Topic: non-punbb feedback form ask for CSRF

Hello,

I hope someone can shine a light on this issue.

My issue is not during login but my site has an integrated login (all pages include punbb common.php and a login form).

I have a simple contact (feedback) form on a non-punbb page on my site. The submit post action is set to reload the contact page. But when it reloads, I am redirected to a punbb page requesting a confirm action (security token confirm page).

Does anyone know what might cause this?

Thank you very much

Re: non-punbb feedback form ask for CSRF

Well I figured that I need to issue a security token on any form now that common.php is included everywhere. I was doing that but because of clean urls I needed to give generate_form_token() the full url like

"http://www.website.com/index.php?section=contact" instead of "http://www.website.com/contact".

Re: non-punbb feedback form ask for CSRF

You need to generate a csrf token in your contact form to skip its validation. Add this to your form:

<input type="hidden" name="csrf_token" value="<?php echo generate_form_token('http://www.website.com/index.php?section=contact'); ?>" />

Does it work?

Re: non-punbb feedback form ask for CSRF

Slavok wrote:

You need to generate a csrf token in your contact form to skip its validation. Add this to your form:

<input type="hidden" name="csrf_token" value="<?php echo generate_form_token('http://www.website.com/index.php?section=contact'); ?>" />

Does it work?


Yes, it works. It was not clear to me at first that I needed to add that token to forms that are not related to the forums. And then when I added that line I used the clean url version instead of the index.php string...

Thank you.
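
Added example, not part of the thread and not PunBB's own code: a sketch of a CSRF token bound to the form's target URL, showing why a token generated from the clean URL is rejected when the server checks it against the rewritten index.php URL. The function names, the HMAC construction and the secret are assumptions made for illustration; the thread does not show how generate_form_token() computes its value.

```php
<?php
// Added illustration; NOT PunBB's code. All names below are hypothetical.

// Token = HMAC over the URL the form will be posted to, keyed per user.
function demo_form_token(string $target_url, string $user_secret): string
{
    return hash_hmac('sha256', $target_url, $user_secret);
}

// The server recomputes the token from the URL it actually received,
// i.e. the internal URL after any clean-URL rewriting.
function demo_check_post(array $post, string $request_url, string $user_secret): bool
{
    if (!isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false; // no token at all: show the confirm page
    }
    $expected = demo_form_token($request_url, $user_secret);
    return hash_equals($expected, $post['csrf_token']); // constant-time compare
}

// Constructed sample values.
$secret    = 'constructed-per-user-secret';
$clean_url = 'http://www.website.com/contact';
$real_url  = 'http://www.website.com/index.php?section=contact';

// The rewrite rule maps /contact to index.php?section=contact, so the
// server-side check sees $real_url regardless of what the browser shows.
$cases = [
    'token built from clean URL' => ['csrf_token' => demo_form_token($clean_url, $secret)],
    'token built from real URL'  => ['csrf_token' => demo_form_token($real_url, $secret)],
    'no token in form'           => ['message' => 'hello'],
];

foreach ($cases as $label => $post) {
    $ok = demo_check_post($post, $real_url, $secret);
    printf("%-28s => %s\n", $label, $ok ? 'accepted' : 'confirm page');
}
```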