Message CSRF Timeout occurred due to inactivity, page refres

nello12
Posts: 9
Joined: Thu Apr 04, 2019 9:40 am


#1 Post by nello12 » Fri Apr 05, 2019 2:36 am

Hi again,
I have a PHP 7 page that points to my Cacti page and inserts the username and password automatically.

$this->arr_graph_detail = array(
    'graph_url'=>'https://mycacti/'.$this->SW_folder.'/' . $this->graphs_type . '/',
    'graph_user'=>'user', // Login username
    'graph_pass'=>'password' // Login password
);

When I execute this PHP page, the automatic logon fails with this message.

It worked fine with older versions.
Any idea?
Thanks

nello12
Posts: 9
Joined: Thu Apr 04, 2019 9:40 am

Re: Message CSRF Timeout occurred due to inactivity, page re

#2 Post by nello12 » Fri Apr 05, 2019 3:05 am

not solved...

netniV
Cacti Guru User
Posts: 2884
Joined: Sun Aug 27, 2017 12:05 am

Re: Message CSRF Timeout occurred due to inactivity, page re

#3 Post by netniV » Fri Apr 05, 2019 11:18 am

All incoming POST requests are checked to make sure that there is a CSRF value for the login, which you don't/won't have when you're submitting. However, as your code below isn't complete, I can't be sure what you are doing or which page you are doing it against.

If you want a method of being able to automatically login to Cacti securely, check out my tokenauth plugin (https://github.com/netniv/plugin_tokenauth/) which I wrote as an example of how to do this kind of thing.

nello12
Posts: 9
Joined: Thu Apr 04, 2019 9:40 am

Re: Message CSRF Timeout occurred due to inactivity, page re

#4 Post by nello12 » Sat Apr 06, 2019 10:11 am

Let me explain better with an example.

A customer would like to have all the monitoring services together in a single PHP page.

With the graph export plugin I can store the PNG graph files in one path, and after that I can show
these main graphs on this page.

Example:
Customer PizzaMandolino'=>array(
'nomerouter'=>array(
array(
'graph_title'=>'PizzaMandolino - Gbit 0/0/1 - Link COLT 1Gbit',
'image_url'=>'graph_1315_45.png'
),

Then I add a button "Graphs details" that opens Cacti with the customer's account,
entering the user and password automatically, as if the customer had logged on manually.


$this->arr_graph_detail = array(
    'graph_url'=>'https://newcacti/'.$this->SW_folder.'/' . $this->graphs_type . '/',
    'graph_user'=>'PizzaMandolino',
    'graph_pass'=>'Mustache' // Password
);

With the old Cacti version this was possible.

Is there a way to disable CSRF check in the logon process?

Thank you very much

netniV
Cacti Guru User
Posts: 2884
Joined: Sun Aug 27, 2017 12:05 am

Re: Message CSRF Timeout occurred due to inactivity, page re

#5 Post by netniV » Sat Apr 06, 2019 4:42 pm

As I said, if you use the token_auth plugin I wrote, you can pass a token that is randomly generated and valid for a short period of time. That then allows the user in automatically from your other system via a GET request. There is no way to post directly without CSRF checks being in place.
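
A sketch of the mechanism described in the reply above (a short-lived, single-use token that another system hands to the login page in a GET request), added here as an example; it is not code from the tokenauth plugin or from Cacti. The function names, the shared secret and the 60-second lifetime are assumptions.

```php
<?php
// Added example. Names, secret handling and lifetime are assumptions,
// not the tokenauth plugin's API.
const TOKEN_TTL = 60; // seconds a login link stays valid (assumed value)

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Portal side: sign user, expiry and a random nonce with the shared secret.
function issue_token(string $user, string $secret, int $now): string {
    $payload = b64url(json_encode([
        'u'   => $user,
        'exp' => $now + TOKEN_TTL,
        'n'   => bin2hex(random_bytes(16)),
    ]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $secret, true));
}

// Login side: return the username, or null when the token must be rejected.
function redeem_token(string $token, string $secret, int $now, array &$seen): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $secret, true));
    if (!hash_equals($expected, $mac)) return null;   // forged or altered
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['u'], $data['exp'], $data['n'])) return null;
    if ($now > $data['exp']) return null;              // expired
    if (isset($seen[$data['n']])) return null;         // already used once
    $seen[$data['n']] = $data['exp']; // keep in a database in a real deployment
    return $data['u'];
}

// Constructed demo: fixed clock values and an in-memory nonce store.
$secret = random_bytes(32);
$seen   = [];
$token  = issue_token('PizzaMandolino', $secret, 1000);
$cases  = [
    'first use'  => redeem_token($token, $secret, 1010, $seen),
    'same token' => redeem_token($token, $secret, 1020, $seen),
    'after TTL'  => redeem_token(issue_token('PizzaMandolino', $secret, 1000), $secret, 2000, $seen),
    'tampered'   => redeem_token('x' . issue_token('PizzaMandolino', $secret, 1000), $secret, 1010, $seen),
];
foreach ($cases as $label => $result) {
    printf("%-10s => %s\n", $label, var_export($result, true));
}
```

Because the token travels in a URL, it can end up in server logs and Referer headers, which is why the lifetime is short and each nonce is accepted only once.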

nello12
Posts: 9
Joined: Thu Apr 04, 2019 9:40 am

Re: Message CSRF Timeout occurred due to inactivity, page re

#6 Post by nello12 » Tue Apr 09, 2019 6:40 am

SOLVED
It seems that the problem was solved by setting the following variable to true:


#$GLOBALS['csrf']['defer'] = false;
$GLOBALS['csrf']['defer'] = true;

in the file .../include/vendor/csrf/csrf-magic.php


Now I can pass user and password in POST mode and log in automatically.


Thank you
Regards
