Support » Plugin: Cloudflare » Invalid CSRF Token on 3.0.1

  • Am running CF 3.0.1 on an http site and https (the latter with a CF certificate). DNSSEC is active.

    Both sites run fine, but I cannot change any setting on the 3.0.1 CF plug, and get the red crawl bar that says “CSRF Token is invalid”. I’ve re-logged in multiple times, with my authorized email and Global API key (not the CA key).

    Could this be a cache issue? Maybe because 2-factor is on?

Viewing 15 replies - 31 through 45 (of 64 total)
  • Two steps forward, one step back…

    That’s not true. I was able to replicate “Invalid CSRF Token” error by downloading InfiniteWP.

    it threw a fatal error (red box at the top of Plugins admin page)

    – Could you post the error message?
    – Could you post the PHP error logs in your server?
    – Could you post the error logs in developer tools?

    JQMIGRATE: Migrate is installed, version 1.4.1

    This is not an error message. It’s a warning message. You can ignore it.

    Thanks

    AHH! I have Infinite WP installed as well

    Hey Guys,

    So yeah @furkan811 figured out the root cause to this yesterday. Here is what happens:

    For non GET requests we get the body of the request like this:

    $body = file_get_contents('php://input');

    Unfortunately php://input can only be read once, so if another plugin reads it before us then our request body won’t exist when our code goes to look for it. The requests with CSRF tokens are sent from our plugin and intended to be consumed by our plugin so any 3rd party WordPress plugins that modify these requests will have to be updated to limit the scope of requests they modify or put the input stream back after they use it. There is nothing we can do to fix this issue.

    Thanks,
    John

    Thread Starter Steve Cunningham

    (@synthman)

    Glad to hear there’s an answer that makes sense.

    Sounds like someone from Cloudflare will need to have a convo with someone from infinitewp.com. According to wordpress.org, IWP have 400,000+ active installs and 1.9m downloads of the client.

    Someone needs to have a convo and change some code, methinks.

    And it’s entirely possible that some other plugin out there may also make use of php://input, and it just hasn’t been seen yet.

    I hope so, i would love the cloudflare plugin, but i am not willing to give up infinite wp for it. 🙁

    I’m more than willing to work with them to come up with a fix. I believe @furkan811 has already reached out as well.

    Hi Guys,

    Just wanted to update you – I’ve contacted @infinitewp on twitter to see if they’ll push a fix. With infinitewp specifically the problem code is line 97.

    global $HTTP_RAW_POST_DATA, $iwp_mmb_activities_log;
    		$HTTP_RAW_POST_DATA_LOCAL = NULL;
    		$HTTP_RAW_POST_DATA_LOCAL = file_get_contents('php://input');
    		if(empty($HTTP_RAW_POST_DATA_LOCAL)){
    			if (isset($HTTP_RAW_POST_DATA)) {
    				$HTTP_RAW_POST_DATA_LOCAL = $HTTP_RAW_POST_DATA;
    			}
    		}

    To ensure php://input can be read more than once an approach like this can be used:

    
    $stream = fopen('php://temp', 'w+');
    stream_copy_to_stream(fopen('php://input', 'r'), $stream);
    rewind($stream);
    
    echo("first: ". stream_get_contents($stream) . "\n");
    echo("second: ". file_get_contents('php://input') . "\n");
    

    Thanks for not giving up on us! 🙂

    Thread Starter Steve Cunningham

    (@synthman)

    Just a note of thanks and to confirm that version 3.0.5 now appears to be fully functional on all my sites that don’t use InfiniteWP. I had many of the other problems with earlier versions, but 3.0.5 seems to have nailed it.

    I know it ain’t done for every case. But thanks for the hard work; it is both admired and appreciated.

    Best,
    Steve C.

    Hi Steve,

    No Problem. We really appreciated your patience and willingness to debug these issues with us as we worked through them! Thank you for using Cloudflare!

    -John

    Your last post on this topic was nearly three weeks ago. Are there any updates on this?

    Thank you!

    Hi @burquidi,

    I’m in contact with InfiniteWP. The response from InfiniteWP:

    We are currently investigating potential fixes for this issue and I hope an update for IWP client plugin will be released by end of October.

    Once they’ve a fix I’ll post on this topic.

    Thanks

    Hi @synthman,@edgemarketing, @burquidi

    InfiniteWP has released a new version of their WordPress plugin. Downloading InfiniteWP- Client, Version 1.6.1.1 should fix the issue.

    Let me know if you have any questions.

    Thanks.

    I have Infinite WP – Client version 1.6.2beta2. Doesn’t work on that.:( That is a higher version, that update should be in there right?

    Maybe the update just hasn’t hit the wordpress plugin library yet.

Viewing 15 replies - 31 through 45 (of 64 total)
  • The topic ‘Invalid CSRF Token on 3.0.1’ is closed to new replies.