#33147 LastPass causes problems with WAF -> Advanced CSRFShield

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by Nikon on Saturday, 06 June 2020 03:28 CDT

Nikon
Hello there

We've had some problems with mobile phone users not being able to log in to the page.
I finally found out what the problem is.
It seems to be the CSRF filter and LastPass.
When using LastPass on the mobile phone, it pops up a request to choose a username/password for the site.
This apparently makes the CSRF set in Advanced mode get quite angry, and send you to the blocked page.
If I set it to Basic, it allows me to log in without issues.
The login box is from Community Builder.
Can I do something better than just setting it to basic mode, some sort of exception for this?

tampe125
Akeeba Staff
Hello,

when using the Advanced mode, we inject a hidden text field into the form. Usually bots will try to fill every field they find, so if Admin Tools finds such a field filled with any value, it will block the request.
I suspect LastPass is aggressively filling the wrong field, leading to the block. At this point the only solution is to use CSRF set to Basic, since the issue is triggered from something that is out of our (you and us) control.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
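The mechanism tampe125 describes, as an added illustration that is not Admin Tools or Akeeba code: a visually hidden text input is rendered into the form, and the server blocks any submission in which that input arrives non-empty. The field name, the CSS hiding technique, the block decision and the three constructed POST bodies are all assumptions made for this example; it also shows why an autofill tool that writes into the hidden input produces exactly the false positive reported in this ticket.

```php
<?php
// Added example, not Admin Tools code: a minimal form-honeypot check of the kind
// the reply above describes. HONEYPOT_FIELD is a constructed name; real
// products choose their own.
const HONEYPOT_FIELD = 'website_url';

// Render the honeypot as a real text input that is moved off-screen rather than
// type="hidden": a form-filling bot sees an ordinary text field, a human never does.
function honeypotMarkup(string $field = HONEYPOT_FIELD): string
{
    $name = htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label for="' . $name . '">Leave this field empty</label>'
         . '<input type="text" id="' . $name . '" name="' . $name . '"'
         . ' value="" autocomplete="off" tabindex="-1">'
         . '</div>';
}

// Decide whether a submitted form should be blocked. The rule is deliberately
// simple: any non-empty value in the honeypot means "not a human typing".
// Nothing here can tell a bot apart from a password manager that autofilled
// the same input, which is the limitation the ticket runs into.
function honeypotTripped(array $post, string $field = HONEYPOT_FIELD): bool
{
    if (!array_key_exists($field, $post)) {
        return false; // field not submitted at all: nothing to judge on
    }
    $value = $post[$field];
    if (is_array($value)) {
        return true; // an array here can only come from a crafted request
    }
    return trim((string) $value) !== '';
}

// Constructed POST bodies for the three cases discussed in the ticket.
$cases = [
    // Human: the browser submits the off-screen field untouched.
    'human'    => ['username' => 'alice', 'passwd' => 'correct-horse', HONEYPOT_FIELD => ''],
    // Bot: fills every text input it finds, including the honeypot.
    'bot'      => ['username' => 'alice', 'passwd' => 'x', HONEYPOT_FIELD => 'http://spam.invalid'],
    // Autofill: a password manager writes a stored value into the hidden input
    // as well, so a legitimate login is indistinguishable from the bot case.
    'autofill' => ['username' => 'alice', 'passwd' => 'correct-horse', HONEYPOT_FIELD => 'alice'],
];

foreach ($cases as $label => $post) {
    printf("%-8s -> %s\n", $label, honeypotTripped($post) ? 'BLOCKED' : 'allowed');
}
```

The `autocomplete="off"` and `tabindex="-1"` attributes in the markup are hints, and password managers are free to ignore them on login forms; that is why the server-side rule cannot be tightened to exclude autofill without also letting bots through, which is the point of the staff reply.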

Nikon
Ok, yes, that makes sense, it would try to put something in that I guess.
I've actually had to remove the CSRF completely, as it also locked me out of the backend with it set to basic.
