Cross Site Request Forgery (XSRF) Attack Detected

Question

I am currently running SugarCRM 7.9.4.0. I've been upgrading our server to migrate to 8.x. I have CentOS 6.10 x64, Apache HTTP 2.4, PHP 7.3, MySQL 5.7, Elasticsearch 6.5. Everything seems to function just fine on the user end, but when I try to run a diagnostic to check things, I get the error message in the title:

Cross Site Request Forgery (XSRF) Attack Detected
Form authentication failure (Administration -> DiagnosticRun). Contact your administrator.

I tried searching around for answers, and found this page discussing the topic vaguely:

https://support.sugarcrm.com/Knowledge_Base/Troubleshooting/Troubleshooting_Cross-Site_Forgery_Messages/index.html

I followed the guide to put my URL's name in the config_override.php. I still get this issue. I also received this error with other actions as well. I don't want to manually enter all these actions like the knowledge base offers. There's nothing in the SugarCRM log about this either. Anyone have any suggestions?

P.S. I never paid attention, but the URL is using the # hash method instead of an HTML 5 browser history management scheme. I'm not sure if it was like this prior. Maybe that has something to do with the hostname and XSRF error? What should I do about this if it is?

Thanks!

Conrad Brinker · Accepted Answer

Hi Conrad,

Why are you using PHP 7.3? I think the problem here is PHP version because Sugar 7.9/8.x is compatible with PHP 7.1. Please see below link for supported platforms.

http://support.sugarcrm.com/Resources/Supported_Platforms/Sugar_8.0.x_Supported_Platforms/

A few days ago, I accidentally switch the PHP version of my local server from 7.1 to 7.2 and start having similar XSRF and ZIP module (while uploading package via Module loader) problems. So I believe changing the PHP version to the compatible one will resolve your issues.

Regards,

Junaid Usman