
Underscore in URL leads to invalid CSRF Token error with IE11

Hi guys, I was going to post a request for help regarding an issue we were having with Internet Explorer 11 and CSRF Token errors. However, while writing the post we've actually been able to get to the bottom of the problem and thought it would be worth letting you know.

The issue we were having is that when we submitted the form at /scp/login.php using IE11 we would get a 400 error; however, Chrome and Firefox behaved fine. There were lots of CSRF Token errors in the logs and we tried everything we could think of at the time to figure out what IE was doing differently. Turns out that it was caused by an underscore in the subdomain of our helpdesk URL, so support_team.ourdomain.co.uk would error but supportteam.ourdomain.co.uk was fine.

Why IE throws a fit and Chrome is fine with it is beyond us, but is osTicket ignoring certain characters when generating the CSRF tokens?

osTicket Version v1.9.12 (19292ad)
Web Server Software Apache/2.4.16 (Win64) OpenSSL/1.0.2d
MySQL Version 5.6.21
PHP Version 5.6.13

Cheers

Comments

  • Please see
    https://en.wikipedia.org/wiki/Hostname#Restrictions_on_valid_host_names

    section: Restrictions on valid host names

    The Internet standards (Requests for Comments) for protocols mandate that component hostname labels may contain only the ASCII letters 'a' through 'z' (in a case-insensitive manner), the digits '0' through '9', and the hyphen ('-'). The original specification of hostnames in RFC 952, mandated that labels could not start with a digit or with a hyphen, and must not end with a hyphen. However, a subsequent specification (RFC 1123) permitted hostname labels to start with digits. No other symbols, punctuation characters, or white space are permitted.

    While a hostname may not contain other characters, such as the underscore character (_), other DNS names may contain the underscore.[4] Systems such as DomainKeys and service records use the underscore as a means to assure that their special character is not confused with hostnames. For example, _http._sctp.www.example.com specifies a service pointer for an SCTP capable webserver host (www) in the domain example.com. Note that some applications (e.g. Microsoft Internet Explorer) won't work correctly if any part of the hostname contains an underscore character.[5]
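The RFC 952/1123 label rules quoted above, turned into a small checker (an added example for this thread, not osTicket's own code; the function names `check_hostname` and `is_underscore_dns_name` are chosen here): it flags the underscore label from the original post and separately recognises underscore-prefixed DNS names such as the `_http._sctp` service record, which are not host names.

```python
import re

# RFC 1123 host-name label: 1 to 63 ASCII letters, digits or hyphens,
# not starting or ending with a hyphen. Nothing else is allowed.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_hostname(name: str) -> list[str]:
    """Return a list of problems with `name` as a host name (empty if valid).

    Implements the rules quoted in the thread: each dot-separated label may
    contain only ASCII letters, digits and hyphens, may not start or end with
    a hyphen, and no underscore, punctuation or whitespace is permitted.
    """
    problems = []
    name = name.rstrip(".")  # tolerate a trailing dot (fully-qualified form)
    if not name:
        return ["empty host name"]
    if len(name) > 253:
        problems.append("host name longer than 253 characters")
    for label in name.split("."):
        if not label:
            problems.append("empty label (consecutive dots)")
        elif "_" in label:
            # The case from the original post: support_team.ourdomain.co.uk
            problems.append(f"label {label!r} contains an underscore")
        elif not LABEL_RE.match(label):
            problems.append(f"label {label!r} is not a valid RFC 1123 label")
    return problems


def is_underscore_dns_name(name: str) -> bool:
    """True for DNS names like _http._sctp.www.example.com, where a leading
    underscore marks a service or DomainKeys record rather than a host.
    Every label must be either a valid host label or an underscore-prefixed
    valid label, and at least one label must carry the underscore prefix."""
    labels = name.rstrip(".").split(".")
    if not any(label.startswith("_") for label in labels):
        return False
    return all(LABEL_RE.match(label[1:] if label.startswith("_") else label)
               for label in labels)


if __name__ == "__main__":
    for host in ("support_team.ourdomain.co.uk", "supportteam.ourdomain.co.uk"):
        print(host, "->", check_hostname(host) or "OK")
    print("_http._sctp.www.example.com ->",
          is_underscore_dns_name("_http._sctp.www.example.com"))
```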
