Description
"Invalid CSRF token" error during login on frontend.
Steps:
- Deploy eZ Commerce 2.5 or Ibexa Commerce 3.3 on platform.sh (set up with Varnish).
- Log in on the frontend; the type of user is not relevant. NOTE: the issue starts occurring after some time, e.g. ~2h (probably when the token expires).
Actual result: Login is not possible; an "Invalid CSRF token." error occurs. (Workaround: invalidate the cache tags, e.g. php bin/console fos:httpcache:invalidate:tag ez-all.)
Result of analysis by damian.zabawa@ibexa.co:
Probably caused by this piece of code: https://github.com/ezsystems/ezcommerce-shop/blob/master/src/Silversolutions/Bundle/EshopBundle/Resources/public/js/app.js#L421.
More details below, translated from Polish:
In the background a request is made to
2.5: /api/session/status/session
3.3: /api/session/status
and a newly generated session is returned but is not used in the "session".
In \Silversolutions\Bundle\EshopBundle\Controller\SessionController::getSessionDataAction, the $csrfTokenIntention is passed to getCsrfToken, but a token is expected there; maybe that's why it's not found and a new one is generated.
Issue Links
- discovered while testing: IBX-819 As an Administrator, I want to use short persistence cache tags to save memory usage (Closed)