[IE11 BUG ?] CSRF and IE11 (Internet Explorer 11) issue #733

Closed
sidopufn opened this issue Oct 7, 2015 · 7 comments

Comments

@sidopufn

sidopufn commented Oct 7, 2015

There appears to be a CSRF issue at login with ie11. To duplicate the issue, try the following in the latest version of ie11:

(1) Create a new account
(2) Activate the new account
(3) Attempt to Sign In

On occasion, you will get a redirect to home logged out, I think due to CSRF rejection. I cannot replicate the issue in any browser other than ie11, even though this should not be a browser specific issue. Clearing the cache, closing ie, and restarting resolves the issue.

@panique panique changed the title CSRF and ie11 Issue [IE11 BUG ?] CSRF and IE11 issue Oct 7, 2015
@panique panique changed the title [IE11 BUG ?] CSRF and IE11 issue [IE11 BUG ?] CSRF and IE11 (Internet Explorer 11) issue Oct 7, 2015
@panique
Owner

panique commented Oct 7, 2015

Hey @sidopufn , I just tried this and created a new account with a totally new user and a totally fresh email address inside IE11, then confirmed the account creation by clicking the link from the confirmation mail, which leads to the confirmation page that shows a go-to-homepage link. Clicking the link goes to the login page, and signing in with the username / password successfully logs in.

I've just done this on Windows 7 with the latest IE11 (all current Windows 7 updates were applied).

Can you reproduce this on another PC, with a totally fresh account?

@jahbiuabft

It turns out this was not a CSRF issue. I have this system running on a subdomain. It appears IE11 is very specific regarding session cookie domains. Adding a leading period to the /, resulting in ./, in the config cookie location appears to have resolved the issue. No browser I tested had this issue other than IE11. Also, this issue was intermittent on IE11 machines.

I will follow up if anything changes re this fix.

Very frustrating 24 hours trying to figure this out.

@panique
Owner

panique commented Oct 11, 2015

Thanks, I've added this problem and the solution to the troubleshooting section of the Readme!

panique added a commit that referenced this issue Oct 11, 2015
@panique panique closed this as completed Oct 11, 2015
@jahbiuabft

Following up on this ./ issue and IE, I initially thought it was only an issue if the system was installed on a subdomain. But, it turns out the issue also occurs if the system is installed on a root domain.

Perhaps the default should be "./" in COOKIE DOMAINS to resolve this issue?

@panique panique reopened this Oct 17, 2015
@panique
Owner

panique commented Oct 17, 2015

Can you please give more details? I could not reproduce this on the live demo in IE11.

@jahbiuabft

It is an issue that I have appearing only in IE - now not just IE11 - and only when the period is missing before the / in the COOKIE DOMAINS setting. Also, it is intermittent on machines with IE, and always clears when all cookies are cleared and the browser is restarted.

On a subdomain, I did two rounds of load testing with 50+ concurrent users. In the first round, half the IE users had the problem. In the second round, after adding ./, zero users had the problem. I then moved it to a root domain and removed the leading period, and the problem came back just as before on two test machines using IE11. So, I have re-added the leading period and it appears to have resolved the issue.

What happens is that after a user logs in, the user is immediately redirected to the post-login page, as if logged in, and is always redirected to that page no matter what logged-in-user page the user attempts to navigate to. Because adding the leading period appears to resolve the issue, and because this issue only arises in IE, I have stopped trying to find the root cause and have decided to just move forward with this solution, which appears to be a validated workaround.

I hope this explanation is helpful.

@panique
Owner

panique commented Nov 29, 2015

I've just pushed a little notice into the configs and linked this to https://stackoverflow.com/questions/2285010/php-setcookie-domain

@panique panique closed this as completed Nov 29, 2015
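The thread's "./" fix reads as putting a leading dot on the cookie Domain value (the COOKIE_DOMAIN setting that, I assume, ends up in PHP's setcookie()/session_set_cookie_params() domain argument), not on the path. What that attribute actually changes is how far the session cookie travels, which is the security-relevant part. The following is an added example, not code from the huge project or from anyone in this thread: it models what an RFC 6265 browser does with the Domain attribute of a Set-Cookie header. No Domain gives a host-only cookie, a leading dot is ignored, and a domain cookie is sent to the named domain and every subdomain under it. The host names and cookie values are constructed for the demo.

```python
"""Cookie Domain scoping per RFC 6265: host-only vs domain cookies.

Added example (not code from the huge project or from this thread). Host and
cookie names are constructed for the demo.
"""
import ipaddress
from typing import Optional


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or request_host is a subdomain
    of cookie_domain and request_host is not an IP address."""
    h = request_host.lower().rstrip(".")
    d = cookie_domain.lower().rstrip(".")
    if h == d:
        return True
    return h.endswith("." + d) and not _is_ip(h)


def parse_set_cookie(header: str, request_host: str) -> Optional[dict]:
    """Minimal Set-Cookie processing (RFC 6265 sections 5.2.3 and 5.3).

    Returns the stored cookie, or None when the browser would reject it
    because the Domain attribute does not cover the responding host.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    domain_attr = attrs.get("domain", "").lower()
    if domain_attr.startswith("."):
        domain_attr = domain_attr[1:]  # 5.2.3: a leading dot is ignored

    if domain_attr:
        # 5.3 step 6: the responding host must domain-match the attribute,
        # otherwise the whole cookie is ignored.
        if not domain_match(request_host, domain_attr):
            return None
        host_only, domain = False, domain_attr
    else:
        # No Domain attribute: host-only cookie bound to the exact host.
        host_only, domain = True, request_host.lower()

    return {"name": name.strip(), "value": value, "host_only": host_only,
            "domain": domain}


def cookie_sent_to(cookie: dict, request_host: str) -> bool:
    """RFC 6265 section 5.4: host-only cookies need an exact host match,
    domain cookies need a domain-match."""
    h = request_host.lower()
    if cookie["host_only"]:
        return h == cookie["domain"]
    return domain_match(h, cookie["domain"])


def reach(header: str, set_by: str, hosts: list) -> list:
    """Which of `hosts` receive the cookie that `set_by` set with `header`."""
    cookie = parse_set_cookie(header, set_by)
    if cookie is None:
        return []
    return [h for h in hosts if cookie_sent_to(cookie, h)]


if __name__ == "__main__":
    hosts = ["app.example.com", "example.com", "www.example.com",
             "user-content.example.com", "example.org"]
    for header in ("PHPSESSID=abc123; Path=/; HttpOnly",
                   "PHPSESSID=abc123; Path=/; HttpOnly; Domain=.example.com",
                   "PHPSESSID=abc123; Path=/; HttpOnly; Domain=example.com",
                   "PHPSESSID=abc123; Path=/; HttpOnly; Domain=other.example.com"):
        print(f"{header!r:70} set by app.example.com -> "
              f"{reach(header, 'app.example.com', hosts)}")
```

Two things worth taking from this before copying the workaround. First, in an RFC 6265 browser ".example.com" and "example.com" are the same cookie; the leading dot only mattered to RFC 2109-era implementations, which is why PHP documentation and the linked StackOverflow answer still recommend it. Second, an empty domain is the tightest scope (host-only), and widening it to the parent domain sends the session cookie to every sibling subdomain and lets any sibling host set a cookie for the app (session fixation), so widen it only when the application really has to span subdomains.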
3 participants