yii2: CSRF fails if mbstring.encoding_translation set to On

What steps will reproduce the problem?

I configured php.ini with the information below:

[mbstring]
mbstring.language = Japanese
mbstring.internal_encoding = UTF-8
mbstring.encoding_translation = On

What is the expected result?

When I submit a form on the website, I see this error:

Error Bad Request (#400) Unable to verify your data submission

Additional info

| Q | A |
| --- | --- |
| Yii version | 2.0.12 |
| PHP version | 7.0.20 |
| Operating system | Windows |

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 23 (11 by maintainers)

Most upvoted comments

More specifically, hashed CSRF cookie data value $calculatedHash differs from its stored hash value $hash, so validation fails in yii\base\Security. As I checked, in my case it happens in the updated version; in the previous version the CSRF cookie data value differs from the updated one and data validation works as it should.

In log traces it looks like:

yii\base\Security::validateData

Validating CSRF cookie : d4ae7ff74b0168747e431594a507418878be92ecdb3d8b1514c4bb92556085e9a:2:{i:0;s:13:"_csrf-backend";i:1;s:32:"F??R???֌?q???g8??`?????|yn?";}
yii\base\Security::validateData

Cookie `$hash` value:
d4ae7ff74b0168747e431594a507418878be92ecdb3d8b1514c4bb92556085e9
yii\base\Security::validateData

Cookie `$pureData` value:
a:2:{i:0;s:13:"_csrf-backend";i:1;s:32:"F??R???֌?q???g8??`?????|yn?";}
yii\base\Security::validateData

CSRF cookie `$hash` value differs from calculated `hash_hmac($pureData)` value
d4ae7ff74b0168747e431594a507418878be92ecdb3d8b1514c4bb92556085e9 : 91ff93ed84df7a2a56067cf085ac3c6d53aba1f60ad99914d6dd85ea0df860c4
returns : false
yii\web\Request::loadCookies

The value for the `_csrf-backend` is not validated.

should be fixed by #14590
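
The mismatch traced in the log above, as an added example that is not part of the original thread and not Yii's own code: a simplified split-and-recompute HMAC check over a signed cookie, run once on the original bytes and once after the bytes have been transcoded. Assumptions: the key and token are constructed sample values, `signData`/`validateData` here are simplified stand-ins, and `mb_convert_encoding` (mbstring extension required) stands in for whatever rewriting the input filter applies.

```php
<?php
// Added example: simplified stand-in for a prefix-HMAC cookie check.
const MAC_ALGO = 'sha256';

// Sign: hex HMAC of the data, followed by the data itself.
function signData(string $data, string $key): string
{
    return hash_hmac(MAC_ALGO, $data, $key) . $data;
}

// Validate: split off the hash prefix, recompute the HMAC over the
// remaining bytes, compare in constant time.
function validateData(string $signed, string $key)
{
    $hashLength = strlen(hash_hmac(MAC_ALGO, '', ''));
    if (strlen($signed) < $hashLength) {
        return false;
    }
    $hash = substr($signed, 0, $hashLength);
    $pureData = substr($signed, $hashLength);
    $calculatedHash = hash_hmac(MAC_ALGO, $pureData, $key);
    return hash_equals($hash, $calculatedHash) ? $pureData : false;
}

// Constructed sample values (not taken from the issue).
$key = 'constructed-cookie-validation-key';
$token = str_repeat("\xA9\x10", 16); // 32 raw bytes, not valid UTF-8
$cookie = signData(serialize(['_csrf-backend', $token]), $key);

// Assumption: any transcoding pass over the request input rewrites
// byte sequences that are invalid in the source encoding.
$transcoded = mb_convert_encoding($cookie, 'UTF-8', 'UTF-8');

echo 'bytes changed by transcoding: ';
var_dump($cookie !== $transcoded);
echo 'original cookie validates: ';
var_dump(validateData($cookie, $key) !== false);
echo 'transcoded cookie validates: ';
var_dump(validateData($transcoded, $key) !== false);

// Deployment check: report whether this runtime has the setting from
// the issue enabled, so the cause can be ruled in or out quickly.
$flag = filter_var(ini_get('mbstring.encoding_translation'), FILTER_VALIDATE_BOOLEAN);
echo 'mbstring.encoding_translation enabled: ';
var_dump($flag);
```

Because the HMAC covers the exact bytes that were signed, a raw binary token in a cookie only survives validation if nothing between the browser and the check rewrites those bytes.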