"Security error occurred" dialog when IP address changes

[ivp]

Affected version

2.2.12

I'm filing this bug as agreed with Jon from XenForo support.

Steps to reproduce on mobile phones (iPhone 13 and Redmi 9 having Android 11), when not connected to cable ISP, but to the mobile operator network:

• Login to Forum
• Write a message
• Switch to some other app (leaving the browser)
• More than 4 hours passes (user session limit)
• Open email app
• Got notification from Forum about a new message in the forum topic, click the link to visit it
• The corresponding page of the Forum opens (seeing that you are no longer logged in)
• "Security error occurred. Please press back, refresh the page, and try again" dialog appears.
• After refreshing the page, the same message pops up again
• Any subsequent page you visit - the same message keeps popping up
• The only solution to stop seeing the error is to log in to the Forum again

I understand that IP change triggers such error on a session and that might be the cause of this.

When using mobile networks (and majority of users do), IP addresses tend to change pretty quickly and there is nothing we can do about that.

This issue happens less with $config['enableLoginCsrf'] = false;, but using this is not the solution.

Also "Security error occurred. Please press back, refresh the page, and try again." dialog is a horrible user experience. It looks like there is some security incident on the forum. Even if we change the wording, it is still bad user experience.

If we need to trigger this error, my suggestion is to force invalidating session and refreshing the page automatically, without displaying any dialog.

 

[Chris D]

At this point, all I can say, is there seems to be more at play here than expected.

I do experience this to an extent under similar circumstances, but it displays differently.

• User (me) never appears logged out
• Security error only appears when performing an AJAX request
• Doing a normal navigation away from the page (such as clicking a thread/forum, or the logo or some other link on the page) resolves the issue.

The security error thing is only supposed to happen if the CSRF token fails to validate. But that, as I imply above, is only when an AJAX request is performed.

This very likely means you have add-ons or some other customisations at play here which is triggering an AJAX request on every page.

There is definitely a valid, underlying issue. Specifically the CSRF token is invalid after a period of inactivity. But it shouldn't be nagging you nor should it be making you appear logged out.

 

[ivp]

Not aware of add-ons making AJAX requests, nor seeing strange requests. Any way to troubleshoot this?

Also noticed that this issue is happening more often after started using Cloudflare.

Does it make sense to add some debugging code to log this error and provide more details?

Please find below excerpt from the log file right when dialog appeared (using the same IP address for all requests and user agent "Mozilla/5.0 (Linux; Android 12; M2102J20SG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Atom/1.6.1.0 Mobile Safari/537.36"):

[10:20:26] "GET /threads/(removed part) HTTP/2.0" 200 46665
[10:56:37] "POST /login/keep-alive HTTP/2.0" 200 187
[10:56:40] "GET /whats-new/posts/ HTTP/2.0" 303 0
[10:56:40] "GET /whats-new/posts/1555180/ HTTP/2.0" 200 28925
[10:56:42] "GET /account/alerts-popup?_xfRequestUri=%2Fwhats-new%2Fposts%2F1555180%2F&_xfWithData=1&_xfToken=1675677400%2C(removed part)&_xfResponseType=json&_=1675677569870 HTTP/2.0" 200 5407

 

[Chris D]

Which add-ons do you have installed?

Having the browser console open may help debug the issue. Particularly the network tab or the console tab. Both should list requests, particularly failed requests, and that might shed some light as to the specific request causing it.

 

[ivp]

Have a bunch of installed add-ons, mostly from Xon. Could send a complete list to support or via conversation if necessary.

I managed to reproduce this issue on mobile phone only. Don't see odd requests in browser console on the desktop.

Logs shown in my previous message are also from mobile phone and do not snow anything strange, but "/login/keep-alive" that might be that AJAX request you are talking about? Note that PWA is enabled, not sure is this related.

 

[jb-net]

My users also have this problem in my Forum (also running XF 2.2.12). It happens when using the Forum on a Smartphone. With the help of my users and my logfiles I see it happening if they already have the forum open in a tab from previous visits and their IP address changes -> which seems to trigger a change in the CSRF token. If they then tab on the Alerts Icon (in the previous opened tab) the error message appears.

 

[ivp]

Instead of displaying "Security error occurred. Please press back, refresh the page, and try again." dialog, is it possible to invalidate session and/or refresh the page automatically?

 

[HybridBoy]

i have same error , any fix to this?

"Security error occurred. Please press back, refresh the page, and try again."

 

[digitalpoint]

FWIW, even if you aren't using PWA, my PWA addon makes a change that should solve it. It was done to solve stale CSRF tokens when you load the PWA app, but it works on normal browsers too (not just PWA). Doesn't solve the issue of being logged out that the OP had, but the problems related to stale CSRF tokens, yes.

Use Sec-Fetch-Site header as replacement for CSRF with a fallback to CSRF if browser doesn't support Sec-Fetch-Site (prevent stale sessions from causing security error message)