Cacti: official forums and support
 Post subject: Message CSRF Timeout occurred due to inactivity, page refres
Posted: Fri Apr 05, 2019 2:36 am

Joined: Thu Apr 04, 2019 9:40 am
Posts: 7
Hi again,
I have a PHP 7 page that points to my Cacti page and inserts the username and password automatically.

$this->arr_graph_detail = array(
    'graph_url'  => 'https://mycacti/' . $this->SW_folder . '/' . $this->graphs_type . '/',
    'graph_user' => 'user',     // Login username
    'graph_pass' => 'password'  // Login password
);

When I execute this PHP, the automatic logon fails with this message.

It worked fine with older versions.
Any idea?
Thanks


Attachments:
Schermata 2019-04-05 alle 09.32.14.png
 
 Post subject: Re: Message CSRF Timeout occurred due to inactivity, page re
Posted: Fri Apr 05, 2019 3:05 am

Joined: Thu Apr 04, 2019 9:40 am
Posts: 7
not solved...


 
 Post subject: Re: Message CSRF Timeout occurred due to inactivity, page re
Posted: Fri Apr 05, 2019 11:18 am
Cacti Guru User

Joined: Sun Aug 27, 2017 12:05 am
Posts: 2397
All incoming POST requests are checked to make sure that there is a CSRF value for the login, which you don't/won't have when you're submitting. However, as your code below isn't complete, I can't be sure what you are doing or which page you are doing it against to be sure.

If you want a method of being able to automatically login to Cacti securely, check out my tokenauth plugin (https://github.com/netniv/plugin_tokenauth/) which I wrote as an example of how to do this kind of thing.

_________________
Official Cacti Developer

Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation

My resources:
How to submit Pull Requests
Development Wiki and How To's
Updated NetSNMP Memory template for Cacti 1.x
Cisco SFP template for Cacti 0.8.8


 
 Post subject: Re: Message CSRF Timeout occurred due to inactivity, page re
Posted: Sat Apr 06, 2019 10:11 am

Joined: Thu Apr 04, 2019 9:40 am
Posts: 7
Let me explain better with an example.

A customer would like to have all the monitoring services together in a single PHP page.

With the graph export plugin I can store the PNG graph files in one path, and after that I can show these main graphs on this page.

Example:
'Customer PizzaMandolino' => array(
    'nomerouter' => array(   // router name
        array(
            'graph_title' => 'PizzaMandolino - Gbit 0/0/1 - Link COLT 1Gbit',
            'image_url'   => 'graph_1315_45.png'
        ),
    ),
),

Then I add a "Graphs details" button that opens Cacti with the customer's account, entering the user and password automatically as if the customer had to make the logon manually.

$this->arr_graph_detail = array(
    'graph_url'  => 'https://newcacti/' . $this->SW_folder . '/' . $this->graphs_type . '/',
    'graph_user' => 'PizzaMandolino',
    'graph_pass' => 'Mustache'  // Password
);

With the old Cacti version this was possible.

Is there a way to disable the CSRF check in the logon process?

Thank you very much


Attachments:
Schermata 2019-04-06 alle 16.50.44.png
 
 Post subject: Re: Message CSRF Timeout occurred due to inactivity, page re
Posted: Sat Apr 06, 2019 4:42 pm
Cacti Guru User

Joined: Sun Aug 27, 2017 12:05 am
Posts: 2397
As I said, if you use the token_auth plugin I wrote, you can pass a token that is randomly generated and valid for a short period of time. That then allows the user in automatically from your other system via a GET request. There is no way to post directly without CSRF checks being in place.

 
 Post subject: Re: Message CSRF Timeout occurred due to inactivity, page re
Posted: Tue Apr 09, 2019 6:40 am

Joined: Thu Apr 04, 2019 9:40 am
Posts: 7
SOLVED
It seems that the problem was solved by setting the following variable to true:


#$GLOBALS['csrf']['defer'] = false;
$GLOBALS['csrf']['defer'] = true;

in the file .../include/vendor/csrf/csrf-magic.php


Now I can pass the user and password in POST mode and log in automatically.


Thank you
Regards
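
Added example, not part of the thread and not the tokenauth plugin's code: the short-lived random token handoff described in the developer's reply, written in PHP. It is the alternative to the `defer` change above, which stops csrf-magic from running its check automatically on every POST unless the application calls `csrf_check()` itself. The function names, the in-memory `$store`, the 60-second lifetime and the timestamps are assumptions made for illustration.

```php
<?php
// Hypothetical names throughout (issue_token, redeem_token, $store);
// this is not the tokenauth plugin's code or API.

const TOKEN_TTL = 60; // assumed lifetime in seconds

// Portal side: mint a random token and remember only its SHA-256 hash,
// so a leaked store does not hand out usable tokens.
function issue_token(array &$store, string $user, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $store[hash('sha256', $token)] = [
        'user'    => $user,
        'expires' => $now + TOKEN_TTL,
    ];
    return $token; // placed in the link the customer clicks
}

// Receiving side: map a presented token to a user, once, within its lifetime.
function redeem_token(array &$store, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null; // never issued, or already redeemed
    }
    $entry = $store[$key];
    unset($store[$key]); // single use: consumed even when expired
    return $now <= $entry['expires'] ? $entry['user'] : null;
}

// Constructed demo values; an array stands in for shared storage.
$store = [];
$t0    = 1554800000;
$token = issue_token($store, 'PizzaMandolino', $t0);

var_dump(redeem_token($store, $token, $t0 + 10)); // first use, in time
var_dump(redeem_token($store, $token, $t0 + 11)); // replay of the same token

$late = issue_token($store, 'PizzaMandolino', $t0);
var_dump(redeem_token($store, $late, $t0 + 61));  // presented after expiry
var_dump(redeem_token($store, 'not-a-token', $t0)); // never issued
```

With this pattern the customer's password never appears in the portal page, and a token copied from a log or browser history is useless once it has been redeemed or has expired.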

