CSRF Protection issue

[Joey_M]

I have uploaded the latest available themes I use, but it happens on the default skin too.

Quote

The CSRF protection key did not match. This may indicate a plugin or theme is out of date. Please contact technical support for more information.

 

[Daniel F]

Where / when do you see this? 

[Joey_M]

When I login using my phone - only then.

Edited February 11 by Joey_M

[Joey_M]

I need to speak with @Ehren.

It's caused by the mobile menu in-built in his IPS Focus themes. 🙂 

[Joey_M]

Honestly, I don't know what the heck is happening, but it is now doing it from the IPS menu. 🤷🏻‍♂️

-Edit-

Default seems okay.

@Ehren would you be able to check my site and the themes of yours I use? I get this CSTF Protection Error.

It only happens when I log in via the responsive mode.

It seems to always occur from the mobile menu, if you click login and do so - after you get the message.

It's weird, as it happens from the IPS menu and then doesn't.

Edited February 11 by Joey_M

[Marc Stridgen]

You may be better to report the issue via the support channels for that specific theme

[Joey_M]

Aye, I did Marc. 👍🏻

Only issue, it's not Ehren's theme at fault. It happens on his site, but also here. It's related to Android devices; I can replicate the issue here.

IPS Focus and on my own site.

Not just with one device, multiple. Yesterday, I asked some friends (at a live game) if they would sign in for me. Everyone who used an Android device got an error 'Something went wrong' which I think had they had my permission would show the same error as me. Nobody with an iPhone had the message at all.

I have a screen recording, I'll grab two more showing it happens here too. (though I don't want to publicly share the video, so if I could have an email or I am allowed to drop a PM or another means of restricting content to a team member only that would be appreciated).

After the issue I had today, I switched to the freshly installed default theme and it happens with that. Which is what prompted me to try here also.

[Jim M]

Is an unmodified theme still acting fine? I would suggest setting that as your default theme and disabling all third party applications/plugins then trying to reproduce this again. 

Also, what browser is being used here and Android version?

[Joey_M]

8 minutes ago, Jim M said:

Is an unmodified theme still acting fine? I would suggest setting that as your default theme and disabling all third party applications/plugins then trying to reproduce this again. 

No more, it seemed to be fine after I cleared my cache, but I noticed it happens still with an unmodified. default theme.

All my plugins and applications are disabled.

I've re-cleared my site and browser cache.

As I say, it happened to mutliple Android users yesterday.

I'm running Android 12 (SKQ1.211006.001)

But it happens on my old phones Android 8.1 and Android 10. My wife's device is Android 13, my sons is also. My two daughters have Android 12.

No idea what version of Android my friends tested yesterday but going off my family it seems to be Android related rather version based.

-Edit-

Facebook/Twitter/Google Connect aren't affected, just when using the sign in form.

 

Edited February 15 by Joey_M

[Jim M]

What browser is this in?

[Joey_M]

Chrome (V. 109.0.541414.118) is what my main device runs.

[Jim M]

5 minutes ago, Joey_M said:

Chrome (V. 109.0.541414.118) is what my main device runs.

If you upgrade to 110, do you still have the issue?

[Joey_M]

The update is available for me yet.

Edited February 15 by Joey_M

[Joey_M]

I think this might be useful for you guys; I uninstalled the patch which took me to 109.

I'm now on 103 without issue.

On here, my site and IPS Focus I have tested login in and out. No issues.

I'm tempting fate by updating the app back to 109.

109 is the issue.

First login its back. 😞

I tried installing 110 updates from a trust site, but my Chrome would just crash. 

[Nathan Explosion]

If you ever want to test later versions of Chrome safely, install Chrome Beta (which is the 'Next' version) and Chrome Dev (which is the next beta) from the Google Play store. 3 separate browsers, thrice the fun!

 

[Joey_M]

Thank you, Nathan.

The beta version of 111 runs fine (without the CSRF issue).

Edited February 15 by Joey_M

[Marc Stridgen]

10 hours ago, Nathan Explosion said:

If you ever want to test later versions of Chrome safely, install Chrome Beta (which is the 'Next' version) and Chrome Dev (which is the next beta) from the Google Play store. 3 separate browsers, thrice the fun!

 

One drives me insane enough 😄 

[Joey_M]

@Marc Stridgen @Jim M

I updated 110, the issue stopped but now its persisting again. I have disabled all the plugins, cleared the cache, uninstalled and reinstalled the app.

The CSRF error when signing in has started happening again.

Default theme and all, including the ones installed when recovering the site after I enabled all the plugins recently by mistake (which you guys fixed). There's something going on.

[Joey_M]

With a fresh install of 110, it does sign in okay but only for the first time.

Every repeated attempt after gets the CSRF error.

[Marc Stridgen]

If 111 is working, it seems it must be a bug with Chrome in some way. I cant replicate it unfortunately in order to suggest anything else

[Joey_M]

Yes, 111 works fine.

It's driving me crazy that it happens, it may be when an update is due to be released - as last time I wasn't that long after but it's one of those moody frustrating bug bears. 

[Joey_M]

Is IPS running any beta or higher version than what clients currently have access too?

The reason I ask is it happens on Ehren's site (IPS Focus) which I would assume is running v4.7.7. I tried several times to log in and out here, it doesn't happen.

Which leads me to think the issue could've been patched somehow.

[Marc Stridgen]

I dont understand what you mean there. We are 4.7.8 beta 1, but that doesnt necessarily mean that Ehrens is.

[Joey_M]

3 hours ago, Marc Stridgen said:

I dont understand what you mean there. We are 4.7.8 beta 1, but that doesnt necessarily mean that Ehrens is.

It doesn't happen here, not anymore.

I'm saying it seems to be fixed, as Ehren should be on the same version as me. It's the only IPS site I know which runs the same version as me that I have login for.

 

Edited February 27 by Joey_M

[Jim M]

Glad to hear it seems to be fixed.