Strange CSRF behaviour with CSRF / double session

Hi all,

The next situation might sound a bit strange but we are facing the following problem:
We created a bundle (with the console generator) and added our controllers and views inside them.
The bundle works like a charm on all places but when we try to login in pimcore (/admin) we get a csrf-token mismatch.

The bundle does nothing with a session. We also made the pimcore bundle a symfony bundle and enabled it in appKernel.php --> same result.

When we disable the bundle everything is working fine again. 20 hours debugging later and still experience the same CSRF problem.

When we look inside the session files we see the when we acces /admin there are2 or 3 sess_ files created, 1 wiith the correct csrf-token inside it and the other files are empty.

The one that resolve this issue will be rewarded!

I can’t add the bundle as an attachment but I can send it to you if needed.

Thanks in advance, Koert

Seems very strange.Which pimcore version are you using?
Kindly share the bundle if you can…

Hi! We are using pimcore 6.4.2 and php 7.3.12
I shared the bundle here:

Thanks in advance!

Your bundle has some dependency on AppBundle.
//use AppBundle\Controller\BaseController;
//use AppBundle\Service\NewsService;

I removed the dependency and enabled the plugin but i didn’t get any error.I am using latest pimcore instance.

Yes all that dependencies are also working correct. I minimised the code so that not everything is inside the bundle

Can you share the dependencies? As for me there is no error…

Everything of the website is working correct. The only thing that we experience is CSRF token mismatching in /admin

We have 8 years of pimcore experience but never had these strange issues

That’s strange. I also never had this issue … nor I am able to reproduce this by enabling your bundle…

It is weird issue with Pimcore, I sometimes get it from time to time as well… I am still not sure why, but they don’t do do the CSRF check right…

But we experience it when we enable the bundle. I can’t figure out what the bundle is doing wrong. We don’t even use frontend sessions (yet). We have it 99 out of 100 login attempts…

We fixed it! The reason was that we pointed to a non-existing image on the customized login page. This resulted in a async request to /admin which started a new session in the background.

So if anyone else encounters this issue - check your network-tab to see if you’re not accidentally loading the page more then once (in the background).

Thank you all for your help. Was a hard one. The fix usually is simple once you know where to look. :slight_smile:

1 Like

awesome, that is good to know. I am having the same issue with a customer project right now. I can imagine it has todo with the custom logo you can configure.

1 Like

Indeed. If the image (or any other resource) isn’t loading from the /admin url it is most likely the case. Check your network-tab to see if in one request the /admin page is loaded more than once.

I used xdebug - that might help give you insights. Found out that in one request the code was executed multiple times by setting a breakpoint on start_session().

Good luck! And again tnx to you, @neha for diving into this with us. High five for @Koert, my colleague for finding the solution with me.

Issue closed. On to the next :wink: