Invalid CSRF Token on 3.0.1
-
Am running CF 3.0.1 on an http site and https (the latter with a CF certificate). DNSSEC is active.
Both sites run fine, but I cannot change any setting on the 3.0.1 CF plug, and get the red crawl bar that says “CSRF Token is invalid”. I’ve re-logged in multiple times, with my authorized email and Global API key (not the CA key).
Could this be a cache issue? Maybe because 2-factor is on?
-
Hi,
We use wp_create_nonce() to generate our CSRF token. If you refresh the page (you shouldn’t need to relogin) does it fix the error?
It might be a caching issue but I don’t see how 2FA would affect this.
Thanks,
John
-
Refreshing does not fix the error. Cleared all browser caches, purged all site caches manually at the CF site, logged out of CF site, no change.
Doesn’t matter what setting I try to change — I get the CSRF Token not valid message. PHP is 5.3 (5.3.10-1ubuntu3.24), could that be the problem? I can try it on a site with PHP 7.
I don’t think the PHP version should matter here. Are there any errors in the error log? It’s possible the WP Nonce is failing to generate for some reason.
I found one set of PHP errors in the log from a couple hours ago. Maybe it will help. It appears that the auth email addy is not arriving:
2016/09/16 16:02:11 [error] 14370#14370: *58 FastCGI sent in stderr: “PHP message: [CloudFlare] ERROR: [CLIENT API] Array
(
[type] => request
[method] => GET
[path] => zones/
[headers] => Array
(
[X-Auth-Key] =>
[X-Auth-Email] =>
[Content-Type] => application/json
)
[params] => Array
(
)
[body] => Array
(
[cfCSRFToken] =>
)
)
PHP message: [CloudFlare] ERROR: [CLIENT API] Array
(
[type] => response
[reason] => Forbidden
[code] => 403
[body] => Missing X-Auth-Email header
[stacktrace] => #0 /srv/www/65chero/public_html/wp-content/plugins/cloudflare/vendor/guzzle/guzzle/src/Guzzle/Http/Message/Request.php(145): Guzzle\Http\Exception\BadResponseException::factory(Object(Guzzle\Http\Message\Request), Object(Guzzle\Http\Message\Response))
#1 [internal function]: Guzzle\Http\Message\Request::onRequestError(Object(Guzzle\Common\Event), 'request.error', Object(Symfony\Component\EventDispatcher\EventDispatcher))
#2 /srv/www/65chero/public_html/wp-content/plugins/cloudflare/vendor/symfony/event-dispatcher/EventDispatcher.php(184): call_user_func(Array, Object(Guzzle\Common\Event), 'request.error', Object(Symfony\Component\EventDispatcher\EventDispatcher))
#3 /srv/www/65chero/public_html/wp-content/plugins/cloudflare/vendor/symfony/event-dispatcher/EventDispatcher.php(46): Symfony\Component\EventDispatcher\EventDispatc...
PHP message: [CloudFlare] ERROR: Missing X-Auth-Email header
PHP message: PHP Warning: Invalid argument supplied for foreach() in /srv/www/65chero/public_html/wp-content/plugins/cloudflare/src/WordPress/WordPressAPI.php on line 138" while reading response header from upstream, client: 108.162.219.248, server: https://www.65chero.com, request: "POST /wp-admin/admin-ajax.php?action=cloudflare_proxy HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "65chero.com", referrer: "https://65chero.com/wp-admin/options-general.php?page=cloudflare"
Maybe that will help you. I have a few dev plugs; if I knew what I was looking for perhaps I could find the trouble.
Let’s make sure your csrfToken is being set correctly first.
Can you load the plugin settings page, open up development tools and type:
cfCSRFToken
It should return something like ‘”af759f760f”‘
This value comes from here. If that works, can you keep the browser dev tools open, toggle a setting and confirm you see
cfCSRFToken
in the request body?
-
Hoping I’ve done this correctly. In the console I wrote a bit of php
<?php
var_dump($cfCSRFToken);
?>
Out of this I get nothing but NULL. Which actually makes some sense from the log above this. Any ideas? Or did I just prove that my php is about as good as my skills at brain surgery? I’m self-taught…
Oh sorry, I should have been more clear. Right now I want to check the javascript variable
cfCSRFToken
is being set correctly.
In Firefox after you’ve navigated to the plugin page:
1. Click “Tools” > “Web Developer” > “Web Console” from the file menu
2. In the Web Console type “cfCSRFToken” and see if it outputs something similar to what I referenced above.
In Chrome after you’ve navigated to the plugin page:
1. Click “View” > “Developer” > “Developer Tools” > “Console” tab
2. Type “cfCSRFToken” and see if it outputs something similar to what I referenced above.
Thanks,
John
-
Thanks for clarification.
Yup, I get “f33289b5e2”. So the token is there.
Dunno if it helps, but here’s the output just prior.
action @ 21:11:52.405 PLUGIN_SETTINGS_FETCH_SUCCESS
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “id” values. Using the earlier value. 921d66affa2478612f14bf7ee2c30322 c46cd410c7887ca0315ae6b36e02384a
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “type” values. Using the earlier value. A MX
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “content” values. Using the earlier value. 108.174.63.162 mx.hover.com.cust.hostedemail.com
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “proxiable” values. Using the earlier value. true false
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “proxied” values. Using the earlier value. true false
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “modified_on” values. Using the earlier value. 2016-04-13T15:16:52.403860Z 2016-04-13T15:16:52.438206Z
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “created_on” values. Using the earlier value. 2016-04-13T15:16:52.403860Z 2016-04-13T15:16:52.438206Z
compiled.js:64362 action @ 21:11:52.597 DNS_RECORD_FETCH_LIST_SUCCESS
compiled.js:36236 Only a single Gateway can be rendered at a time into a GatewayDest.You rendered multiple into “modal”
compiled.js:64362 action @ 21:11:52.623 ZONE_FETCH_SETTINGS_SUCCESS
compiled.js:64362 action @ 21:11:52.676 ZONES_RAILGUNS_FETCH_ALL_SUCCESS
compiled.js:64362 action @ 21:11:53.513 ZONE_FETCH_ANALYTICS_SUCCESS
cfCSRFToken
“f33289b5e2”
- This reply was modified 8 years, 2 months ago by Steve Cunningham. Reason: added console output
-
Okay, that’s good news. In the browser console there is a “Network” tab which will show all the AJAX requests. If you toggle a setting do you see the cfCSRFToken being passed in the request body for that request?
Thanks,
John
-
Sorry for the break… life is still in session.
Think I found something. When I click a button there’s a single ajax request, status 200, type xhr. When I expose the request I see this:
{
  "result": null,
  "success": false,
  "errors": [
    {"code": "", "message": "CSRF Token not valid."}
  ],
  "messages": []
}
So the token is getting lost or munged somewhere in there…
-
Hey,
I need to see the request:
In “Request Payload” you should check to see if one of the variables being set is cfCSRFToken.
Thanks,
John
- This reply was modified 8 years, 2 months ago by jwineman.
-
Yes it is:
Request URL:https://65chero.com/wp-admin/admin-ajax.php?action=cloudflare_proxy
Request Method:PATCH
Status Code:200
Remote Address:104.27.130.226:443
Response Headers
access-control-allow-credentials:true
access-control-allow-origin:https://65chero.com
cache-control:no-cache, must-revalidate, max-age=0
cf-ray:2e485745afa94722-EWR
content-encoding:gzip
content-type:application/json
date:Sun, 18 Sep 2016 22:47:39 GMT
expires:Wed, 11 Jan 1984 05:00:00 GMT
server:cloudflare-nginx
status:200
x-content-type-options:nosniff
x-frame-options:SAMEORIGIN
x-powered-by:PHP/5.3.10-1ubuntu3.24
x-robots-tag:noindex
Request Headers
:authority:65chero.com
:method:PATCH
:path:/wp-admin/admin-ajax.php?action=cloudflare_proxy
:scheme:https
accept:*/*
accept-encoding:gzip, deflate, sdch, br
accept-language:en-US,en;q=0.8
content-length:161
content-type:application/json
cookie:wordpress_310142781ea73d9d3e9aa09f8a7b34a4=synthman%7C1475119997%7CzFgZ5I8lpfKJPitpgQPJAX0BLSNniU539HHQ6Alh7jE%7Cd3f727dc2c72eb6eb645ae3d69af4d85a4831bf25921d782956c2e5426b015a1; wordpress_sec_655473845d827a39cf0bb85b02dc7121=synthman%7C1475261097%7CI37vuCZlRJOI4b32dBrjXsNQ3ROzR1oPjFraw9CKYX8%7Ce4f076c4b346837ae26157deaab9f033ced2556f0b6eea9af3adca12a80d2c98; wordpress_logged_in_310142781ea73d9d3e9aa09f8a7b34a4=synthman%7C1475119997%7CzFgZ5I8lpfKJPitpgQPJAX0BLSNniU539HHQ6Alh7jE%7Cea181a5e568b6109907bd01bd6c74442e7f7aad0de35a38eb922680b465bda27; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_655473845d827a39cf0bb85b02dc7121=synthman%7C1475261097%7CI37vuCZlRJOI4b32dBrjXsNQ3ROzR1oPjFraw9CKYX8%7C069a24bbc7405e68b08b994010c313109f5979370997dfafd706a56a6bca39f5; __cfduid=d4f8825d883e53e78f2cb9e90de7d2fc81474051498; wp-settings-3=editor%3Dtinymce%26mfold%3Do; wp-settings-time-3=1474064463
dnt:1
origin:https://65chero.com
referer:https://65chero.com/wp-admin/options-general.php?page=cloudflare
user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.113 Safari/537.36
Query String Parameters
action:cloudflare_proxy
Request Payload
{
  "value": "on",
  "cfCSRFToken": "8c4dbd1c4a",
  "proxyURL": "https://partners.cloudflare/plugins/plugin/55a08c63de1e6bec63fe9193197aab61/settings/plugin_specific_cache"
}
- This reply was modified 8 years, 2 months ago by Steve Cunningham. Reason: add text for response
-
Is there anything else I can examine to help you understand what’s going wrong here? (yes, I understand you’re kinda busy now).
The request payload, as source:
{“value”:”on”,”cfCSRFToken”:”8c4dbd1c4a”,”proxyURL”:”https://partners.cloudflare/plugins/plugin/55a08c63de1e6bec63fe9193197aab61/settings/plugin_specific_cache”}
Response Headers
access-control-allow-credentials:true
access-control-allow-origin:https://65chero.com
cache-control:no-cache, must-revalidate, max-age=0
cf-ray:2e489fbabc514722-EWR
content-encoding:gzip
content-type:application/json
date:Sun, 18 Sep 2016 23:37:08 GMT
expires:Wed, 11 Jan 1984 05:00:00 GMT
server:cloudflare-nginx
status:200
x-content-type-options:nosniff
x-frame-options:SAMEORIGIN
x-powered-by:PHP/5.3.10-1ubuntu3.24
x-robots-tag:noindex
Request Headers
:authority:65chero.com
:method:PATCH
:path:/wp-admin/admin-ajax.php?action=cloudflare_proxy
:scheme:https
accept:*/*
accept-encoding:gzip, deflate, sdch, br
accept-language:en-US,en;q=0.8
content-length:161
content-type:application/json
cookie:wordpress_310142781ea73d9d3e9aa09f8a7b34a4=synthman%7C1475119997%7CzFgZ5I8lpfKJPitpgQPJAX0BLSNniU539HHQ6Alh7jE%7Cd3f727dc2c72eb6eb645ae3d69af4d85a4831bf25921d782956c2e5426b015a1; wordpress_sec_655473845d827a39cf0bb85b02dc7121=synthman%7C1475261097%7CI37vuCZlRJOI4b32dBrjXsNQ3ROzR1oPjFraw9CKYX8%7Ce4f076c4b346837ae26157deaab9f033ced2556f0b6eea9af3adca12a80d2c98; wordpress_logged_in_310142781ea73d9d3e9aa09f8a7b34a4=synthman%7C1475119997%7CzFgZ5I8lpfKJPitpgQPJAX0BLSNniU539HHQ6Alh7jE%7Cea181a5e568b6109907bd01bd6c74442e7f7aad0de35a38eb922680b465bda27; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_655473845d827a39cf0bb85b02dc7121=synthman%7C1475261097%7CI37vuCZlRJOI4b32dBrjXsNQ3ROzR1oPjFraw9CKYX8%7C069a24bbc7405e68b08b994010c313109f5979370997dfafd706a56a6bca39f5; __cfduid=d4f8825d883e53e78f2cb9e90de7d2fc81474051498; wp-settings-3=editor%3Dtinymce%26mfold%3Do; wp-settings-time-3=1474064463
dnt:1
origin:https://65chero.com
referer:https://65chero.com/wp-admin/options-general.php?page=cloudflare
user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.113 Safari/537.36
Query String Parameters
action=cloudflare_proxy
-
Can you try adding:
$isCSRFTokenValid = false;
above line 57 on proxy.php so it looks like this:
//before
if ($request->getMethod() === 'GET') {
    $isCSRFTokenValid = true;
}
//after
$isCSRFTokenValid = false;
if ($request->getMethod() === 'GET') {
    $isCSRFTokenValid = true;
}
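A worked example added by the editor, not code from the Cloudflare plugin or from anyone in this thread. It models the server-side check the thread circles around: the token John describes is produced by wp_create_nonce() and must come back in the cfCSRFToken field of every non-GET admin-ajax request, and his proposed fix initialises $isCSRFTokenValid to false so that no code path can leave it unset. Because wp_create_nonce() and wp_verify_nonce() only exist inside WordPress, an HMAC token with a time tick (the construction WordPress nonces use) stands in for them; every function name, the secret, the user id, the timestamp and the sample requests are constructed for illustration.

```php
<?php
// Added example, not the Cloudflare plugin's own code. Models the CSRF check
// discussed in the thread with a WordPress-style tick-based HMAC token in
// place of wp_create_nonce()/wp_verify_nonce(). All names and sample values
// are constructed.

const NONCE_LIFETIME = 43200; // 12 hours, WordPress's default nonce life

// WordPress-style tick: the current and the previous tick both verify, so a
// token is accepted for somewhere between 12 and 24 hours after issue.
function nonce_tick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFETIME / 2));
}

// 10-hex-character token bound to a tick, an action name and the user id,
// the same shape as the "f33289b5e2" value seen in the console above.
function token_for_tick(string $secret, int $userId, string $action, int $tick): string
{
    return substr(hash_hmac('md5', $tick . '|' . $action . '|' . $userId, $secret), -12, 10);
}

function create_csrf_token(string $secret, int $userId, string $action, int $now): string
{
    return token_for_tick($secret, $userId, $action, nonce_tick($now));
}

function verify_csrf_token(string $token, string $secret, int $userId, string $action, int $now): bool
{
    if ($token === '') {
        return false; // an empty cfCSRFToken, as in the error log above, never verifies
    }
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        // constant-time comparison so the check leaks nothing about the token
        if (hash_equals(token_for_tick($secret, $userId, $action, $t), $token)) {
            return true;
        }
    }
    return false;
}

// Decision for one proxied request, in the shape John quotes from proxy.php:
// GET is exempt, every other method needs a valid token, and the flag starts
// out false (default deny) so an unexpected path cannot leave it undefined.
function is_request_authorized(array $request, string $secret, int $userId, int $now): bool
{
    $isCSRFTokenValid = false;
    if ($request['method'] === 'GET') {
        $isCSRFTokenValid = true;
    } elseif (isset($request['body']['cfCSRFToken']) && is_string($request['body']['cfCSRFToken'])) {
        $isCSRFTokenValid = verify_csrf_token(
            $request['body']['cfCSRFToken'], $secret, $userId, 'cloudflare_proxy', $now
        );
    }
    return $isCSRFTokenValid;
}

// --- constructed sample run ---
$secret = 'constructed-secret-not-a-real-salt';
$userId = 3;          // constructed logged-in user id
$now    = 1474240059; // constructed timestamp
$action = 'cloudflare_proxy';

$cases = [
    'PATCH, current token'     => ['method' => 'PATCH', 'body' => ['value' => 'on',
        'cfCSRFToken' => create_csrf_token($secret, $userId, $action, $now)]],
    'PATCH, token 1 tick old'  => ['method' => 'PATCH', 'body' => [
        'cfCSRFToken' => create_csrf_token($secret, $userId, $action, $now - NONCE_LIFETIME / 2)]],
    'PATCH, token 2 ticks old' => ['method' => 'PATCH', 'body' => [
        'cfCSRFToken' => create_csrf_token($secret, $userId, $action, $now - NONCE_LIFETIME)]],
    'PATCH, empty token'       => ['method' => 'PATCH', 'body' => ['cfCSRFToken' => '']],
    'PATCH, other user token'  => ['method' => 'PATCH', 'body' => [
        'cfCSRFToken' => create_csrf_token($secret, 99, $action, $now)]],
    'GET, no token'            => ['method' => 'GET',   'body' => []],
];

foreach ($cases as $label => $request) {
    printf("%-26s %s\n", $label, is_request_authorized($request, $secret, $userId, $now) ? 'allowed' : 'rejected');
}
```

The example needs PHP 7 (scalar type hints) and hash_equals() (PHP 5.6+), neither of which the 5.3 install in this thread has, which is one concrete reason the PHP version can matter for code like this. The design point is that the token is bound to the logged-in user, the action and a time window, so a forged cross-site request cannot carry a usable value, and that the check starts from "invalid" and only flips to "valid" on the GET exemption or a successful verification.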