How to: Development: Error: Access Denied: Possible CSRF Attack¶
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
In the CS-Cart in most cases the issue with CSRF-attack appears because of the value of the
max_input_vars PHP directive on your server are . In this case server truncates the request and if the security_hash` parameter gets truncated, the error message appears.
Increasing the value of the
max_input_vars PHP directive to
10000 or more.
max_input_vars directive help to web application truncate the request. If the attacker, for example, will try to send significant requests to your web-application (CS-Cart) it can crash/error or take down your webserver (DoS attack).
By default, this directive is set to 1000 in PHP, which means that you cannot send more than a thousand form fields in one request. We provide 5000 by default to the CS-Cart projects (on own risk).
By design, a lot of CMS trim big queries to the smaller and make several synchronous requests for transferring the data. CS-Cart instead of this trying to make one big request. And this is the root cause of this error message.
As a conclusion, I want to say that increasing the
max_input_vars directive is a dangerous modification. And if you do changes for this directive to 10000 or 20000 or more, we recommend roll back them in the future.