
Suggestion: Better CSRF error handling (triggered with HttpOnly cookies and HTTP Header authentication) #2

vletoux opened this issue Mar 20, 2023 · 0 comments
vletoux commented Mar 20, 2023

This is a (multiple allowed):

  • bug
  • enhancement
  • feature-discussion (RFC)

  • CakePHP Version: c31bb4b - the latest version used in MISP
  • Platform and Target: Debian 4.19.269-1 (2022-12-20) x86_64 GNU/Linux

What you did

HttpOnly session cookies were implemented in our MISP installation. This installation also used authentication headers (SAML2 with mellon plugin).

As a consequence, the page to "populate from " ... " Freetext import" loaded.
When submitting the attribute, the page fails with "The request has been black-holed - CSRF token mismatch".

What happened

We searched a lot on the MISP issue page on github and found no similar issues.

We debugged the code trying to understand the error.
We dumped the data at this place:

```php
$token = $this->Session->read('_Token');
```

The `$token` appears to be null.

As a consequence, the code goes here:

```php
throw new SecurityException('CSRF token mismatch');
```

and the CSRF error is triggered.

Indeed, the POST is triggered by jQuery and, because the session cookie is HttpOnly, the jQuery code cannot access it.
Because we are using authentication headers for authentication, it reuses the authentication headers to create a new session, and the CSRF code cannot work with 2 sessions instead of one.

What you expected to happen

What would have saved a lot of time for us is a better error message.

We can see here a defensive programming check for `$requestToken`:

```php
if (!$requestToken) {
    throw new SecurityException('Missing CSRF token');
}
```

But nothing for `$token`.
Maybe do something like:

```php
if (!$token) {
    throw new SecurityException('No CSRF token found stored in session. Old session or HttpOnly Cookie ?');
}
```
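The distinction the issue asks for, written out as a stand-alone check (an added illustration, not CakePHP's SecurityComponent code or the issue author's patch). `$session` and `$post` are plain arrays standing in for CakePHP's Session object and the request data; that mapping is an assumption. The three failure states are kept separate so an operator can tell an expired or freshly created session apart from a genuine token mismatch, and the final comparison uses `hash_equals` so the check does not leak timing information.

```php
<?php
// Added illustration, not CakePHP's own SecurityComponent code.
// Models the three states discussed in the issue: no token in the request,
// no token stored in the session, and a request token that does not match.

class SecurityException extends RuntimeException {}

/**
 * Validate the CSRF token carried in the POST body against the one stored
 * in the session. $session and $post are plain arrays (assumption) that
 * stand in for $this->Session->read('_Token') and $this->request->data.
 */
function validateCsrfToken(array $session, array $post): void
{
    $requestToken = $post['_Token']['key'] ?? null;
    if (!$requestToken) {
        // Existing defensive check: the client sent no token at all.
        throw new SecurityException('Missing CSRF token');
    }

    // The check the issue proposes: no token in the session is a distinct
    // failure (expired session, or a brand-new session created because the
    // original session cookie did not accompany the AJAX POST), not a mismatch.
    $token = $session['_Token'] ?? null;
    if (!$token || empty($token['key'])) {
        throw new SecurityException(
            'No CSRF token found stored in session. Old session or HttpOnly cookie?'
        );
    }

    // Constant-time comparison of the stored token and the submitted one.
    if (!hash_equals((string) $token['key'], (string) $requestToken)) {
        throw new SecurityException('CSRF token mismatch');
    }
}

// Constructed sample data exercising each branch; token values are made up.
$cases = [
    'no request token' => [['_Token' => ['key' => 'abc']], []],
    'no session token' => [[], ['_Token' => ['key' => 'abc']]],
    'mismatch'         => [['_Token' => ['key' => 'abc']], ['_Token' => ['key' => 'xyz']]],
    'match'            => [['_Token' => ['key' => 'abc']], ['_Token' => ['key' => 'abc']]],
];

foreach ($cases as $name => [$session, $post]) {
    try {
        validateCsrfToken($session, $post);
        echo "$name: ok\n";
    } catch (SecurityException $e) {
        echo "$name: " . $e->getMessage() . "\n";
    }
}
```

Run with `php csrf_check.php` (file name is arbitrary). The "no session token" case is the one the reporter hit: the request carried a token, but the session it was compared against was a new one with no `_Token` entry, so the generic "mismatch" message pointed debugging in the wrong direction.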