
Perhaps I am doing this wrong for php-fpm PHP 8. It seems to work otherwise on my local test server.

Server is running Apache 2.4 and php-fpm v8.1.15.

I have tried changing around the following bootstrap settings:

// Session hardening in the bootstrap. All of these must run before session_start();
// once the session cookie has been sent they no longer affect it.
// $secureCookie is defined earlier in the bootstrap (not shown here).
ini_set('session.use_only_cookies', '1'); // Never accept a session ID from the URL, on any PHP version
ini_set('session.auto_start', '1');       // NOTE: session.auto_start is PHP_INI_PERDIR, so ini_set() cannot change it at runtime; it has to be set in php.ini, a .user.ini or the php-fpm pool config
ini_set('session.use_trans_sid', '0');    // No session ID rewriting into links and forms
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_httponly', 'true');
ini_set('session.cookie_secure', $secureCookie);
ini_set('session.cookie_domain', $_SERVER['SERVER_NAME']); // Must match the host the browser actually uses, or the cookie is never sent back; with Apache's UseCanonicalName Off, SERVER_NAME is derived from the client's Host header
ini_set('url_rewriter.tags', '');         // Nothing left for the URL rewriter to touch

On each Save or Refresh in PHP 8 I get the following:

var_dump($csrfToken); csrfToken : string(40) "be0749f416c90c5d779d55891703026dabeb7b89"

var_dump($currentToken); currentToken : string(40) "2cb299479ac8b1905a35cb72f4cf809408235243"

var_dump($_SESSION); Session : array(4) { ["lang"]=> string(2) "en" ["SESSION_TIMESTAMP"]=> int(1676371294) ["CURRENT_USER"]=> int(1) ["phpmyfaq_csrf_token"]=> string(40) "2cb299479ac8b1905a35cb72f4cf809408235243" }

This is how I am trying to work with the tokens:

if ($user->perm->hasPermission($user->getUserId(), 'editconfig')) {

    // actions defined by url: config_action=
    $userAction = Filter::filterInput(INPUT_GET, 'config_action', FILTER_UNSAFE_RAW, 'listConfig');
    // token sent back in the POST body, and the token stored for this session
    $csrfToken = Filter::filterInput(INPUT_POST, 'csrf', FILTER_UNSAFE_RAW);
    $currentToken = $user->getCsrfTokenFromSession();

    // Temporary debug output, remove once the mismatch is understood
    echo 'csrfToken : ';
    var_dump($csrfToken);
    echo '<br />';
    echo 'currentToken : ';
    var_dump($currentToken);
    echo '<br />';
    echo 'Session : ';
    var_dump($_SESSION);

    // Save the configuration.
    // Intended check, currently disabled: comparing the current token with the
    // posted csrf token fails on every Save or Refresh, and the config editor only
    // works once the token comparison is removed from the condition below.
    //if ('saveConfig' === $userAction && $currentToken === $csrfToken) {
    if ('saveConfig' === $userAction) {
        $checks = [
            'filter' => FILTER_UNSAFE_RAW,
            'flags' => FILTER_REQUIRE_ARRAY,
        ];
        $editData = Filter::filterInputArray(INPUT_POST, ['edit' => $checks]);
        $userAction = 'listConfig';
        $oldConfigValues = $faqConfig->config;

        // Set the new values
        $forbiddenValues = ['{', '}', '$'];
        $newConfigValues = [];
        $escapeValues = [
            'main.contactInformations',
            'main.customPdfHeader',
            'main.customPdfFooter',
            'main.titleFAQ',
            'main.metaKeywords'
        ];

        // Special checks
        if (isset($editData['edit']['main.enableMarkdownEditor'])) {
            $editData['edit']['main.enableWysiwygEditor'] = false; // Disable WYSIWG editor if Markdown is enabled
        }

        foreach ($editData['edit'] as $key => $value) {
            // Remove forbidden characters
            $newConfigValues[$key] = str_replace($forbiddenValues, '', $value);
            // Escape some values ($escapeValues is a plain list of keys, so test
            // membership with in_array(); isset($escapeValues[$key]) is never true)
            if (in_array($key, $escapeValues, true)) {
                $newConfigValues[$key] = Strings::htmlspecialchars($newConfigValues[$key], ENT_QUOTES);
            }
            $keyArray = array_values(explode('.', $key));
            $newConfigClass = array_shift($keyArray);
        }

        foreach ($oldConfigValues as $key => $value) {
            $keyArray = array_values(explode('.', $key));
            $oldConfigClass = array_shift($keyArray);
            if (isset($newConfigValues[$key])) {
                continue;
            } else {
                if ($oldConfigClass === $newConfigClass && $oldConfigValues[$key] === 'true') {
                    $newConfigValues[$key] = 'false';
                } else {
                    $newConfigValues[$key] = $oldConfigValues[$key];
                }
            }
        }

        if (!is_null($editData)) {
            $faqConfig->update($newConfigValues);
        }

        $faqConfig->getAll();
    }
    ?>
    <form id="config_list" name="config_list" method="post" action="?action=config&amp;config_action=saveConfig">
    <input type="hidden" name="csrf" value="<?= $currentToken ?>">

    <div
      class="d-flex justify-content-between flex-wrap flex-md-nowrap align-items-center pt-3 pb-2 mb-3 border-bottom">
      <h1 class="h2">
        <i aria-hidden="true" class="fa fa-wrench"></i>
          <?= $PMF_LANG['ad_config_edit'] ?>
      </h1>
      <div class="btn-toolbar mb-2 mb-md-0">
        <div class="btn-group mr-2">
          <button class="btn btn-sm btn-warning" type="reset">
              <?= $PMF_LANG['ad_config_reset'] ?>
          </button>
          <button class="btn btn-sm btn-success" type="submit">
              <?= $PMF_LANG['ad_config_save'] ?>
          </button>
        </div>
      </div>
    </div>

    <div class="row">
      <div class="col-lg-12">

        <ul class="nav nav-tabs" role="tablist">
          <li role="presentation" class="nav-item">
            <a href="#main" aria-controls="main" role="tab" data-toggle="tab" class="nav-link active">
              <i aria-hidden="true" class="fa fa-home"></i>
                <?= $PMF_LANG['mainControlCenter'] ?>
            </a>
          </li>
          <li role="presentation" class="nav-item">
            <a href="#records" aria-controls="records" role="tab" data-toggle="tab" class="nav-link">
              <i aria-hidden="true" class="fa fa-th-list"></i>
                <?= $PMF_LANG['recordsControlCenter'] ?>
            </a>
          </li>
          <li role="presentation" class="nav-item">
            <a href="#search" aria-controls="search" role="tab" data-toggle="tab" class="nav-link">
              <i aria-hidden="true" class="fa fa-search"></i>
                <?= $PMF_LANG['searchControlCenter'] ?>
            </a>
          </li>
          <li role="presentation" class="nav-item">
            <a href="#security" aria-controls="security" role="tab" data-toggle="tab" class="nav-link">
              <i aria-hidden="true" class="fa fa-warning"></i>
                <?= $PMF_LANG['securityControlCenter'] ?>
            </a>
          </li>
          <li role="presentation" class="nav-item">
            <a href="#spam" aria-controls="spam" role="tab" data-toggle="tab" class="nav-link">
              <i aria-hidden="true" class="fa fa-thumbs-down"></i>
                <?= $PMF_LANG['spamControlCenter'] ?>
            </a>
          </li>
          <li role="presentation" class="nav-item">
            <a href="#seo" aria-controls="seo" role="tab" data-toggle="tab" class="nav-link">
              <i aria-hidden="true" class="fa fa-search"></i>
                <?= $PMF_LANG['seoCenter'] ?>
            </a>
          </li>
          <li role="presentation" class="nav-item">
            <a href="#social" aria-controls="social" role="tab" data-toggle="tab" class="nav-link">
              <i aria-hidden="true" class="fa fa-retweet"></i>
                <?= $PMF_LANG['socialNetworksControlCenter'] ?>
            </a>
          </li>
          <li role="presentation" class="nav-item">
            <a href="#mail" aria-controls="mail" role="tab" data-toggle="tab" class="nav-link">
              <i aria-hidden="true" class="fa fa-inbox"></i>
                <?= $PMF_LANG['mailControlCenter'] ?>
            </a>
          </li>
          <li role="presentation" class="nav-item">
            <a href="#ldap" aria-controls="ldap" role="tab" data-toggle="tab" class="nav-link">
              <i aria-hidden="true" class="fa fa-sitemap"></i>
                <?= 'LDAP' ?>
            </a>
          </li>
          <li role="presentation" class="nav-item">
            <a href="#api" aria-controls="api" role="tab" data-toggle="tab" class="nav-link">
              <i aria-hidden="true" class="fa fa-gears"></i>
                <?= 'API' ?>
            </a>
          </li>
        </ul>

        <div class="tab-content p-2 pt-4 pmf-configuration-panel">
          <div role="tabpanel" class="tab-pane fade show active" id="main"></div>
          <div role="tabpanel" class="tab-pane fade" id="records"></div>
          <div role="tabpanel" class="tab-pane fade" id="search"></div>
          <div role="tabpanel" class="tab-pane fade" id="security"></div>
          <div role="tabpanel" class="tab-pane fade" id="spam"></div>
          <div role="tabpanel" class="tab-pane fade" id="seo"></div>
          <div role="tabpanel" class="tab-pane fade" id="social"></div>
          <div role="tabpanel" class="tab-pane fade" id="mail"></div>
          <div role="tabpanel" class="tab-pane fade" id="ldap"></div>
          <div role="tabpanel" class="tab-pane fade" id="api"></div>
        </div>
      </div>
    </div>

  </form>

  <script src="assets/js/configuration.js"></script>
    <?php
} else {
    echo $PMF_LANG['err_NotAuth'];
}

I switched back and forth between PHP versions from 7 to 8 to 8.1.15

This works locally on my test server, but when I upload it to a remote production server, every refresh seems to affect my token comparison.

I made sure the session cookie domain was setup right.

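The flow the question depends on is: a token is created once per session, written into the form's hidden `csrf` field, sent back in the POST, and compared with whatever is in the session at that moment. The dump in the question shows the third step failing: the POSTed token is not the one the session holds any more. As an added example that is not part of the question and not phpMyFAQ's own code, here is that flow in plain PHP 8, with the comparison done the way it should be (constant-time, rejecting missing or non-string input) and a simulation of the failure mode in which the stored token is replaced between rendering and submitting. The session is a constructed array so the script runs from the CLI; the key name `csrf_token` and the helper names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ's own code: a session-backed CSRF token with the
// lifecycle the check in the question relies on, plus a simulation of the failure
// mode where the session token changes between rendering the form and handling
// the POST. The "session" is a plain array (constructed here) so the script runs
// from the CLI without session_start() or a cookie; the key name is an assumption.
const CSRF_SESSION_KEY = 'csrf_token';

// Return the token stored in the session, creating it only when none exists yet.
// Creating a new token on every call is exactly what breaks the comparison below.
function csrfTokenFromSession(array &$session): string
{
    if (!is_string($session[CSRF_SESSION_KEY] ?? null)) {
        // 20 random bytes -> 40 hex characters, the same length as the tokens in the question
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(20));
    }
    return $session[CSRF_SESSION_KEY];
}

// Hidden field for the form; the token is hex, but escape anyway so the helper is safe for any value.
function csrfHiddenField(string $token): string
{
    return '<input type="hidden" name="csrf" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Validate the POSTed token: a missing or non-string value never matches, and the
// comparison is constant-time so the token cannot be recovered byte by byte.
function csrfTokenIsValid(array $session, mixed $posted): bool
{
    $known = $session[CSRF_SESSION_KEY] ?? null;
    if (!is_string($known) || !is_string($posted)) {
        return false;
    }
    return hash_equals($known, $posted);
}

// 1. Stable token: rendered on the GET, sent back on the POST, same session on both requests.
$session  = ['lang' => 'en', 'CURRENT_USER' => 1];   // constructed, mirrors the dump in the question
$rendered = csrfTokenFromSession($session);
echo csrfHiddenField($rendered), "\n";
echo 'stable token: ', csrfTokenIsValid($session, $rendered) ? 'accepted' : 'rejected', "\n";

// 2. Regenerated token: the stored token is replaced before the POST arrives
//    (a per-request regeneration, or a brand-new session because the cookie did not come back).
$session2  = ['lang' => 'en', 'CURRENT_USER' => 1];
$rendered2 = csrfTokenFromSession($session2);
unset($session2[CSRF_SESSION_KEY]);
$current2  = csrfTokenFromSession($session2);        // freshly created while handling the POST
echo 'regenerated token: ', csrfTokenIsValid($session2, $rendered2) ? 'accepted' : 'rejected',
     ' (form has ', substr($rendered2, 0, 8), '..., session has ', substr($current2, 0, 8), "...)\n";

// 3. Forged or malformed requests: no token, wrong token, or a non-string value.
echo 'missing token: ', csrfTokenIsValid($session, null) ? 'accepted' : 'rejected', "\n";
echo 'wrong token: ', csrfTokenIsValid($session, str_repeat('a', 40)) ? 'accepted' : 'rejected', "\n";
echo 'array token: ', csrfTokenIsValid($session, ['x']) ? 'accepted' : 'rejected', "\n";
```

Run it with `php csrf_example.php`. Scenario 1 is the intended behaviour; scenario 2 reproduces the shape of the dump in the question, a form token that no longer equals the session token, which is the symptom both of a token that is regenerated on every request and of a session that is not being resumed between the GET and the POST (for instance when the cookie domain does not match the host the browser used). Once the token is stable, the check belongs back in the `saveConfig` condition, written with `hash_equals()` rather than `===`.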