Anonymous | Login | 2024-12-22 00:11 MST |
Main | My View | View Issues | Change Log | Roadmap | Repositories |
View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
0001224 | ClearOS | clearos-framework | public | 2013-07-11 10:31 | 2013-08-21 21:10 | ||||
Reporter | bchambers | ||||||||
Assigned To | bchambers | ||||||||
Priority | normal | Severity | minor | Reproducibility | always | ||||
Status | closed | Resolution | fixed | ||||||
Platform | OS | OS Version | |||||||
Product Version | 6.4.0 | ||||||||
Target Version | 6.5.0 Beta 1 | Fixed in Version | 6.5.0 Beta 1 | ||||||
Summary | 0001224: CSRF fails if server time is off by more than -2 hours | ||||||||
Description | In some browsers (Chrome on Linux), the csrf cookie is not set if the server time is off. Specifically, if the server clock is off by more than the value set in /usr/clearos/framework/applications/config/config.php's value of $config['csrf_expire'] setting, the cookie fails to be created on the client and forms do not pass the CSRF protection (including login). | ||||||||
Steps To Reproduce | Set your system clock to -2 hours or more before current time and attempt webconfig login. | ||||||||
Tags | No tags attached. | ||||||||
Attached Files | |||||||||
Notes | |
(0000923) bchambers (administrator) 2013-07-11 11:18 |
On login, you will see: An Error Was Encountered The action you have requested is not allowed. |
(0000924) bchambers (administrator) 2013-07-11 11:21 |
Not sure how to get around this... Since it will stop users at the login page, perhaps send Unix timestamp of server to compare in javascript with desktop's timestamp and display warning if server is older by two hours or more. |
(0000925) bchambers (administrator) 2013-07-11 11:31 |
To solve this issue, correct the internal clock time on your server (or desktop). In ClearOS, run: timesync To connect to remote NTP servers to update clock. |
(0000935) bchambers (administrator) 2013-07-17 11:45 |
Source Code Changelog --------------------------------------------------- - Override security class to make CSRF token session based [fixed tracker 0001224] File Changes --------------------------------------------------- Details: http://code.clearfoundation.com/svn/revision.php?repname=ClearOS&rev=6226 [^] U webconfig/framework/trunk/application/config/config.php A webconfig/framework/trunk/application/core/MY_Security.php |
Issue History | |||
Date Modified | Username | Field | Change |
2013-07-11 10:31 | bchambers | New Issue | |
2013-07-11 10:31 | bchambers | Status | new => assigned |
2013-07-11 10:31 | bchambers | Assigned To | => bchambers |
2013-07-11 11:18 | bchambers | Note Added: 0000923 | |
2013-07-11 11:21 | bchambers | Note Added: 0000924 | |
2013-07-11 11:31 | bchambers | Note Added: 0000925 | |
2013-07-17 11:45 | bchambers | Checkin | |
2013-07-17 11:45 | bchambers | Note Added: 0000935 | |
2013-07-17 11:45 | bchambers | Status | assigned => resolved |
2013-07-17 11:45 | bchambers | Resolution | open => fixed |
2013-08-19 11:42 | user2 | Fixed in Version | => 6.5.0 Beta 1 |
2013-08-19 11:42 | user2 | Target Version | 6.4.0 Updates => 6.5.0 Beta 1 |
2013-08-21 21:10 | user2 | Status | resolved => closed |