Problem/Motivation

The changes made in issue https://www.drupal.org/project/drupal/issues/144538 do not work quite correctly.
When creating a logout link, the token parameter is always outdated. Even if it is changed from the default using $this->csrfToken->get('user/logout'), in $this->csrfToken->validate($request->query->get('token', ''), $path) we always get false, because $seed = $this->sessionMetadata->getCsrfTokenSeed() constantly returns different values for every request, and by the time of the check the token from the link is already out of date. We always get a confirmation form to log out.

Steps to reproduce

Use the debugger to check the $seed values in CsrfAccessCheck->access (line 65) and CsrfTokenGenerator->validate (line 85) across multiple page reloads. For example, it can be clicking the logout button on the main page.
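The failure described in the summary can be reproduced in isolation with a stand-alone model of a seed-keyed CSRF token scheme. This is an added example, not Drupal's CsrfTokenGenerator or RouteProcessorCsrf; the SessionMetadata class, the PRIVATE_KEY and HASH_SALT constants and the three demo functions are constructed for illustration. It shows that validation only works when the seed read at validation time is the same seed that minted the link, and that a token minted for one path does not validate for another.

```python
"""Stand-alone model of a seed-keyed CSRF token scheme (constructed example, not Drupal code)."""
import base64
import hashlib
import hmac
import os

# Constructed site-wide secrets; a real site loads these from its configuration.
PRIVATE_KEY = b"constructed-private-key"
HASH_SALT = b"constructed-hash-salt"


def compute_token(seed: bytes, value: str) -> str:
    """HMAC-SHA256 of the token value (e.g. a path) keyed by the per-session seed
    plus the site secrets, base64url-encoded without padding. Mixing `value` into
    the MAC binds the token to that path."""
    key = seed + PRIVATE_KEY + HASH_SALT
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


class SessionMetadata:
    """Hypothetical per-session store for the CSRF seed."""

    def __init__(self):
        self._seed = None

    def get_csrf_token_seed(self):
        return self._seed

    def set_csrf_token_seed(self, seed: bytes):
        self._seed = seed


class CsrfTokenGenerator:
    """Mint and validate tokens against whatever seed the session currently holds."""

    def __init__(self, session: SessionMetadata):
        self.session = session

    def get(self, value: str = "") -> str:
        # Lazily create the seed the first time this session needs one.
        seed = self.session.get_csrf_token_seed()
        if seed is None:
            seed = os.urandom(32)
            self.session.set_csrf_token_seed(seed)
        return compute_token(seed, value)

    def validate(self, token: str, value: str = "") -> bool:
        # Recompute from the *current* seed and compare in constant time.
        seed = self.session.get_csrf_token_seed()
        if seed is None:
            return False
        return hmac.compare_digest(compute_token(seed, value), token)


def token_survives_with_stable_seed() -> bool:
    """Healthy case: the seed persists between the request that renders the link
    and the request that follows it, so the link validates."""
    session = SessionMetadata()
    link_token = CsrfTokenGenerator(session).get("user/logout")        # request 1 renders the link
    return CsrfTokenGenerator(session).validate(link_token, "user/logout")  # request 2 clicks it


def token_fails_when_seed_regenerates() -> bool:
    """Failure mode from the report: the seed seen at validation time differs from
    the one that minted the link, so validate() is False on every click and the
    user lands on the confirmation form instead of being logged out."""
    session = SessionMetadata()
    link_token = CsrfTokenGenerator(session).get("user/logout")
    session.set_csrf_token_seed(os.urandom(32))  # models a seed that changes per request
    return CsrfTokenGenerator(session).validate(link_token, "user/logout")


def token_is_bound_to_path() -> bool:
    """Even with a stable seed, a token minted for one path does not validate for another."""
    gen = CsrfTokenGenerator(SessionMetadata())
    return gen.validate(gen.get("user/logout"), "admin/config")


if __name__ == "__main__":
    print("stable seed validates:", token_survives_with_stable_seed())
    print("regenerated seed validates:", token_fails_when_seed_regenerates())
    print("token valid for other path:", token_is_bound_to_path())
```

The practical check this suggests when debugging the report: confirm that the seed read inside validate() is the same value that was present when the link was rendered, and that the token in the link was minted for exactly the path being validated.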

Comments

pifagor created an issue. See original summary.

cilefen

I don't understand whether this bug report is about Drupal Core unaltered or with custom code. If there is custom code, could you please share bug reproduction code?

Have you called \Drupal\Core\Routing\UrlGeneratorInterface::generateFromRoute with user.logout to generate the link?

pifagor

The custom code is just preparing the link for logout.
"Have you have called \Drupal\Core\Routing\UrlGeneratorInterface::generateFromRoute with user.logout" - yes, but as I wrote before, the token is regenerated constantly, and despite using generateFromRoute, it is constantly out of date in csrfToken->validate.

cilefen

Version: 10.3.x-dev » 11.x-dev
Issue tags: +Needs tests

I am moving this to the development branch in case there is a merge request.

Can you author a failing test for this?

catch

@pifagor in what kind of context is the link being rendered? This sounds like a render caching issue.

CSRF tokens are rendered via a placeholder/lazy builder

(see

    $placeholder_render_array = [
      '#lazy_builder' => ['route_processor_csrf:renderPlaceholderCsrfToken', [$path]],
    ];

from RouteProcessorCsrf)

However, if the placeholder rendering itself gets cached somehow, or is used in a different context like e-mail, then you end up with invalid CSRF links.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.