Mac1 Posted August 29, 2020 (edited)

After updating the core to 4.5 my own custom app has problems. In the ACP, in my app's ACP modules, when I put some &request in the URL a CSRF error appears. For example:

admin/?app=something&module=main&controller=something - works fine
admin/?app=something&module=main&controller=something&request=1 - CSRF error appears

It happens only in my own app, which I'm now creating, and only after updating IPS to 4.5. Before the IPS update it was working like a charm.

I have tried:
- Rebuilding the app
- Clearing the cache
- Creating a new theme / using the default theme
- Restarting php/nginx
- Looking for errors in my app
- Updating IPS to 4.5.1 today; the problem still exists.

I have seen that in IPS 4.5 there is no &adsess in ACP URIs, but that's probably not the reason.

Edited August 29, 2020 by Mac1
Adriano Faria Posted August 29, 2020

You have to add this to your Admin CP controllers:

public static $csrfProtected = TRUE;

That's because they removed the session ID from ACP URLs.
Mac1 Posted August 29, 2020 (Author)

5 minutes ago, Adriano Faria said:
> You have to add this to your Admin CP controllers:
> public static $csrfProtected = TRUE;
> That's because they removed the session ID from ACP URLs.

Thank you very much!
Adriano Faria Posted August 29, 2020 (edited)

By the way, that's not all. You'll have to add the CSRF check to all your links for the same reason, otherwise anyone who knows the URLs of your ACP controllers will be able to "execute" them. So in your links and buttons, add:

\IPS\Http\Url::internal( "app... ...&do=something" )->csrf();

Then in something(), you start with:

\IPS\Session::i()->csrfCheck();

confirmedDelete() should be used when you delete something, together with data-confirm in links or 'data' => array( 'delete' => '' ) in buttons. Take a look at any official app's ACP controllers.

Edited August 29, 2020 by Adriano Faria
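The three pieces from the replies above (the $csrfProtected flag, ->csrf() on every state-changing link, and csrfCheck() at the top of the target method) put together in one ACP controller. This is an added example, not code from the thread or from Invision Community itself: the app name myapp, the controller name something, the permission key something_manage and the template name are assumed; the controller base class, execute()/manage() structure and the \IPS\Output, \IPS\Request and \IPS\Dispatcher calls follow the usual IPS 4 controller layout and are assumptions too, so check them against an official app's controller.

```php
<?php
namespace IPS\myapp\modules\admin\main;   // assumed app/module names

/* Standard IPS guard so the file cannot be requested directly */
if ( !defined( '\IPS\SUITE_UNIQUE_KEY' ) )
{
	header( ( isset( $_SERVER['SERVER_PROTOCOL'] ) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0' ) . ' 403 Forbidden' );
	exit;
}

class _something extends \IPS\Dispatcher\Controller
{
	/**
	 * Required since 4.5: the ACP dispatcher no longer carries the session ID in the URL,
	 * so it enforces token-based CSRF checks for controllers that opt in with this flag.
	 */
	public static $csrfProtected = TRUE;

	/**
	 * Restrict the whole controller to admins holding the (assumed) permission key.
	 */
	public function execute()
	{
		\IPS\Dispatcher::i()->checkAcpPermission( 'something_manage' );
		parent::execute();
	}

	/**
	 * Default action: build the links. Every link that changes state gets ->csrf(),
	 * which appends the session's CSRF token as a query parameter.
	 */
	protected function manage()
	{
		$base = "app=myapp&module=main&controller=something";

		// Read-only link: no token needed
		$listUrl = \IPS\Http\Url::internal( $base );

		// State-changing links: token appended, so a bare URL copied from elsewhere is rejected
		$runUrl    = \IPS\Http\Url::internal( $base . "&do=runTask&id=1" )->csrf();
		$deleteUrl = \IPS\Http\Url::internal( $base . "&do=delete&id=1" )->csrf();

		// Template name is assumed; it only needs to render the three URLs
		\IPS\Output::i()->output = \IPS\Theme::i()->getTemplate( 'main' )->something( $listUrl, $runUrl, $deleteUrl );
	}

	/**
	 * Action reached via $runUrl. The first statement verifies the token,
	 * so a request without a valid csrfKey never reaches the work below.
	 */
	protected function runTask()
	{
		\IPS\Session::i()->csrfCheck();

		$id = (int) \IPS\Request::i()->id;
		// ... perform the state change for $id here ...

		\IPS\Output::i()->redirect( \IPS\Http\Url::internal( "app=myapp&module=main&controller=something" ), 'saved' );
	}

	/**
	 * Delete action: token check first, then the standard confirmation dialog
	 * (the matching link carries data-confirm, as the reply above describes).
	 */
	protected function delete()
	{
		\IPS\Session::i()->csrfCheck();
		\IPS\Request::i()->confirmedDelete();

		$id = (int) \IPS\Request::i()->id;
		// ... delete the record for $id here ...

		\IPS\Output::i()->redirect( \IPS\Http\Url::internal( "app=myapp&module=main&controller=something" ), 'deleted' );
	}
}
```

The point of the split is that ->csrf() and csrfCheck() must come in pairs: a method that starts with csrfCheck() will reject every link that was not built with ->csrf(), and a link built with ->csrf() buys nothing if the target method never checks the token. Read-only actions like manage() need neither.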
Stuart Silvester Posted August 29, 2020

Have a read of this document; it covers the CSRF protection requirements.