIs.
Save changes. It will automatically change to https://localhost:3000, but it doesn't matter...
And set Status: In Development (THIS IS IMPORTANT!)
Then it will work in your http localhost.
But I cannot set Enforce HTTPS to NO. Is this problem on my side?
https://developers.facebook.com/docs/facebook-login/security:
Enforce HTTPS. This setting requires HTTPS for OAuth Redirects and pages getting access tokens with the JavaScript SDK. All new apps created as of March 2018 have this setting on by default and you should plan to migrate any existing apps to use only HTTPS URLs by March 2019.
Sounds to me, like they don’t want you to be able to even start without HTTPS, when you are creating a new app now.
Plus, Chrome has recently announced that they will mark all HTTP sites as insecure soon, from version 68 on, that will be released in July 2018. So you’re gonna have to go HTTPS rather sooner than later anyway.
The “big players” of the industry are currently pushing for this big time, whether we want it or not.
If you just enable Client OAuth Login and write just localhost:{port} to Valid OAuth Redirect URIs, it will work.
If you're developing locally with create-react-app, a quick solution is to add
HTTPS=true
to your .env file and just comment it out when you're not testing Facebook login.
It seems like Business apps do not have app modes and instead rely exclusively on access levels. Because of this, you can't set the app to the "Development mode".
All newly created apps start out in Development mode and you should avoid changing it until you have completed all development and testing.
https://developers.facebook.com/docs/development/build-and-test/
https://developers.facebook.com/docs/development/build-and-test/app-modes
However, if you wanna try out your app in a localhost, you need to create a test app, like you can check out in this thread:
How to fix 'Facebook has detected MyApp isn't using a secure connection to transfer information.' error in Laravel
I am analyzing code. It is a Wicket application using WebSphere form based authentication.
The program has the ibm_security_logout form mechanism implemented.
When being logged in, I copy the current URL to the clipboard.
When logging out using the form, I seem to be logged out. However, when using the copied URL, I am back in the GUI, being logged in.
So the session is still valid? How can I make sure I am actually logged out, and redirected to the login page when using 'old' URLs?
Thanks!
Check that security is enabled for applications in admin console, menu Security > Global security, checkbox "Application security".
Check that there is no security interceptor in menu Security > Global Security > Trust association > Interceptor.
Connect to your application using Chrome or Firefox and open "developer tools" panel. Check what happens when you click on logout:
in the network tab, the browser should send a GET request to the ibm_security_logout url
in the WebSphere answer, there should be a header Set-Cookie:LtpaToken2="" which should remove LtpaToken2. LtpaToken2 is basically the session cookie for WebSphere.
Look at your cookies using developer tools. LtpaToken2 should not be there anymore.
If step 1 is not OK: your client application logout button is not properly implemented.
If step 2 is not OK: there should be an error in the WebSphere log file.
If step 3 is not OK (very unlikely): there might be a cross-domain error, meaning the cookie was set for another domain name.
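As an added illustration of steps 2 and 3 above (example code, not from the thread or from WebSphere), a small Python check that inspects the Set-Cookie headers returned by the ibm_security_logout request and reports whether LtpaToken2 was actually cleared; the header values, the expected_domain parameter and the domain names are constructed samples.

```python
# Added example (not from the original thread): verify that a WebSphere
# ibm_security_logout response clears the LtpaToken2 session cookie and
# that it clears it for the expected domain (the cross-domain case).
from http.cookies import SimpleCookie


def parse_set_cookies(set_cookie_headers):
    """Parse a list of Set-Cookie header values into {name: Morsel}."""
    jar = {}
    for value in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(value)
        jar.update(cookie)
    return jar


def ltpa_cleared(set_cookie_headers, expected_domain=None):
    """Return (ok, reason).

    ok is True when LtpaToken2 is set to an empty value (how the logout
    response deletes it) and, if expected_domain (assumed parameter) is
    given, the cookie's Domain attribute matches that host.
    """
    jar = parse_set_cookies(set_cookie_headers)
    morsel = jar.get("LtpaToken2")
    if morsel is None:
        return False, "no Set-Cookie for LtpaToken2: step 2 failed, check the server log"
    if morsel.value != "":
        return False, "LtpaToken2 was re-issued instead of cleared"
    domain = morsel["domain"]  # "" when the attribute is absent
    if expected_domain and domain and domain.lstrip(".") != expected_domain.lstrip("."):
        return False, f"cookie cleared for {domain!r}, not {expected_domain!r}: step 3, cross-domain"
    return True, "LtpaToken2 cleared"


if __name__ == "__main__":
    # Constructed sample of a good logout response (domain is made up).
    headers = ['LtpaToken2=""; Path=/; Domain=.example.com; HttpOnly']
    print(ltpa_cleared(headers, "example.com"))
```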
I'm using the extended accounts package 'accounts-facebook'. When I run my application locally, the login authentication procedure works after adding 'http://localhost:3000/_oauth/facebook?close' under Valid OAuth redirect URIs.
After deploying the application however, the login pop-up gives no error, but remains blank without completing the authentication procedure. I've tried adding 'http://www.algoloom.com/_oauth/facebook?close' and loads of possible variations to this, as some other forum discussions suggest, but the login procedure is never completed.
While I was testing my application in its deployed version, I managed to get Facebook login working by changing its ROOT_URL to 'http://www.algoloom.com:3010', in combination with 'http://www.algoloom.com:3010/_oauth/facebook?close' as a redirect URI. Now that I've set nginx to redirect to port 3010 by default, the 3010 disappears from the main website URL. As a result I've also set my ROOT_URL to 'http://www.algoloom.com'. This works fine for any other website functionality, but I can't seem to fix my issues with Facebook login.
Any ideas on how to solve this?
I'm developing a website that is going to use Facebook authentication.
I'm using GWT and it works fine when I run the code compiled, but when I'm running the development it does not work.
The problem is when I'm trying to retrieve the access_token from Facebook.
I'm receiving the error below:
"error":{"message":"Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request","type":"OAuthException","code":100}"
Obviously, the redirect_uri is identical as the login url one.
I found out (by this topic) that the problem is the last part of the url "?gwt.codesvr=127.0.0.1:9997".
How can I solve this? or how can I manage to use the GWT development mode with this problem?
Thanks,
Normally this is due to the url verification FB does.
When you register a new app in FB you have to configure the set of domains (App Domains) authorized to use the FB login form.
Unfortunately you cannot set 127.0.0.1 nor localhost as a valid domain, so you cannot use GWT dev-mode unless you configure a hostname in your domain pointing to your localhost.
If you set mydomain.com as a valid App Domain in your FB application, configure localhost.mydomain.com pointing to 127.0.0.1 in your local hosts file or in your DNS server. Then use http://localhost.mydomain.com:8888/myapp.html?gwt.codesvr=localhost.mydomain.com:9997 to run dev mode in your browser.
I found out the problem.
By encoding only the gwt.codesvr value it works.
However, using the PHP urlencode function on it did not work; I had to encode it myself.
The gwt dev param ended like this "?gwt.codesvr=127.0.0.1%3A9997"
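As an added example (not code from the thread), the encoding difference described in this answer in Python: only the gwt.codesvr value is percent-encoded, and a redirect_uri encoded as a whole (what urlencode on the full URL does) no longer parses as the same URL. The host localhost.mydomain.com is the one from the earlier answer, used here as a constructed sample.

```python
# Added example (not from the original thread): build the GWT dev-mode
# redirect_uri with only the gwt.codesvr *value* encoded, and show why
# encoding the whole URL breaks the "identical redirect_uri" comparison.
from urllib.parse import parse_qs, quote, quote_plus, urlsplit


def dev_mode_redirect_uri(base, codesvr="127.0.0.1:9997"):
    """Append gwt.codesvr with only its value encoded ("127.0.0.1%3A9997")."""
    return f"{base}?gwt.codesvr={quote(codesvr, safe='')}"


def fully_encoded(base, codesvr="127.0.0.1:9997"):
    """What encoding the whole URL produces: ':' '/' '?' '=' all escaped."""
    return quote_plus(f"{base}?gwt.codesvr={codesvr}", safe="")


def same_redirect(a, b):
    """True when both URLs name the same scheme, host, path and the same
    decoded query parameters, which is the sense in which the dialog's
    redirect_uri and the token exchange's redirect_uri must be identical."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.netloc, pa.path) == (pb.scheme, pb.netloc, pb.path) \
        and parse_qs(pa.query) == parse_qs(pb.query)


if __name__ == "__main__":
    base = "http://localhost.mydomain.com:8888/myapp.html"  # constructed sample
    good = dev_mode_redirect_uri(base)
    bad = fully_encoded(base)
    print(good)            # only the ':' in the value becomes %3A
    print(bad)             # scheme and path are mangled too
    print(same_redirect(good, f"{base}?gwt.codesvr=127.0.0.1:9997"))  # True
    print(same_redirect(good, bad))                                   # False
```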