cakephp: Missing CSRF token body
- CakePHP Version: v4.0.7
- Platform and Target: Ubuntu (localhost, .local), MySQL
Log
2020-05-06 03:43:01 Error: [Cake\Http\Exception\InvalidCsrfTokenException] Missing CSRF token body in /home/sites/my_devices/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php on line 275 Stack Trace:
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php:134
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Http/Runner.php:77
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php:138
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Http/Runner.php:58
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php:162
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware.php:68
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Error/Middleware/ErrorHandlerMiddleware.php:119
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/sites/my_devices/vendor/cakephp/debug_kit/src/Middleware/DebugKitMiddleware.php:60
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Http/Runner.php:58
- /home/sites/my_devices/vendor/cakephp/cakephp/src/Http/Server.php:90
- /home/sites/my_devices/webroot/index.php:40
Request URL: /users/login?redirect=%2Fusers%2Fadd
Referer URL: http://iarcas_devices.local/users/login?redirect=%2Fusers%2Fadd
Client IP: 127.0.0.1
Debug $request->getHeaderLine('X-CSRF-Token')
/…/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php on line 270
debug($request->getHeaderLine('X-CSRF-Token'));
return:
/src/Http/Middleware/CsrfProtectionMiddleware.php (line 269)
''
Debug $request->getHeaders();
/src/Http/Middleware/CsrfProtectionMiddleware.php (line 269)
[
'Host' => [
(int) 0 => 'iarcas_devices.local'
],
'Connection' => [
(int) 0 => 'keep-alive'
],
'Content-Length' => [
(int) 0 => '359'
],
'Cache-Control' => [
(int) 0 => 'max-age=0'
],
'Upgrade-Insecure-Requests' => [
(int) 0 => '1'
],
'User-Agent' => [
(int) 0 => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/81.0.4044.129 Chrome/81.0.4044.129 Safari/537.36'
],
'Origin' => [
(int) 0 => 'http://iarcas_devices.local'
],
'Content-Type' => [
(int) 0 => 'application/x-www-form-urlencoded'
],
'Accept' => [
(int) 0 => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
],
'Referer' => [
(int) 0 => 'http://iarcas_devices.local/users/login?redirect=%2Fusers%2Fadd'
],
'Accept-Encoding' => [
(int) 0 => 'gzip, deflate'
],
'Accept-Language' => [
(int) 0 => 'pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7'
],
'Cookie' => [
(int) 0 => 'csrfToken=4bd592fd984ea9b23efa736ede4388e021d0aef73c8ba5245516d1d0; PHPSESSID=lncnr062pk14b12r0som1f3mp6'
]
]
Template ~/login.php
<div class="users form">
<form method="post" accept-charset="utf-8" action="/users/login?redirect=%2Fusers%2Fadd"><div style="display:none;"><input type="hidden" name="_csrfToken" autocomplete="off" value="4bd592fd984ea9b23efa736ede4388e021d0aef73c8ba5245516d1d0"/></div>
...
<div style="display:none;"><input type="hidden" name="_Token[fields]" autocomplete="off" value="fc23599c3dea644f7d973005a8edcf0e34ad92cb%3A"/><input type="hidden" name="_Token[unlocked]" autocomplete="off" value=""/><input type="hidden" name="_Token[debug]" autocomplete="off" value="%5B%22%5C%2Fusers%5C%2Flogin%3Fredirect%3D%252Fusers%252Fadd%22%2C%5B%22email%22%2C%22password%22%5D%2C%5B%5D%5D"/></div></form>
$header empty
270 $header = $request->getHeaderLine('X-CSRF-Token');
271 if (hash_equals($header, $cookie)) {
272 return;
273 }
274
275 throw new InvalidCsrfTokenException(__d('cake', 'Missing CSRF token body'));
__
Hello, I'm using CakePHP v4.0.7 and I got this error (Missing CSRF token body). I'm trying to use the cakephp-tinyauth login, but after submitting the form I get the error from line 275 of the file /vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php.
I wasn't able to verify the return value that getHeaderLine('X-CSRF-Token') tries to find on line 270, and X-CSRF-Token does not exist in $request->getHeaders().
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 24 (12 by maintainers)
The form only sends email: ***** password: *****, but no _csrfToken.

How do you generate the form? Do you use the form helper $this->Form->create() or just add <form> directly?

Didn't we add an exception in 4.1.1 to detect the token being applied twice?

Yes, here are the notes: https://bakery.cakephp.org/2020/07/18/cakephp_411_released.html

Does the $body['_csrfToken'] value match the value of the csrfToken cookie?

You are using a form, so $request->getHeaderLine('X-CSRF-Token') is expected to be empty. But a few lines above it, the variable $body should contain the form data. Does $body contain the _csrfToken key? Does its value match the value of the csrfToken cookie?

Did you create your form with $this->Form->create()? If not, your form will be missing the csrfToken POST parameter, and since it does not contain a header or POST parameter, it will fail CSRF token validation.
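The check the maintainers describe, and the snippet from lines 270-275 above, as an added example that is not CakePHP's own code: a simplified model of what CsrfProtectionMiddleware does with the csrfToken cookie, the _csrfToken form field and the X-CSRF-Token header. The function name checkCsrf() and the four sample requests are constructed for this illustration; the token value is the one from the issue's cookie dump, and the accept/reject outcomes are what each request would get from the real middleware.

```php
<?php
// Added example, not CakePHP's code: a stripped-down model of the check that
// CsrfProtectionMiddleware performs. It shows why a hand-written <form> that
// posts only email/password is rejected, while a form built with
// $this->Form->create() (which emits the hidden _csrfToken field) is accepted.
// checkCsrf() and the sample requests below are constructed for this example.

function checkCsrf(array $cookies, array $headers, array $body): string
{
    // The cookie is the "known" half of the double-submit pair.
    $cookie = $cookies['csrfToken'] ?? '';
    if (!is_string($cookie) || $cookie === '') {
        return 'Missing CSRF token cookie';
    }

    // HTML form posts carry the token in the body under the _csrfToken key ...
    $post = $body['_csrfToken'] ?? '';
    if (is_string($post) && $post !== '' && hash_equals($cookie, $post)) {
        return 'ok (body)';
    }

    // ... while XHR/API clients send it as the X-CSRF-Token header instead.
    // hash_equals() compares in constant time; '' never matches a real token.
    $header = $headers['X-CSRF-Token'] ?? '';
    if (is_string($header) && $header !== '' && hash_equals($cookie, $header)) {
        return 'ok (header)';
    }

    // Neither carrier matched the cookie: same outcome the issue reports.
    return 'Missing CSRF token body';
}

// Token value taken from the csrfToken cookie shown in the issue's header dump.
$token = '4bd592fd984ea9b23efa736ede4388e021d0aef73c8ba5245516d1d0';
$cookies = ['csrfToken' => $token];

// 1. Hand-written <form>: only email/password in the body, no header -> rejected.
echo checkCsrf($cookies, [], ['email' => 'user@example.test', 'password' => 'x']), PHP_EOL;

// 2. Form built with $this->Form->create(): hidden _csrfToken equals the cookie -> accepted.
echo checkCsrf($cookies, [], ['email' => 'user@example.test', 'password' => 'x', '_csrfToken' => $token]), PHP_EOL;

// 3. XHR client that copied the cookie value into the X-CSRF-Token header -> accepted.
echo checkCsrf($cookies, ['X-CSRF-Token' => $token], []), PHP_EOL;

// 4. A token from some other session: same length, different value -> rejected.
echo checkCsrf($cookies, [], ['_csrfToken' => str_repeat('0', 60)]), PHP_EOL;

// 5. Request with no csrfToken cookie at all -> rejected before any comparison.
echo checkCsrf([], [], ['_csrfToken' => $token]), PHP_EOL;
```

Run it with `php example.php`; cases 1, 4 and 5 print the rejection messages and cases 2 and 3 print the accepted variants. When debugging a report like this one, dump `$request->getParsedBody()` next to `$request->getHeaderLine('X-CSRF-Token')` and `$request->getCookieParams()`: for a browser form post the header is expected to be empty, so the only useful question is whether the parsed body contains a `_csrfToken` key whose value equals the cookie.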