spring security CSRF protection - spring

I read in spring documentation that logout need to be submitted using post method.Something like :
<c:url var="logoutUrl" value="/problemSolution/logout"/>
<form action="${logoutUrl}" id="logout" method="post">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
Logout
Why is it so ?

Because if it's a GET then someone else can log you out, which is annoying.
You go to compromised.com
They run a script that makes a GET request to yourbank.com/logout
You are logged out of yourbank.com

Related

Laravel page expired 419 only sometimes

I have a view in my Laravel application that has a form with the #csrf inside. The problem is that I faced the 419 Page expired exception only sometimes. When I refreshed the page, the login page appeared and after login, a few times the form submission was done successfully but again, 419 occurred.
I saw the other topics. All of them told that the solution is adding the #CSRF directive to the form.
But in my special case, the #CSRF exists.
Help me please.
Update
Here is a part of my source code. It's a simple html form with the #CSRF inside it.
<form method="POST" action="/settingUrl">
#csrf
<input type="text" name="myfield" />
<input type="submit" value="save" />
</form>

Laravel - 419 issues when Submit Form

I have problems when submitting a form in Laravel application. It reported 419 error.
My code:
<form action="login" method="POST">
<input id="csft_pass" type="hidden" name="_token" value="{{ csrf_token() }}">
.....
</form>
I tried fixing it:
<form action="login" method="POST">
#csrf
.....
</form>
But still, error 419
With the above code still running normally, suddenly there was an error today
I tried many ways like php artisan cache:clear but still not solve the issue.
My Laravel version: 5.8
UPDATE: I tried a lot of solutions on stackoverflow but still can't solve it. I think that because the application's session has something wrong
After form tag use csrf_field.
{{ csrf_field() }}
And if you are using ajax you may pass csrf token on meta tag like.
<meta name="csrf-token" content="{{ csrf_token() }}">
You can use the csrf_field helper to generate the token field:
<form method="POST" action="/login">
#csrf
...
</form>
OR
<input type="hidden" name="_token" value="{{ csrf_token() }}">
It doesn't work, then Refresh the browser cache and now it might work.
Why required: Refresh the browser cache
When we update our application, a browser may still use old files. If you don’t clear your cache, Old files can access problems when you apply.
For more details open link :- Error - 419 Sorry, your session has expired
With the above code still running normally, suddenly there was an error today
This makes me suspect the error occurs only when the form was opened for more than two hours (that's the default of lifetime in config/session.php) before submitting.
If that's the case, you could set a value of more than 120 minutes as lifetime or do something in frontend to keep the session alive, such as some custom JavaScript (for single forms) as described in the selected answer to this thread or Laravel Caffeine (for whole apps)
Replace these lines
<input type="hidden" name="_token" value="{{ csrf_token() }}">

GSA Cookie Auth - "Login form doesn't have both text and password inputs"

I can't seem to find out what's wrong with the login form I'm using to setup cookie authentication, the GSA throws me this error (serving log) after submitting my credentials in universal login form:
Got form; name=customlogin clientLogin; action=/content/marketing/en/login/j_security_check; type=hidden, name=resource; type=hidden, name=_charset_; type=hidden, name=j_username; type=hidden, name=j_password
Login form doesn't have both text and password inputs
Error in authentication module: Login form doesn't have both text and password inputs
Here is the form I'm using:
<form method="POST" action="/content/marketing/en/login/j_security_check" id="form_customlogin" name="customlogin clientLogin" enctype="multipart/form-data" onsubmit="return cq5forms_validate_customlogin();">
<input type="hidden" name="resource" value="/content/operations/apps/en.html" />
<input type="hidden" name="_charset_" value="UTF-8" />
<input id="username" type="hidden" name="j_username" value="anonymous-user" />
<input id="password" type="hidden" name="j_password" value="anon" />
<p>
Or go straight through as a
guest
(limited access)
</p>
</form>
Does anyone have knowledge on how a form has to be built in order for the GSA to use it? It'd be very welcome.
Thanks in advance!
EDIT: Apparently, inputfilds user/pw must have type username and password, they can't be hidden.
This was already a feature request.
The username field will have to be type="text", there is no type="username". Out of curiosity, why would you have them hidden?
Very often, when you have complicated login forms, your best bet is to create a separate login form just for the GSA that doesn't include any JavaScript or other wackiness.

spring error login page

I have an application error page which has a log form. I want user to login using this form but the system throw
"HTTP Status 405 - Request method 'POST' not supported"
I am able to login using my application login screen but when I try to login from the error page it not allow me, following is my form configuration:
login and erro page form
<form name='f' action="<c:url value='j_spring_security_check' />"
method='POST'>
<label>User Name</label><input type='text' name='j_username' value=''><br/>
<label>Password</label><input type='password' name='j_password' /><br/>
<button type="submit" style="margin-bottom:10px">Login</button><br/>
<button type="reset">Reset</button>
</form>
How should I define multiple forms in spring security??
Your url in the page is wrong, currently it maps to j_spring_security_check in the current directory, whereas j_spring_security_check is only available on the root of your application. So when you are chaning to your error page and try to login again the URL the POST request goes to will be something like /YourApp/error404/j_spring_secrity_check.
Change it to <c:url value="/j_spring_security_check"/> (notice the additional /). This will instruct the url tag to create a URL always pointing to the root of your application.

google checkout integration - codeigniter

I have site built in codeigniter framework.
I want to use google checkout.
I have used this code to transfer fund but I need something returned so that I can know that transfer is successful and then enter values to my database.
I am not sure how to do that.
Can anyone show me step by step how to do that?
My form :
<form action="https://sandbox.google.com/checkout/api/checkout/v2/checkoutForm/Merchant/xxxxxxx" id="BB_BuyButtonForm" method="post" name="BB_BuyButtonForm" target="_top">
<input name="item_name_1" type="hidden" value="Deposite"/>
<input name="item_description_1" type="hidden" value="Money Deposite"/>
<input name="item_quantity_1" type="hidden" value="1"/>
<input name="item_price_1" type="text" value="30.0"/>
<input name="item_currency_1" type="hidden" value="USD"/>
<input name="_charset_" type="hidden" value="utf-8"/><br />
<input alt="" src="https://sandbox.google.com/checkout/buttons/buy.gif?merchant_id=xxxxxxxx&w=117&h=48&style=white&variant=text&loc=en_US" type="image"/>
</form>
...but I need something returned so that I can know that transfer is successful and then enter values to my database...
The Google Checkout API calls that "Part 2" or "Process Checkout Orders".
Here's a tutorial using their Java lib. Note that it doesn't mean you "have" to use this (or any) specific lib, it just shows you the flow.
Other libs are here.

Resources