PunBB Forums - Unable to confirm security token

Re: Unable to confirm security token

2009-11-22T04:59:57Z

I'm getting this same error more frequently. Usually when I vote karma or sometimes replying to a post.
If I hit the back button and refresh, it usually works (but sucks when you get it after typing a reply to a post).

Re: Unable to confirm security token

2009-08-14T17:36:08Z

Hi,

had same problem. Use get_current_url 'fn_get_current_url_start' hook to fix it, the function is strange. It does retrieve current url by '$protocol.$_SERVER['HTTP_HOST'].$port.$_SERVER['REQUEST_URI'];' which just isn't this way in all cases.

Re: Unable to confirm security token

2009-06-15T14:53:45Z

tj111 wrote:

...I was unable to figure out how to successfully create csrf tokens for forms that exist outside of my punbb directory.

You need to add hidden value to your form:

Re: Unable to confirm security token

2009-06-12T16:48:57Z

tj111 wrote:

I agree it's not advisable, but I was unable to figure out how to successfully create csrf tokens for forms that exist outside of my punbb directory.

It wasn't intended as a criticism. I merely mentioned it so that people don't blindly apply that change above without realising that it has drawbacks.

Re: Unable to confirm security token

2009-06-12T14:34:21Z

I agree it's not advisable, but I was unable to figure out how to successfully create csrf tokens for forms that exist outside of my punbb directory.

Re: Unable to confirm security token

2009-06-09T19:19:09Z

tj111 wrote:

I too was having a similar issue after converting our CMS to use PunBB's login authentication system. The simple solution is to just define the constant FORUM_SKIP_CSRF_CONFIRM before including any PunBB code. It took some digging, but I found that check included in include/common.php before verifying the CSRF token.
define("FORUM_SKIP_CSRF_CONFIRM", 1);

Just a note for anyone who may read this thread. Doing as suggested above is most definitely not advisable.

Re: Unable to confirm security token

2009-06-09T18:02:43Z

I too was having a similar issue after converting our CMS to use PunBB's login authentication system. The simple solution is to just define the constant FORUM_SKIP_CSRF_CONFIRM before including any PunBB code. It took some digging, but I found that check included in include/common.php before verifying the CSRF token.

define("FORUM_SKIP_CSRF_CONFIRM", 1);

Re: Unable to confirm security token

2009-06-08T09:00:06Z

Wuu wrote:

Where i can get list of $forum_url ,or get rid off this annoying fing "Unable to confirm security token". Why the hell you really need it? Anyway $forum_url['login'] is for login form ,but i need for logout,post edit etcc..

$forum_url is defined in include/url//forum_urls.php

the security token is needed for csrf attacks, more info here: http://en.wikipedia.org/wiki/Cross-site_request_forgery

Unable to confirm security token

2009-06-08T08:51:42Z

$forum_page['redirect_url'] = WWW.'viewtopic/'.$id;
$forum_page['form_action'] = forum_link($forum_url['login']);
$forum_page['hidden_fields'] = array(
'form_sent' => '',
'forum_user' => '',
'redirect_url' => '',
'csrf_token' => ''
);

Where i can get list of $forum_url ,or get rid off this annoying fing "Unable to confirm security token". Why the hell you really need it? Anyway $forum_url['login'] is for login form ,but i need for logout,post edit etcc..