Security Token

From Dolibarr ERP CRM Wiki

MAIN_SECURITY_CSRF_WITH_TOKEN


from https://github.com/Dolibarr/dolibarr/issues/16626:


When you have such a trouble, it means:

You have an external module or a custom development that introduces an Ajax, a CSS page or a JavaScript file that makes a renewal of the token when it should not (in 90% of cases), or you have a page of an external module that sends a POST request or a GET for a critical action without providing the token (in 10% of cases).

You must try this:

  • First go into home - setup - other and check that MAIN_FEATURES_LEVEL is set to 0 or not set at all instead of 1 or 2 (when MAIN_FEATURES_LEVEL is 1 or 2, there are other protection mechanisms that are not stable).
  • If you still have the problem, you must disable external modules (try to do it one by one to find the bugged module; it may be several external modules). If you are not able to disable a module from the interface, you can try to disable the security check in conf/conf.php by:
      • setting $dolibarr_nocsrfcheck to 1 instead of 0 (warning, your instance is no longer protected against CSRF attacks)
      • setting the constant CSRFCHECK_WITH_TOKEN = 0 in home - setup - other

If it is not enough and you are still not able to disable the external module, you can try removing directly the directory of the external modules stored inside the /custom directory. You can then call this URL to clean external modules not correctly removed that still have bugged files that are loaded: /install/repair.php?force_disable_of_modules_not_found=confirmed (you may need to remove documents/install.lock before).

Don't forget, this is not a bug in Dolibarr but in external files that are not secured or that do not implement the security correctly (every ajax, css and js page of an external module must have the define('NOTOKENRENEWAL') at the top of its file. Also, any link that has a parameter action=add, action=update or action=delete should also contain the &token=...).

If you modify the code of Dolibarr to bypass the protection or if you keep dolibarr_nocsrfcheck at 1 or CSRFCHECK_WITH_TOKEN at 0, you are no longer protected (at least, no longer against CSRF attacks).

With v13.0.2, when the module syslog is enabled, you will also find in dolibarr.log a line:

NEW TOKEN reclaimed by : name of page
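The two mistakes described above (ajax/css/js pages of an external module without define('NOTOKENRENEWAL'), and action=add/update/delete links without a token parameter) can be spotted before deploying a module by scanning its sources. The following audit script is an added example, not part of the wiki page or of Dolibarr itself; the module files it scans are constructed inline, and the newToken() call in the sample is only there as text to be matched.

```python
"""Audit an external Dolibarr module's PHP sources for the two CSRF-token
mistakes the issue describes. Sample files are constructed for this example."""
import re

# Constructed sample sources, keyed by path relative to the module directory.
SAMPLE_MODULE = {
    "ajax/lookup.php": "<?php\n$r = GETPOST('q');\necho json_encode($r);\n",
    "ajax/ok.php": "<?php\nif (!defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1');\n"
                   "require '../main.inc.php';\n",
    "css/style.css.php": "<?php\ndefine('NOTOKENRENEWAL', '1');\nheader('Content-type: text/css');\n",
    "card.php": "<?php\nprint '<a href=\"card.php?action=delete&id=1\">Delete</a>';\n"
                "print '<a href=\"card.php?action=update&id=1&token='.newToken().'\">Edit</a>';\n"
                "print '<a href=\"card.php?action=view&id=1\">View</a>';\n",
}

# A define('NOTOKENRENEWAL', ...) anywhere in the file (usually at the top).
NO_RENEWAL_RE = re.compile(r"define\(\s*['\"]NOTOKENRENEWAL['\"]")
# A query string that triggers a critical action; the match runs to the end
# of the literal so we can check whether a token= parameter is present.
ACTION_LINK_RE = re.compile(r"[?&]action=(add|update|delete)\b[^'\"\s]*")


def needs_no_renewal(path: str) -> bool:
    """Ajax endpoints and PHP-generated CSS/JS must not renew the token."""
    return path.startswith("ajax/") or path.endswith((".css.php", ".js.php"))


def audit_module(files: dict) -> list:
    """Return (path, problem) findings for the module sources given."""
    findings = []
    for path, src in sorted(files.items()):
        if needs_no_renewal(path) and not NO_RENEWAL_RE.search(src):
            findings.append((path, "missing define('NOTOKENRENEWAL') at top of file"))
        for m in ACTION_LINK_RE.finditer(src):
            if "token=" not in m.group(0):
                findings.append((path, f"action={m.group(1)} link without token= parameter"))
    return findings


if __name__ == "__main__":
    for path, problem in audit_module(SAMPLE_MODULE):
        print(f"{path}: {problem}")
```

Run it against a real module by reading each .php file under custom/<module>/ into the dictionary; a clean module produces no findings.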