Topic: Logout token problem

Ok...

I held my tongue because I thought it was my site doing it. But doing testing here on punbb I have found that it has the same problem. Plus I run another site.. read below. Work intranet site.

I have to click log out 5 times to logout of my site/this site/any site.
The fault I think is to do with the token.

I havent checked but im guessing the token is created via the IP address and AS im at work behind a proxy my ip address changes so often that the token does not match up with my changed ip address. Fair enough the token is a fix... but this must be a bug. I would not mind clicking twice to log out, but seriously 5 clicks.

I use PunBB for an intranet site I created for my work. When I updated to 1.2.17 I have been getting mails daily expressing issues with logging out. My work intranet is meant to be secure and people are meant to log out of the site at night so this is becoming a major issue now.

Any ideas smartys... tongue

Re: Logout token problem

Yes, the issue would be your IP changing between when you view the page and when you click the logout link. However, I think I would argue that the IP changing so often is the bug, not the CSRF token tongue
It's not an issue outside of 1.2, since 1.3's CSRF token system does not depend on IP. I don't know how I would go about dealing with ths in 1.2, so I'm tempted to leave it as it is.
To fix the issue by removing the token, you can just remove the check in login.php and the csrf_token generation in include/functions.php

Re: Logout token problem

Ok I will remove it on my work site and deal with it when visiting 1.2 sites at work.

I didnt test 1.3, so glad to hear I won't have same problem. Will be happy when I update work site to 1.3. tongue

4

Re: Logout token problem

/me would like to see your work site tongue