cookie law consent CSRF error

bert limerkens asked on August 9, 2016 11:03

Hey guys,

I'm having trouble implementing the Cookie law consent web part. When I try to click on "allow cookies" in any browser but Chrome I get referred to a system error page. After looking in the event logs I found this error:

Message: CSRF attack detected.

Exception type: CMS.Protection.CsrfException
Stack Trace:
   at CMS.Protection.CsrfProtection.ValidateCsrfTokens(Byte[] cookieToken, Byte[] hiddenFieldToken)
   at CMS.Protection.CsrfProtection.OnPostMapRequestHandlerExecute(Object sender, EventArgs eventArgs)
   at CMS.Base.AbstractHandler.CallEventHandler[TArgs](EventHandler`1 h, TArgs e)
   at CMS.Base.AbstractHandler.Raise[TArgs](String partName, List`1 list, TArgs e, Boolean important)
   at CMS.Base.SimpleHandler`2.RaiseExecute(TArgs e)
   at CMS.Base.SimpleHandler`2.RaiseExecute(TArgs e)
   at CMS.Base.SimpleHandler`2.StartEvent(TArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

I did not change any settings of this web part. I checked the parent to see if ViewState was disabled, but it wasn't.

Does anyone have an idea on how to solve this problem?

Cheers

Correct Answer

Dennis Hulsmans answered on October 18, 2016 14:10

We reported this to support; they gave us some kind of workaround, but now it seems to be a bug!

Bug seems to be fixed in hotfix 44:

Security - Errors when using cookie consent web parts

If the system disabled cookies for a user via the 'Simple cookie law consent' or 'Cookie law consent' web part, an error (CSRF exception) occurred for each post request (button clicks, form submissions, etc.). The hotfix resolves the problem by changing the cookie level of the 'CMSCsrfCookie' cookie to 'System'.

9.0.44


Recent Answers


Chetan Sharma answered on August 9, 2016 11:28

Did you check the event logs? What is being logged there? That might give you the clue. What is the format of your URL causing this?


bert limerkens answered on August 9, 2016 11:44

Yes I did check the event logs. The log is what I posted in my question:

Message: CSRF attack detected.

Exception type: CMS.Protection.CsrfException
Stack Trace:
   at CMS.Protection.CsrfProtection.ValidateCsrfTokens(Byte[] cookieToken, Byte[] hiddenFieldToken)
   at CMS.Protection.CsrfProtection.OnPostMapRequestHandlerExecute(Object sender, EventArgs eventArgs)
   at CMS.Base.AbstractHandler.CallEventHandler[TArgs](EventHandler`1 h, TArgs e)
   at CMS.Base.AbstractHandler.Raise[TArgs](String partName, List`1 list, TArgs e, Boolean important)
   at CMS.Base.SimpleHandler`2.RaiseExecute(TArgs e)
   at CMS.Base.SimpleHandler`2.RaiseExecute(TArgs e)
   at CMS.Base.SimpleHandler`2.StartEvent(TArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


Chetan Sharma answered on August 9, 2016 13:14 (last edited on August 9, 2016 13:14)

Hi Bert, mind sharing the URL parameters? It seems like something is wrong with a value getting passed through one of the parameters. The documents below discuss various reasons for a CSRF attack error and possible solutions.

https://docs.kentico.com/pages/viewpage.action?pageId=1835415

Devnet Article on CSRF

Thanks, Chetan


Michal Samuhel answered on August 9, 2016 13:21

Hello Bert,

Can you check if a CMSCsrfCookie is created in all browsers? This protection is cookie based, to ensure that POST requests are coming from the same source that received the page. It is essential to permit at least essential cookies (this sounds like a bad pun...).

If I had to guess, either the cookie is not created at all because the cookie level is incorrectly stored, or there is some problem with creating the cookie value. If it were a global problem I would be tempted to advise setting a machine key and checking for web farms and offloading, but as you have said it happens outside of Chrome, it looks like only a cookie problem with browsers.


bert limerkens answered on August 9, 2016 16:30

Hello Michal, Chetan,

I have checked it in Firefox, and there the CMSCsrfCookie is not created. So it seems this is causing the error. Is there a reason why it does not create this cookie in the other browsers? Is it a wrong setting?

Chetan, what do you mean with URL parameters?


Michal Samuhel answered on August 10, 2016 16:48

Hi Bert,

This really seems to be a problem in the browser, but I can only guess why it is blocking cookie creation. The only thing that could block it from Kentico's side would be the CMSCookieLevel cookie, which on levels below 0 blocks other cookie creation.


Matthias Lichter answered on November 3, 2016 13:09

If you set the "Default user cookie level" to "No cookies" in the "Simple cookie law consent" web part, the CMSCookieLevel cookie is set to -100, preventing the CMSCsrfCookie from being set. Workaround: set the level to "Only essential cookies" and "Compare current cookie level to" to "All cookies".

If you have a login (admin or frontend) before cookie consent, this is no problem because the CSRF cookie is set on login.

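To make the failure mode discussed in this thread concrete, here is an added Python model (not Kentico's code) of a double-submit CSRF check sitting behind a cookie-consent gate: a cookie is written only if its own level does not exceed the visitor's consent level, so a "No cookies" level of -100 silently drops an Essential-level CMSCsrfCookie and every later POST fails token validation, while a System-level cookie (the hotfix) or an Essential consent level (the workaround) lets the same POST succeed. Only the -100 value comes from the thread; the other level numbers and the comparison rule are assumptions of this model.

```python
import hmac
import secrets

# Cookie levels used by this model. Only -100 ("No cookies", the CMSCookieLevel
# value named in the thread) comes from the page; the other numbers are assumed,
# ordered so that a cookie is written only if its level <= the consent level.
LEVEL_SYSTEM = -1000      # cookies the site cannot function without
LEVEL_NONE = -100         # visitor refused all cookies
LEVEL_ESSENTIAL = 0
LEVEL_ALL = 1000


class CsrfException(Exception):
    pass  # mirrors the "CSRF attack detected." error from the event log


class ConsentGate:
    """Browser cookie jar filtered by the visitor's consent level."""

    def __init__(self, user_level):
        self.user_level = user_level
        self.jar = {}

    def set_cookie(self, name, value, level):
        # Anything above the consent level is silently dropped; this is what
        # hides the CSRF cookie in the thread.
        if level <= self.user_level:
            self.jar[name] = value
            return True
        return False


def render_page(gate, csrf_cookie_level):
    """Double-submit token: the same random token goes into a cookie and a hidden field."""
    token = secrets.token_hex(16)
    gate.set_cookie("CMSCsrfCookie", token, csrf_cookie_level)
    return token  # value the page embeds in its hidden form field


def validate_post(gate, hidden_field_token):
    """The server-side check that raised in the thread's stack trace."""
    cookie_token = gate.jar.get("CMSCsrfCookie")
    if cookie_token is None or not hmac.compare_digest(cookie_token, hidden_field_token):
        raise CsrfException("CSRF attack detected.")
    return True


def post_succeeds(user_level, csrf_cookie_level):
    """Render a page under the given consent level, then submit its own form."""
    gate = ConsentGate(user_level)
    hidden = render_page(gate, csrf_cookie_level)
    try:
        return validate_post(gate, hidden)
    except CsrfException:
        return False
```

`post_succeeds(LEVEL_NONE, LEVEL_ESSENTIAL)` reproduces the bug, `post_succeeds(LEVEL_NONE, LEVEL_SYSTEM)` models hotfix 9.0.44, and `post_succeeds(LEVEL_ESSENTIAL, LEVEL_ESSENTIAL)` models Matthias's workaround.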
