Token generation mismatch: hidden input does not match the session variable

[jamespsterling]

Inputs on form,

<!--
--><input type="hidden" name="_CSRF_INDEX" value="v6Dzi3KrRDV68kNdPFCES+UU"><!--
--><input type="hidden" name="_CSRF_TOKEN" value="wLoNJygvlKTxBEuhTa/WCjnvtoYldgmTet7MsFQlXU0=">

Session variables dumped at the end of page,

array(1) {
  ["CSRF"]=>
  array(1) {
    ["v6Dzi3KrRDV68kNdPFCES+UU"]=>
    array(4) {
      ["created"]=>
      int(20160114152843)
      ["uri"]=>
      string(1) "/"
      ["token"]=>
      string(44) "T0kXM8I9nzUFv3w7flJTlbOjFa1OEMNR+5xwnHvpqr4="
      ["lockto"]=>
      string(5) "login"
    }
  }
}

[paragonie-scott]

What is the value of protected $hmac_ip?

[ncou]

Hi,

Same thing here. the token set in session is different from the value in the hidden text field.
The _CSRF_INDEX is the same in session and in the hidden text field.

The validateRequest return "TRUE" even if the value in the field is different from the value session.

$hmac_ip is TRUE

[ncou]

After a quick debug, it's because hmac_ip is TRUE.

If set to false, the token value in the hidden field is the same than in the session.

[paragonie-scott]

Yep. What this feature does is, instead of just placing the CSRF token in the form output, it outputs hash_hmac('sha256', $IPaddress, $csrfToken).

anti-csrf/src/AntiCSRF.php

Lines 162 to 174 in 606274f

	if ($this->hmac_ip !== false) {
	// Use HMAC to only allow this particular IP to send this request
	$token = $this->encode(
	\hash_hmac(
	$this->hashAlgo,
	isset($this->server['REMOTE_ADDR'])
	? $this->server['REMOTE_ADDR']
	: '127.0.0.1',
	\base64_decode($token),
	true
	)
	);
	}

I'm tagging this as a documentation bug.