
#31533 AdminTools is blocking HikaShop Checkout only on Mobile/Smartphone

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket


Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Monday, 15 July 2019 05:04 CDT

deeno
Dear Nicholas,

we just went live with a new website of a client, and I just noticed that if I place an order via HikaShop on my mobile phone (Android) I get an error: 403 - This request is blocked by Admin Tools ... etc. and if I check the backend, I see in the "Security Exceptions Log" a CSRF Shield exception for .../checkout/task-step/step-2 (which is the page after entering the address information). Any idea what can cause this? On my desktop/notebook (same IP/internet connection) all works fine...

Any help is much appreciated!

Best regards/With respect

Konstantinos

nicholas
Akeeba Staff
Manager
Good morning Konstantinos,

Based on what you describe either HikaShop is doing something wrong or the mobile web browsers do something they shouldn't.

Please go to Components, Admin Tools, Web Application Firewall, Configure WAF, Request Filtering and check the "CSRF/Anti-spam form protection (CSRFShield)" setting.

If it was set to Basic then the problem is that HikaShop does not include an anti-spam CSRF token in the checkout page. Not including a CSRF token in a form is all sorts of wrong. A form lacking a CSRF token can be used to trick users or, more simply, allow a bot to very quickly overwhelm your site with fake orders. I would report that as a medium level bug to the developer. In the meantime set this to No to prevent this issue from occurring during mobile checkout.

If it was set to Advanced the problem is with the mobile browsers. The "Advanced" setting includes a hidden text field in the form with an unintelligible name. If this field is not empty when the form is submitted we block the request. The idea is that the field is hidden i.e. a human cannot see and fill it in. Only a bot would try to fill it in. Some browsers' form detection may try to fill it in with unrelated information they think should be part of a checkout form, causing the problem. In this case there's nothing you can do except set the CSRF protection setting to Basic or No.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
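The reply above describes three CSRFShield modes: No (no check), Basic (the form must echo back a per-session anti-CSRF token) and Advanced (Basic plus a hidden honeypot field with an unintelligible name that must come back empty, which browser autofill can trip). The following is an added model of that logic, written here for illustration; it is not Admin Tools' or HikaShop's code, and the field names, mode labels and sample submissions are constructed assumptions.

```python
import hmac
import secrets
from typing import Mapping

# Added example, not code from Admin Tools or HikaShop. Mode labels follow the
# WAF setting described in the reply; field names are assumed for illustration.
MODE_NO = "No"
MODE_BASIC = "Basic"
MODE_ADVANCED = "Advanced"

CSRF_FIELD = "csrf_token"       # assumed name of the anti-CSRF token field
HONEYPOT_FIELD = "x9f3kq2mz"    # assumed "unintelligible" hidden field name


def new_session_token() -> str:
    """Per-session secret that a legitimate form embeds and echoes back."""
    return secrets.token_hex(16)


def check_submission(fields: Mapping[str, str], mode: str, session_token: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a POSTed form under the given CSRFShield mode.

    No:       nothing is checked.
    Basic:    the form must carry a token equal to the session's token.
    Advanced: Basic, plus the hidden honeypot field must be submitted empty;
              a human never sees it, so only a bot (or an over-eager
              browser autofill) writes into it.
    """
    if mode == MODE_NO:
        return True, "no check"
    if mode not in (MODE_BASIC, MODE_ADVANCED):
        raise ValueError(f"unknown mode {mode!r}")

    token = fields.get(CSRF_FIELD, "")
    # Constant-time comparison so the token check does not leak timing information.
    if not token or not hmac.compare_digest(token, session_token):
        return False, "missing or invalid CSRF token"

    if mode == MODE_ADVANCED and fields.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot field was filled"

    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Replay the situations from the ticket against one session token."""
    tok = new_session_token()
    # Constructed sample submissions:
    desktop = {"address": "1 Example St", CSRF_FIELD: tok, HONEYPOT_FIELD: ""}
    no_token = {"address": "1 Example St"}                     # form that omits the token
    autofilled = {"address": "1 Example St", CSRF_FIELD: tok,
                  HONEYPOT_FIELD: "Konstantinos"}               # autofill wrote into the honeypot
    return {
        "desktop_advanced": check_submission(desktop, MODE_ADVANCED, tok),
        "form_without_token_basic": check_submission(no_token, MODE_BASIC, tok),
        "autofill_advanced": check_submission(autofilled, MODE_ADVANCED, tok),
        "autofill_basic": check_submission(autofilled, MODE_BASIC, tok),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'} ({reason})")
```

The `autofill_advanced` case reproduces the ticket: the token is valid, but because the honeypot came back non-empty the request is blocked, which is the 403 logged as a CSRF Shield exception. Dropping to Basic (`autofill_basic`) lets the same submission through, which matches the workaround the reply suggests.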

deeno
Thank you for the prompt reply.
As it turns out the problem was the mobile browser (chrome on android).
I filled out the form not using auto-fill and it worked.
I changed the setting from "Advanced" to "Basic".
Thank you,
with respect,
Konstantinos

nicholas
Akeeba Staff
Manager
You're welcome :)

Nicholas K. Dionysopoulos

Lead Developer and Director

