CSRF login Issue

Issue:

CSRF token mismatch during login.

Trace:

[07:01:21:901]|[10-05-2021]|[com.adventnet.servicedesk.authentication.internal.LoginUtil]|[INFO]|[69]: Invalid login CSRF token provided ::: sessionToken : null; cookieToken : 79928721-48fc-4f84-9236-e78667e7a846; paramToken : c7d8f99c-b34a-4233-bcec-b0990e73700e;|
[07:01:21:901]|[10-05-2021]|[SYSERR]|[INFO]|[69]: java.lang.NullPointerException|
[07:01:21:901]|[10-05-2021]|[SYSERR]|[INFO]|[69]: at com.adventnet.servicedesk.authentication.internal.LoginUtil.isCaptchaAuthEnabled(LoginUtil.java:539)|

Fix:

  1. Versions above 14303 are not affected by this CSRF issue.
  2. Versions above 13008: upgrade to the latest version, or contact support for the partial workaround for SD-106516.
    1. If -Ddisable_login_page_csrf is present in run.sh, run.bat or wrapper.conf, remove the entire line (if it matches the line given in the 'Older Workaround') from all of those files.
  3. Versions above 11308: upgrade to the latest version to get the fix for both SD-106516 and SD-102314.
    1. If upgrading is not possible, try the 'Older Workaround'.
  4. Older versions: kindly upgrade to get all the fixes; if upgrading is not possible, try the 'Older Workaround'.

Older Workaround:

This workaround is only for versions below 13008. Do not apply it if your version is 13008 or above; conversely, in versions above 13008 the lines added below should be removed.
  1. Add a new line to conf/wrapper.conf:
      For example, if 43 is the last added line in wrapper.conf,
            wrapper.java.additional.43=-Djdk.http.auth.tunneling.disabledSchemes=
      add a new line numbered 44 like the one below:
            wrapper.java.additional.44=-Ddisable_login_page_csrf=true
  2. For starting via run.bat, search for 'tunneling' and add the following line after the matched line in run.bat:
            set JAVA_OPTS=%JAVA_OPTS% -Ddisable_login_page_csrf=true
  3. For starting via run.sh, search for 'tunneling' and add the following line after the matched line in run.sh:
            JAVA_OPTS="$JAVA_OPTS -Ddisable_login_page_csrf=true"
  4. Restart the SDP service (or re-run the application from run.bat/run.sh) to apply the changes.
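The build-number rule in the Fix section and the flag check in its step 2, as an added Python example (not ManageEngine's code): it reports whether each start-up file's -Ddisable_login_page_csrf line conflicts with the installed build, and computes the next free wrapper.java.additional.N index. The sample file contents are constructed; only the file names, flag and build numbers come from the article.

```python
import re

# Build threshold quoted from the article: the flag is a workaround below 13008 only.
WORKAROUND_LIMIT = 13008
FLAG = "-Ddisable_login_page_csrf"

def workaround_allowed(build: int) -> bool:
    """The run.sh/run.bat/wrapper.conf flag is only meant for builds below 13008."""
    return build < WORKAROUND_LIMIT

def has_csrf_flag(text: str) -> bool:
    """True if any non-comment line of a start-up file carries the flag."""
    for line in text.splitlines():
        stripped = line.strip()
        # Skip commented-out lines: '#' in wrapper.conf/run.sh, 'rem' in run.bat.
        if stripped.startswith("#") or stripped.lower().startswith("rem "):
            continue
        if FLAG in stripped:
            return True
    return False

def next_wrapper_index(wrapper_conf: str) -> int:
    """Next free wrapper.java.additional.N index (article's example: 43 -> 44)."""
    pattern = r"^wrapper\.java\.additional\.(\d+)="
    nums = [int(n) for n in re.findall(pattern, wrapper_conf, re.M)]
    return max(nums) + 1 if nums else 1

def audit(build: int, files: dict) -> list:
    """Return (file, action) pairs where the flag's presence conflicts with the build:
    'remove' = flag present on 13008 or above; 'add' = flag absent below 13008
    (workaround not applied; the article prefers upgrading)."""
    findings = []
    for name, text in files.items():
        present = has_csrf_flag(text)
        if present and not workaround_allowed(build):
            findings.append((name, "remove"))
        elif not present and workaround_allowed(build):
            findings.append((name, "add"))
    return findings

# Constructed sample start-up files (hypothetical content, not from a real installation).
SAMPLE_FILES = {
    "conf/wrapper.conf": (
        "wrapper.java.additional.43=-Djdk.http.auth.tunneling.disabledSchemes=\n"
        "wrapper.java.additional.44=-Ddisable_login_page_csrf=true\n"
    ),
    "bin/run.sh": 'JAVA_OPTS="$JAVA_OPTS -Djdk.http.auth.tunneling.disabledSchemes="\n',
}

if __name__ == "__main__":
    for build in (12000, 13008):
        print(build, audit(build, SAMPLE_FILES))
```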


Fix for certain versions:

Please do not apply these fixes if you are on a different version.
  1. Download the zip named csrf_<version>.zip from the attachments and unzip it.
  2. Place csrf_<version>.fjar in the '<sdp>/fixes' folder.
  3. If the zip contains a Login.js file, go to '<sdp>/webapps/ROOT/scripts' and:
    1. rename Login.js to Login.js.old (or move the file to the desktop or another safe location outside SDP);
    2. place the downloaded Login.js there.
  4. Restart the SDP service for the changes to take effect.
  5. To revert, undo the changes and restart the SDP service.
