How to: Development: Error: Access Denied: Possible CSRF Attack

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Impact

In the CS-Cart in most cases the issue with CSRF-attack appears because of the value of the max_input_vars PHP directive on your server are . In this case server truncates the request and if the security_hash` parameter gets truncated, the error message appears.

Solutions

Solution 1

Increasing the value of the max_input_vars PHP directive to 10000 or more.

Solution 2

This is very bad way, but you can disable tweak anti_csrf at the config.local.php file. It will looks like on this screenshot.

Accident risk

max_input_vars directive help to web application truncate the request. If the attacker, for example, will try to send significant requests to your web-application (CS-Cart) it can crash/error or take down your webserver (DoS attack).

By default, this directive is set to 1000 in PHP, which means that you cannot send more than a thousand form fields in one request. We provide 5000 by default to the CS-Cart projects (on own risk).

By design, a lot of CMS trim big queries to the smaller and make several synchronous requests for transferring the data. CS-Cart instead of this trying to make one big request. And this is the root cause of this error message.

Conclusion

As a conclusion, I want to say that increasing the max_input_vars directive is a dangerous modification. And if you do changes for this directive to 10000 or 20000 or more, we recommend roll back them in the future.


---
If you have a problem, need assistance with tweaks or a free consultation, if you just want to discuss your project with experts and estimate the outcome, if you're looking for a solution that reinforces your online business, we will help. Email us.