dees91

Reputation: 1411

Symfony2: Invalid CSRF token during remember-me authentication

I have an application written in Symfony 2.8.11 and FosUserBundle 2.0.0-beta1. Users can connect to the site via VPN or basic auth. Mostly they use Internet Explorer 11 on Windows 7. Some of them are experiencing an Invalid CSRF token issue in random forms on the site. The problem is that users can't submit the form, even after refreshing the page a few times.

I suspect that the problem is caused by the continuous refreshing of the session; from the logs:

{
    "created":1483610056, 
    "lastUsed":1483610056
} ["csrf","session_times"] []

Further, I suspect that it is caused by authentication via the remember-me token (every problematic request was authenticated by that token):

[2017-01-05 10:54:16] security.DEBUG: Remember-me cookie detected. [] []
[2017-01-05 10:54:16] security.INFO: Remember-me cookie accepted. [] []
[2017-01-05 10:54:16] security.DEBUG: Populated the token storage with a remember-me token. [] []

My security config:

...
main:
    pattern: ^/
    form_login:
        provider: fos_userbundle
        csrf_token_generator: security.csrf.token_manager
        # if you are using Symfony < 2.8, use the following config instead:
        # csrf_provider: form.csrf_provider
    logout:       true
    anonymous:    true
    remember_me:
        name: "%session_cookie_remember_name%"
        domain: "%session_cookie_domain%"
        key:      "%secret%"
        lifetime: 604800
        path:     /
    switch_user: true
...

Is it possible that the session restarts every time the page is loaded and remember-me authenticates it? Is it a bug or correct behavior? How can I get rid of the invalid CSRF token issue?

Full logs from one page request when the issue occurred:

[2017-01-05 10:54:16] request.INFO: Matched route "fos_user_profile_show". 
{
    "route_parameters":{
    "_controller":"AppBundle\\Controller\\ProfileController::showAction",
    "lang":"pl",
    "_route":"fos_user_profile_show"
    },
    "request_uri":"..."
} []
[2017-01-05 10:54:16] security.DEBUG: Remember-me cookie detected. [] []
[2017-01-05 10:54:16] security.INFO: Remember-me cookie accepted. [] []
[2017-01-05 10:54:16] security.DEBUG: Populated the token storage with a remember-me token. [] []
[2017-01-05 10:54:16] app.DEBUG: 
{
    "USER":"www-data",
    "HOME":"\/var\/www",
    "HTTP_COOKIE":"safeId=51081905; nlPopup=shown; cookieInfo=1; __cfduid=d7b03b629331902c712642a374b52b3711476715148; auth=1a2dd1f7a8b16bf7d31988bf968748b5; VMREMEMBERME=QXBwQnVuZGxlXEVudGl0eVxVc2VyOmMydHNaWEF6TkRKQVluSmhibVJpY1M1d2JBPT06MTQ4NDA1MjAxNzoyODM1NWViMThkN2EwMDQ2MGUzNzVmNzg4ZGYwYWE2NzliNTcwOGJiY2E4ZDk0ZGE4YzJhZTFmZTRlMThlMjhh; VMSESSID=4oupq2fgt72vc8lnqff0g9op44",
    "HTTP_CONNECTION":"Keep-Alive",
    "HTTP_DNT":"1",
    "HTTP_HOST":"sub.domain.com",
    "HTTP_ACCEPT_ENCODING":"gzip, deflate",
    "HTTP_USER_AGENT":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko",
    "HTTP_ACCEPT_LANGUAGE":"pl-PL",
    "HTTP_ACCEPT":"text\/html, application\/xhtml+xml, *\/*",
    "SCRIPT_FILENAME":"\/data\/www\/project\/web\/app.php",
    "REDIRECT_STATUS":"200",
    "SERVER_NAME":"sub.domain.com",
    "SERVER_PORT":"80",
    "SERVER_ADDR":"x.x.x.x",
    "REMOTE_PORT":"x",
    "REMOTE_ADDR":"x.x.x.x",
    "SERVER_SOFTWARE":"nginx\/1.10.0",
    "GATEWAY_INTERFACE":"CGI\/1.1",
    "REQUEST_SCHEME":"http",
    "SERVER_PROTOCOL":"HTTP\/1.1",
    "DOCUMENT_ROOT":"\/data\/www\/project\/web",
    "DOCUMENT_URI":"\/app.php",
    "REQUEST_URI":"...",
    "SCRIPT_NAME":"\/app.php",
    "CONTENT_LENGTH":"",
    "CONTENT_TYPE":"",
    "REQUEST_METHOD":"GET",
    "QUERY_STRING":"...",
    "FCGI_ROLE":"RESPONDER",
    "PHP_SELF":"\/app.php",
    "REQUEST_TIME_FLOAT":1483610056.9177,
    "REQUEST_TIME":1483610056
} ["csrf","server"] []
[2017-01-05 10:54:16] app.DEBUG: 
{
    "safeId":"51081905",
    "nlPopup":"shown",
    "cookieInfo":"1",
    "__cfduid":"d7b03b629331902c712642a374b52b3711476715148",
    "auth":"1a2dd1f7a8b16bf7d31988bf968748b5",
    "VMREMEMBERME":"QXBwQnVuZGxlXEVudGl0eVxVc2VyOmMydHNaWEF6TkRKQVluSmhibVJpY1M1d2JBPT06MTQ4NDA1MjAxNzoyODM1NWViMThkN2EwMDQ2MGUzNzVmNzg4ZGYwYWE2NzliNTcwOGJiY2E4ZDk0ZGE4YzJhZTFmZTRlMThlMjhh",
    "VMSESSID":"4oupq2fgt72vc8lnqff0g9op44"
} ["csrf","cookies"] []
[2017-01-05 10:54:16] app.DEBUG: 
{
    "cookie":[
        "safeId=51081905; nlPopup=shown; cookieInfo=1; __cfduid=d7b03b629331902c712642a374b52b3711476715148; auth=1a2dd1f7a8b16bf7d31988bf968748b5; VMREMEMBERME=QXBwQnVuZGxlXEVudGl0eVxVc2VyOmMydHNaWEF6TkRKQVluSmhibVJpY1M1d2JBPT06MTQ4NDA1MjAxNzoyODM1NWViMThkN2EwMDQ2MGUzNzVmNzg4ZGYwYWE2NzliNTcwOGJiY2E4ZDk0ZGE4YzJhZTFmZTRlMThlMjhh; VMSESSID=4oupq2fgt72vc8lnqff0g9op44"
    ],
    "connection":[
        "Keep-Alive"
    ],
    "dnt":[
        "1"
    ],
    "host":[
        "sub.domain.com"
    ],
    "accept-encoding":[
        "gzip, deflate"
    ],
    "user-agent":[
        "Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko"
    ],
    "accept-language":[
        "pl-PL"
    ],
    "accept":[
        "text\/html, application\/xhtml+xml, *\/*"
    ],
    "content-length":[
        ""
    ],
    "content-type":[
        ""
    ],
    "x-php-ob-level":[
        1
    ]
} ["csrf","headers"] []
[2017-01-05 10:54:16] app.DEBUG: [] ["csrf","session"] []
[2017-01-05 10:54:16] app.DEBUG: 
{
    "created":1483610056,
    "lastUsed":1483610056
} ["csrf","session_times"] []
[2017-01-05 10:54:16] app.DEBUG: 
{
    "name":"xxx",
    "address":"xxx",
    "city":"xxx",
    "phoneNumber":"xxx",
    "lang":"xx",
    "save":"",
    "_token":"ms-TX5_Du6lh3BqV2RB2CvQaEJ8WzuPBCeduAJox3ik"
} ["csrf","data"] []
[2017-01-05 10:54:16] security.DEBUG: Stored the security token in the session. {"key":"_security_main"} []

Upvotes: 8

Views: 1588
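Whether the session really is recreated on every request, as the question suspects, can be read straight off these logs: if the browser sent a session cookie yet the session Symfony populated is empty and its `created` time equals `REQUEST_TIME`, the previous session (and the CSRF token stored in it when the form was rendered) was not found, so any token the form submits cannot match. The diagnostic below is an added example, not the asker's or Symfony's code; it parses Monolog lines in the default `[datetime] channel.LEVEL: message context extra` format, assumes the app tags its dumps `["csrf", <name>]` as in the question, and runs on a constructed sample modelled on the question (every cookie, token and timestamp value is made up).

```python
import json
import re

# Monolog's default line format: [datetime] channel.LEVEL: message context extra
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<chan>\w+)\.\w+: (?P<msg>.*?) "
                     r"(?P<ctx>\[.*?\]|\{.*?\}) (\[\]|\{.*?\})$")

# Constructed sample modelled on the question's logs (all values made up). Request 1 shows the
# failure signature: a session cookie is sent and the remember-me cookie is accepted, yet the
# session is empty and was created in this very request. Request 2 is healthy.
SAMPLE_LOG = """\
[2017-01-05 10:54:16] request.INFO: Matched route "fos_user_profile_show". {"route":"x"} []
[2017-01-05 10:54:16] security.INFO: Remember-me cookie accepted. [] []
[2017-01-05 10:54:16] app.DEBUG: {"VMREMEMBERME":"made-up","VMSESSID":"made-up-sid"} ["csrf","cookies"] []
[2017-01-05 10:54:16] app.DEBUG: {"REQUEST_TIME":1483610056} ["csrf","server"] []
[2017-01-05 10:54:16] app.DEBUG: [] ["csrf","session"] []
[2017-01-05 10:54:16] app.DEBUG: {"created":1483610056,"lastUsed":1483610056} ["csrf","session_times"] []
[2017-01-05 10:55:02] request.INFO: Matched route "fos_user_profile_show". {"route":"x"} []
[2017-01-05 10:55:02] app.DEBUG: {"VMSESSID":"made-up-sid"} ["csrf","cookies"] []
[2017-01-05 10:55:02] app.DEBUG: {"REQUEST_TIME":1483610102} ["csrf","server"] []
[2017-01-05 10:55:02] app.DEBUG: {"_csrf/profile":"made-up-token"} ["csrf","session"] []
[2017-01-05 10:55:02] app.DEBUG: {"created":1483609000,"lastUsed":1483610102} ["csrf","session_times"] []
"""

def split_requests(log_text):
    # Parse Monolog lines and group them into requests, each starting at a 'Matched route' line.
    requests = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        rec = m.groupdict()
        rec["ctx"] = json.loads(rec["ctx"])
        if rec["chan"] == "request" and rec["msg"].startswith("Matched route"):
            requests.append([])
        if requests:
            requests[-1].append(rec)
    return requests

def diagnose(log_text, session_cookie="VMSESSID"):
    """Flag requests whose session cookie did not resolve to an existing session."""
    findings = []
    for n, req in enumerate(split_requests(log_text), 1):
        dumps, remembered = {}, False
        for r in req:
            c = r["ctx"]
            if r["chan"] == "security" and r["msg"].startswith("Remember-me cookie accepted"):
                remembered = True
            elif r["chan"] == "app" and isinstance(c, list) and c[:1] == ["csrf"] and len(c) == 2:
                dumps[c[1]] = json.loads(r["msg"])  # the app logged a JSON dump as the message
        cookies, server = dumps.get("cookies", {}), dumps.get("server", {})
        times, session = dumps.get("session_times", {}), dumps.get("session", [])
        # Session created at REQUEST_TIME although a session cookie was sent: the old session,
        # and any CSRF token stored in it when the form was rendered, was not found.
        if session_cookie in cookies and not session and times.get("created") == server.get("REQUEST_TIME"):
            findings.append({"request": n, "time": req[0]["ts"], "remember_me": remembered})
    return findings
```

A hit that also carries `remember_me: True` points at the session handling rather than the CSRF generator, which is the first place to look before touching the CSRF configuration.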

Answers (1)

Kumar Rakesh

Reputation: 2708

I got your point; sometimes this happens due to the csrf generator. You have to change your config.yml file and comment out the csrf generator line, e.g.

...
main:
    pattern: ^/
    form_login:
        provider: fos_userbundle
        #csrf_token_generator: security.csrf.token_manager
        # if you are using Symfony < 2.8, use the following config instead:
        # csrf_provider: form.csrf_provider
    logout:       true
    anonymous:    true
    remember_me:
        name: "%session_cookie_remember_name%"
        domain: "%session_cookie_domain%"
        key:      "%secret%"
        lifetime: 604800
        path:     /
    switch_user: true
...

Now there is no condition for the csrf token.

Upvotes: 2
