Submit a form.
Form is submitted - data is saved or whatever the form is supposed to do.
yii\web\BadRequestHttpException: Unable to verify your data submission. in /var/www/my.uhub.biz/vendor/yiisoft/yii2/web/Controller.php:166
I haven't been able to submit any forms since updating to 2.0.14. I have updated to 2.0.14.1 and still get the same error. I have tried to clear all browser cookies and restart services and the server, but still cannot submit forms. Forms can be submitted if CSRF is disabled, but this is not an option.
Fall back to V2.0.13.1 and it works as intended.
| Q | A
| ---------------- | ---
| Yii version | 2.0.14 and 2.0.14.1
| PHP version | 7.0.22
| Operating system | Ubuntu 16.04
Did you follow this? http://www.yiiframework.com/doc-2.0/guide-security-best-practices.html#avoiding-csrf
@frontbear the link is about disabling CSRF, which I followed to disable CSRF, and I am able to submit the form. However, I don't want to do that for security reasons.
If I downgrade back to 2.0.13, forms can be submitted. It's when updated to 2.0.14+ that forms can't be submitted and I get the 'Unable to verify your data submission' error.
It's similar to a bug that I encountered, maybe related?
@rosancoderian I had a look at your issue and it seems to be related to performance. I've been upgrading Yii fairly regularly and haven't noticed any performance issues. My only issue with the latest release is being unable to submit forms.
Failed to reproduce. Please, supply more info, including request component config and action source code
Thanks for posting in our issue tracker.
In order to properly assist you, we need additional information:
Thanks!
_This is an automated comment, triggered by adding the label status:need more info._
@SilverFire, thanks for looking into this. I'd say this is not easily reproduced as it works in 2.0.13 but not 2.0.14+. Here is the info as per request. Please let me know if you need any more info.
In frontend/config/main.php:
```php
'components' => [
    'request' => [
        'csrfParam' => 'csrf-frontend',
    ],
    'session' => [
        'name' => 'xxx-frontend',
    ],
],
```
As mentioned in the original ticket, it happens to all actions handling POST data. Here's one that saves a record:
```php
public function actionUpdate($id)
{
    $model = $this->findModel($id);
    if ($model->load(Yii::$app->request->post())) {
        if ($model->save()) {
            return $this->redirect(['index']);
        }
    }
    return $this->render('update', ['model' => $model]);
}
```
Could you try to reproduce it on basic app template?
I have the same issue since I upgraded to 2.0.14.1 from 2.0.13. It happens rarely, but for a loaded project a significant amount of bad requests appeared.
Could you check if this is related to output created by echos instead of returning the content/data of the controller? Ie. during AJAX validation.
Possibly related: https://github.com/yiisoft/yii2/issues/15782
I can't reproduce it on my local developer machine. It happens rarely on production. I'll keep trying to find
The problem is with "remember me". The commit with breaking changes is 6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7
Steps to reproduce:
1) Login with default yii2 auth functionality
2) Load a page with any AJAX post request
3) Remove cookie PHPSESSID
4) Submit post request
The problem is caused by regenerating the CSRF token while restoring the session from the "remember me" token.
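The four steps above, replayed against a small stand-alone model (an added example, not code from this thread or from Yii). The function names and the cookie-stored CSRF token are assumptions of the model; the flag switches between regenerating the token when the session is restored from "remember me" and keeping it.

```php
<?php
// Model only: plain PHP, no Yii classes. All function names are hypothetical.
// Assumption: the CSRF token lives in its own cookie, separate from PHPSESSID.

function newToken(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Handle one POST. $cookies is the browser's cookie jar (updated in place),
 * $formToken is the token the page captured when it was rendered.
 * Returns the HTTP status the server would send.
 */
function handlePost(array &$cookies, string $formToken, bool $regenerateOnCookieLogin): int
{
    if (!isset($cookies['PHPSESSID'])) {
        if (!isset($cookies['_identity'])) {
            return 403; // no session and no "remember me" cookie: not logged in
        }
        // The session is restored from the "remember me" cookie before CSRF validation.
        $cookies['PHPSESSID'] = newToken();
        if ($regenerateOnCookieLogin) {
            $cookies['_csrf'] = newToken(); // token changes underneath the rendered page
        }
    }
    // CSRF check: the submitted token must match the server's current token.
    return hash_equals($cookies['_csrf'] ?? '', $formToken) ? 200 : 400;
}

/** Replays the four steps and returns the status of the final POST. */
function replay(bool $regenerateOnCookieLogin): int
{
    // 1) Interactive login with "remember me": session, identity and CSRF cookies are set.
    $cookies = ['PHPSESSID' => newToken(), '_identity' => 'constructed-user', '_csrf' => newToken()];
    // 2) A page is loaded; its AJAX code captures the current token.
    $formToken = $cookies['_csrf'];
    // 3) The PHPSESSID cookie is removed.
    unset($cookies['PHPSESSID']);
    // 4) The page submits its POST with the token captured in step 2.
    return handlePost($cookies, $formToken, $regenerateOnCookieLogin);
}

printf("regenerate on cookie login: HTTP %d\n", replay(true));
printf("keep token on cookie login: HTTP %d\n", replay(false));
```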
@sartor yes, that seems valid but I'm not sure how to solve that since not regenerating causes possible security issues.
Maybe it is possible to not regenerate the session if it is recovered from the "remember me" token? Is it a security breach?
Possibly not. Need to review it in detail.
My issue isn't related to just AJAX. It's any post - AJAX, form or even via links.
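Thanks @sartor who mentioned 'remember me'. I stepped through my user model (which extends \yii\web\User). I resolved it by extending the login function:
```php
// Override in the custom user component: same call as the parent,
// but with a non-zero default "remember me" duration (in seconds).
public function login(\yii\web\IdentityInterface $identity, $duration = 3600)
{
    return parent::login($identity, $duration);
}
```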
Simply set $duration to any value > 0 and post now works.
This is probably not the correct solution but it resolves my issue.
I'm also seeing a higher than normal amount of "yii\web\BadRequestHttpException: Unable to verify your data submission" errors today after upgrading to 2.0.14.1. Is there anything I can provide that might help you dig into this?
If it helps, I'm using the advanced template, each app with their own CSRF token.
```php
'components' => [
    'request' => [
        'csrfParam' => '_publisher_csrf',
        'baseUrl' => '/publisher',
    ],
    // remaining components not shown in the original comment
],
```
I subscribe to this; upgrading to the latest version simply had me disable CSRF token validation because of the high number of errors (Unable to verify your data submission) I get when submitting the forms.
There is def. something wrong.
The problem is well described in https://github.com/yiisoft/yii2/issues/15783#issuecomment-368964002
Verified that not regenerating token when prolonging via "remember me" cookie is OK security-wise.
I'm having this problem in a form which has a field decorated with a Select2 widget that performs an AJAX request to search and retrieve the select options through a web service in the same app. It seems that the AJAX response updates the CSRF cookie, but neither the CSRF param meta tag nor the CSRF hidden input. So when I submit the form through a normal POST, the CSRF validation fails because the CSRF state has changed since the page was rendered.
I tried to manually update the CSRF token using the Yii client API (yii.setCsrfToken()), but it didn't work.
Do you know any workaround for such a case?
Take a look at this article https://segmentfault.com/q/1010000004450797
@xutl I can't reach it.
\yii\web\User\login regenerateCsrfToken(). Since 2.0.14.2
@feiyangzhang I'm having this issue on 2.0.16.
So I'd better always call regenerateCsrfToken() just before showing the login forms?