I’m running a Yii2 (2.0.38) application on Microsoft Azure and seem to be getting a lot of :
[error][yii\web\HttpException:400] yii\web\BadRequestHttpException: Unable to verify your data submission. in D:\home\site\vendor\yiisoft\yii2\web\Controller.php:202
#0 D:\home\site\vendor\mdmsoft\yii2-admin\controllers\UserController.php(51): yii\web\Controller->beforeAction(Object(yii\base\InlineAction))
#1 D:\home\site\vendor\yiisoft\yii2\base\Controller.php(178): mdm\admin\controllers\UserController->beforeAction(Object(yii\base\InlineAction))
#2 D:\home\site\vendor\yiisoft\yii2\base\Module.php(528): yii\base\Controller->runAction(‘login’, Array)
#3 D:\home\site\vendor\yiisoft\yii2\web\Application.php(103): yii\base\Module->runAction(‘admin/user/logi…’, Array)
#4 D:\home\site\vendor\yiisoft\yii2\base\Application.php(386): yii\web\Application->handleRequest(Object(yii\web\Request))
#5 D:\home\site\wwwroot\admin\index.php(17): yii\base\Application->run()
errors. How can I go about troubleshooting this? Normally I find the culprit in the stack trace, but I’ll admit in this case, I don’t know what to do.
I have some problems with this and running on AWS.
My diagnosis is that this problem usually occurs to users who start to fill a form and let it unfinished opened for a long period of time (15min+) or some users with very slow internet.
I don’t think it is a Yii2-specific issue though, but don’t now how to tackle it and would be great to hear from others.
This is likely to do with CSRF Protection.
In order to prevent CSRF attacks all POST request must include a valid CSRF Token. if this token is not present or can not be verified, Yii will abort the request with the that error.
I don’t know exactly how long the tokens are valid but if users are waiting 15+ minutes before submitting a form, the most likely cause is expired tokens.
There are many possible causes of this issue, such as:
session expired - normally after 20 minutes each PHP session expires, so any submitted CSRF token will be invalid
you have many tabs open in a browser for the same site/page - if you do one request in first tab, POST form submitted in a seconds tab will submit already invalid CSRF token
missing CSRF parameters in ajax request - these must be injected by you, it is not done automatically by framework unless you render ActiveForm - e.g. see solution here.