CSRF login Issue

Issue:

CSRF token mismatch during login.

Trace:

[07:01:21:901]|[10-05-2021]|[com.adventnet.servicedesk.authentication.internal.LoginUtil]|[INFO]|[69]: Invalid login CSRF token provided ::: sessionToken : null; cookieToken : 79928721-48fc-4f84-9236-e78667e7a846; paramToken : c7d8f99c-b34a-4233-bcec-b0990e73700e;|
[07:01:21:901]|[10-05-2021]|[SYSERR]|[INFO]|[69]: java.lang.NullPointerException|
[07:01:21:901]|[10-05-2021]|[SYSERR]|[INFO]|[69]: at com.adventnet.servicedesk.authentication.internal.LoginUtil.isCaptchaAuthEnabled(LoginUtil.java:539)|

Fix:

  1. For versions above 14303 there is no CSRF issue.
  2. For versions above 13008, upgrade to the latest version, or contact support for the partial workaround for SD-106516.
    1. If -Ddisable_login_page_csrf is present in run.sh, run.bat or wrapper.conf, remove the entire line (if it resembles the line given in the 'Older Workaround') from all of these files.
  3. For versions above 11308, upgrade to the latest version to get the fixes for both SD-106516 and SD-102314.
    1. If that is not possible, try the 'Older Workaround'.
  4. For older versions, kindly upgrade to get all fixes; if that is not possible, try the 'Older Workaround'.



Fix for certain versions (14205 and 14700 only):

Please do not apply these fixes if you are on a different version.
  1. Download the zip named csrf_<version>.zip from the attachments and unzip it.
  2. Place csrf_<version>.fjar in the '<sdp>/fixes' folder.
  3. If the zip contains a Login.js file, go to '<sdp>/webapps/ROOT/scripts':
    1. Rename Login.js to Login.js.old (or move the file to the desktop or any safe location away from SDP).
    2. Place the downloaded Login.js there.
  4. Restart the SDP service for the changes to take effect.
  5. To revert, undo the changes and restart the SDP service.

Version | Jars/Scripts       | To apply
14205   | csrf_14205_v2.fjar | fjar
14700   | csrf_v3_14700.zip  | fjar + script




Older Workaround (below 13008):

This workaround is only for versions below 13008. Do not try this if your version is 13008 or above; on the contrary, in versions above 13008 the following lines should be removed.
  1. Add a new line in conf/wrapper.conf:
      For example, if 43 is the last added line in wrapper.conf,
            wrapper.java.additional.43=-Djdk.http.auth.tunneling.disabledSchemes=
      add a new line with number 44 like the one below:
            wrapper.java.additional.44=-Ddisable_login_page_csrf=true
  2. For starting via run.bat, search for 'tunneling' and add the following line after the matching line in run.bat:
            set JAVA_OPTS=%JAVA_OPTS% -Ddisable_login_page_csrf=true
  3. For starting via run.sh, search for 'tunneling' and add the following line after the matching line in run.sh:
            JAVA_OPTS="$JAVA_OPTS -Ddisable_login_page_csrf=true"
  4. Restart the SDP service (or re-run the application from run.bat/run.sh) to apply the changes.
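As an added example (not from this article or from ServiceDesk Plus itself), the POSIX shell functions below apply the wrapper.conf step of the older workaround by computing the next free wrapper.java.additional.N index, skip it when the flag is already there, and also remove the line again, which the Fix section requires for builds above 13008. They assume wrapper.conf uses numbered wrapper.java.additional.N= entries as shown above; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not product code: manage the -Ddisable_login_page_csrf=true
# entry in conf/wrapper.conf. Assumes numbered wrapper.java.additional.N= lines.

FLAG='-Ddisable_login_page_csrf=true'

# Print the highest N used by wrapper.java.additional.N entries (0 if none).
last_additional_index() {
  grep -E '^wrapper\.java\.additional\.[0-9]+=' "$1" \
    | sed -E 's/^wrapper\.java\.additional\.([0-9]+)=.*/\1/' \
    | sort -n | tail -n 1 | grep . || echo 0
}

# Older workaround (builds below 13008): append the flag as the next numbered
# entry. Does nothing if the flag is already present, so it is safe to re-run.
add_csrf_workaround() {
  conf=$1
  if grep -q -- "$FLAG" "$conf"; then
    return 0
  fi
  n=$(( $(last_additional_index "$conf") + 1 ))
  printf 'wrapper.java.additional.%s=%s\n' "$n" "$FLAG" >> "$conf"
}

# Builds above 13008: remove the entire line carrying the flag.
remove_csrf_workaround() {
  conf=$1
  # grep -v exits 1 when nothing is left to print; an empty result is still valid.
  grep -v -- "$FLAG" "$conf" > "$conf.tmp" || :
  mv "$conf.tmp" "$conf"
}

# Usage on a constructed sample file (real deployments use <sdp>/conf/wrapper.conf):
sample=$(mktemp)
printf 'wrapper.java.additional.43=-Djdk.http.auth.tunneling.disabledSchemes=\n' > "$sample"
add_csrf_workaround "$sample"
cat "$sample"
rm -f "$sample"
```

The same check for an existing flag should be applied by hand to run.sh and run.bat, which are edited as plain JAVA_OPTS lines rather than numbered entries.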
