0

We are receiving a Csrf validation error with CKFinder on POST requests. After much struggle we debugged the process flow with .NET reflector and found that Csrf Validation is failing in Connector.

As a temporary workaround we set `this.EnableCsrfProtection = false;` in the configuration file but it looks very lame.

How do I fix this problem the right way?

To Ka
  • 1
    Just a quick check: any chance that the server side has just been updated but the client side part (JavaScript) is still served by the browser from cache? In such case the frontend would not send the token while the updated server part would be looking for it. – Wiktor Walc Dec 22 '15 at 16:24
  • @WiktorWalc No, I'm on a dev machine in Visual Studio / Chrome. I did try restarting the dev server and cleared the Chrome cache a few times though, but it did not help. Can you give me any suggestions regarding how to debug the problem? – To Ka Dec 22 '15 at 16:29
  • 1
    1. Are you simply using CKFinder features like creating a folder, using an "out of the box" version of CKFinder? 2. Check network tab in a browser and inspect requests sent by the browser to the connector. The request to the connector should have a cookie and a POST parameter with the same value (added automatically by CKFinder, if CSRF protection is enabled). – Wiktor Walc Dec 22 '15 at 16:44
  • @WiktorWalc I had to switch to another project for a while. I will check that and see how it goes. Thank you. – To Ka Jan 05 '16 at 20:01

1 Answer

3

My reputation is too low to comment, so I'm posting this as an answer.

Do you have a problem with using the client application or with sending requests by yourself?

If this is the first case, try to clear your browser cache. It may be that outdated scripts are taken from there instead of being downloaded.

If this is the second one, be sure to include a cookie named `ckCsrfToken` and a form parameter `ckCsrfToken` with the same (non-empty) value.

kfazi
  • I am not sure I understood what you mean. I am not setting any form vars or cookie. Everything is handled inside CKFinder. It is a closed library. – To Ka Dec 22 '15 at 16:31
  • 1
    What I meant was: do you have problems with using the GUI or with sending requests by yourself (for example in some plugin)? It looks like you are just using the GUI. Another thing that comes to my mind is that something might have gone wrong when you did the update. Could you open the `ckfinder.js` file in your browser and check that `CKFinder.version` is `2.6.0`? If it's lower it means that you are still using an old version of the GUI. – kfazi Dec 23 '15 at 12:13
  • Sorry for the late reply. I am using the GUI, I am not sending the request manually and I did download the latest version. – To Ka Jan 05 '16 at 20:00
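
The rule described in the comments and the answer above (a `ckCsrfToken` cookie and a `ckCsrfToken` POST parameter carrying the same non-empty value) can be checked against a request copied from the browser's network tab. This is an added example, not CKFinder's code and not part of the original thread; the `/connector` path, the token values, the function names and the URL-encoded body are assumptions made for illustration.

```javascript
// Added example: classify a captured request against the double-submit rule.
// Assumption: the POST body is application/x-www-form-urlencoded.
const TOKEN = 'ckCsrfToken';

// Compare every character so timing does not reveal the first difference.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Turn the value of a Cookie header into a name -> value map.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Returns 'ok' or the reason the double-submit check would fail.
function checkCsrfDoubleSubmit(rawRequest) {
  const sep = rawRequest.match(/\r?\n\r?\n/);
  const head = sep ? rawRequest.slice(0, sep.index) : rawRequest;
  const body = sep ? rawRequest.slice(sep.index + sep[0].length) : '';
  const lines = head.split(/\r?\n/);
  if (!/^POST\s/.test(lines[0])) return 'not-a-post';
  const cookieLine = lines.find((l) => /^cookie:/i.test(l));
  const cookie = parseCookies(cookieLine && cookieLine.slice(7)).get(TOKEN);
  const param = new URLSearchParams(body.trim()).get(TOKEN);
  if (cookie === undefined) return 'cookie-missing';
  if (param === null) return 'parameter-missing'; // e.g. stale cached client script
  if (cookie === '' || param === '') return 'empty-token';
  return constantTimeEqual(cookie, param) ? 'ok' : 'mismatch';
}

// Builds a constructed sample request; path and host are hypothetical.
function sampleRequest(cookieHeader, body) {
  const headers = ['POST /connector HTTP/1.1', 'Host: localhost',
    'Content-Type: application/x-www-form-urlencoded'];
  if (cookieHeader) headers.push('Cookie: ' + cookieHeader);
  return headers.join('\r\n') + '\r\n\r\n' + body;
}

console.log(checkCsrfDoubleSubmit(
  sampleRequest('lang=en; ckCsrfToken=abc123XYZ', 'ckCsrfToken=abc123XYZ&name=docs')));
```

A `parameter-missing` result with the cookie present matches the cached-script scenario raised in the first comment, while `cookie-missing` points at the cookie not being set or not being sent to the connector.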