A user.logout doesn't work anymore with the CSRF token changes in issue 144538

Created on 18 July 2024, about 2 months ago
Updated 25 July 2024, about 1 month ago

Problem/Motivation

The changes made in issue https://www.drupal.org/project/drupal/issues/144538 (🐛 User logout is vulnerable to CSRF, Fixed) do not work quite correctly.
When creating a logout link, the token parameter is always outdated. Even if it is changed from the default using $this->csrfToken->get('user/logout'), in $this->csrfToken->validate($request->query->get('token', ''), $path) we always get false because $seed = $this->sessionMetadata->getCsrfTokenSeed() constantly returns different values for every request, and at the time of checking, the token from the link is already out of date. We always get a confirmation form to log out.

Steps to reproduce

Use the debugger to check the $seed values in CsrfAccessCheck->access (line 65) and CsrfTokenGenerator->validate (line 85) on multiple page reloads. For example, click the logout button on the main page.

πŸ› Bug report
Status

Active

Version

11.0 🔥

Component
User module →

Last updated 1 day ago

Created by

🇺🇦Ukraine pifagor 🇺🇦 Rivne

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.


Comments & Activities

  • Issue created by @pifagor
  • 🇺🇸United States cilefen

    I don't understand whether this bug report is about Drupal Core unaltered or with custom code. If there is custom code, could you please share bug reproduction code?

    Have you called \Drupal\Core\Routing\UrlGeneratorInterface::generateFromRoute with user.logout to generate the link?

  • 🇺🇦Ukraine pifagor 🇺🇦 Rivne

    The custom code is just preparing the link for logout.
    "Have you have called \Drupal\Core\Routing\UrlGeneratorInterface::generateFromRoute with user.logout" - yes, but as I wrote before, the token is regenerated constantly, and despite using generateFromRoute, it is constantly out of date in csrfToken->validate.

  • 🇺🇸United States cilefen

    I am moving this to the development branch in case there is a merge request.

    Can you author a failing test for this?

  • 🇬🇧United Kingdom catch

    @pifagor in what kind of context is the link being rendered? This sounds like a render caching issue.

    CSRF tokens are rendered via a placeholder/lazy builder (see the following from RouteProcessorCsrf):

        $placeholder_render_array = [
          '#lazy_builder' => ['route_processor_csrf:renderPlaceholderCsrfToken', [$path]],
        ];

    However, if the placeholder rendering itself gets cached somehow, or is used in a different context like e-mail, then you end up with invalid CSRF links.
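
    To make the two failure modes discussed in this thread concrete, here is an added Python model (not Drupal's code) of how CsrfTokenGenerator derives a token from the per-session seed and why validate() fails both when the seed is regenerated between requests (the report above) and when a link rendered for one session is cached and served to another (catch's point). The HMAC construction, the SITE_SECRET constant and the dict standing in for SessionMetadata are assumptions that approximate core's Crypt::hmacBase64() over seed, private key and hash salt.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for the site's private key + hash salt (assumption).
SITE_SECRET = b"constructed-private-key-and-hash-salt"


def hmac_base64(data: str, key: bytes) -> str:
    """Like Crypt::hmacBase64(): URL-safe base64 of HMAC-SHA256, no padding."""
    digest = hmac.new(key, data.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class CsrfTokenGenerator:
    """Simplified model of core's get()/validate(); `session` plays SessionMetadata."""

    def __init__(self, session: dict) -> None:
        self.session = session

    def get(self, value: str = "") -> str:
        # Seed is created once per session and stored there; token = HMAC(value, seed + secret).
        seed = self.session.setdefault("csrf_token_seed", secrets.token_hex(32))
        return hmac_base64(value, seed.encode() + SITE_SECRET)

    def validate(self, token: str, value: str = "") -> bool:
        # Constant-time comparison, as PHP's hash_equals() does.
        return hmac.compare_digest(token, self.get(value))


def persistent_seed_case() -> bool:
    """Link built and validated against the same stored seed: validate() is True."""
    gen = CsrfTokenGenerator({})
    token = gen.get("user/logout")  # the ?token= value in the logout link
    return gen.validate(token, "user/logout")


def regenerated_seed_case() -> bool:
    """Seed replaced between requests (the symptom reported above): validate() is False."""
    session = {}
    gen = CsrfTokenGenerator(session)
    token = gen.get("user/logout")
    session["csrf_token_seed"] = secrets.token_hex(32)  # seed lost/regenerated before the check
    return gen.validate(token, "user/logout")


def cached_link_case() -> bool:
    """Link rendered once, cached, then served to another session (catch's point): False."""
    cached_token = CsrfTokenGenerator({}).get("user/logout")
    return CsrfTokenGenerator({}).validate(cached_token, "user/logout")
```

    In the real stack the seed only stays stable if the session is actually persisted between the request that rendered the link and the one that validates it, which is the first thing to confirm with the debugger steps above.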
