Underscore in URL leads to invalid CSRF Token error with IE11
Hi guys, I was going to post a request for help regarding an issue we were having with Internet Explorer 11 and CSRF Token errors. However, while writing the post we've actually been able to get to the bottom of the problem and thought it would be worth letting you know.
The issue we were having is that when we submitted the form at /scp/login.php using IE11 we would get a 400 error, however Chrome and Firefox behaved fine. There were lots of CSRF Token errors in the logs and we tried everything we could think of at the time to figure out what IE was doing differently. Turns out that it was caused by an underscore in the subdomain of our helpdesk URL, so support_team.ourdomain.co.uk would error but supportteam.ourdomain.co.uk was fine.
Why IE throws a fit and Chrome is fine with it is beyond us, but is osTicket ignoring certain characters when generating the CSRF tokens?
osTicket Version v1.9.12 (19292ad)
Web Server Software Apache/2.4.16 (Win64) OpenSSL/1.0.2d
MySQL Version 5.6.21
PHP Version 5.6.13