Topic: Unable to confirm security token (can I increase the time?)

My forum is the type where people often type very long posts. So we are getting those security errors and it could confuse people very easily.

Any chance we can extend the time frame of the security token?

Re: Unable to confirm security token (can I increase the time?)

This is now driving me and my users POTTY.
If I spend more than about 1 minute typing my post I get the "security token" message.
Am I doing something wrong?

cheers
Mark

3

Re: Unable to confirm security token (can I increase the time?)

my users are having the same problem. I just added some info in language file, advising them to press send one more time and this should fix the problem. No complaints afterwards. It's a temp solution

4 (edited by User33 2008-12-23 23:58)

Re: Unable to confirm security token (can I increase the time?)

I think you can disable CSRF confirmation by placing

define('FORUM_DISABLE_CSRF_CONFIRM', 1)

somewhere on your config.php

Note: By doing this, you are decreasing your security

// Please only recommend this method as a short term fix. - Utchin.

Re: Unable to confirm security token (can I increase the time?)

Anywhere in particular?

Re: Unable to confirm security token (can I increase the time?)

The end would be ok, I guess.

7

Re: Unable to confirm security token (can I increase the time?)

That's defeating the purpose of having the security token, however.

Re: Unable to confirm security token (can I increase the time?)

Yeah, of course.

9

Re: Unable to confirm security token (can I increase the time?)

Garciat wrote:

Yeah, of course.

It is not a good idea to suggest to people an option which is decreasing their security.

10

Re: Unable to confirm security token (can I increase the time?)

You're right, I'll edit my post saying it's decreasing their security in bold letters so users know.

Re: Unable to confirm security token (can I increase the time?)

MattF wrote:

That's defeating the purpose of having the security token, however.

But the way it was causing problems. Users were frustrated. The time length needs extending. Is there a description somewhere that I can read stating why the time is so short?

12

Re: Unable to confirm security token (can I increase the time?)

I'm personally rather unfamiliar with the specifics of the 1.3* code, but I'm sure one of the devs should be able to point you in the right direction. You have to allow time for the fact that it is Christmas, when factoring for a response, however. smile

Re: Unable to confirm security token (can I increase the time?)

This bug is really annoying. I've tried to find the cause some times, but I've found nothing sad
There is to much code verifying user's cookies and security tokens.

I've supposed that the bug appears on posting a form when somebody else have visited the forum after a forum page with the form was opened in browser. Also I thought this error is shown only for admins. Am I right?

We'll continue the investigation smile

14

Re: Unable to confirm security token (can I increase the time?)

We have the url of a requested page and csrf_token in the table online (it is generated when user log in). These two strings are concatenated and hashed with sha1-algorithm. Given value is stored on the forum page in a hidden value.
There is an option "Online timeout". It defines the count of seconds idle before a user is removed from the online users list.
Every time a user requests a page of the forum, the list of online users is updated. This means that some information about the current user (logged time and previous url) will be updated, and all users, logged more than online timeout seconds ago, will be removed from the online table.
When a visitor writes his post more than online timeout and other users are browsing forum pages, the posting user will be removed from the online list. When a user presses the "Submit" button, he will be authorized via a cookie and, as he was removed from online table, a new csrf_token will be generated in the online table. So csrf_token in the online table doesn't equal csrf, which was used to generate csfr-token at the requested page.
To increase time frame of the security token, you should increase the online timeout. You can do it on "admin/settings.php" page in the "Default timeouts and redirect delay" section.

Re: Unable to confirm security token (can I increase the time?)

slavok wrote:

To increase time frame of the security token, you should increase the online timeout. You can do it on "admin/settings.php" page in the "Default timeouts and redirect delay" section.

This is not a good solution I'm afraid.
If a user spends 5 minutes composing a new post (this is very common on my forum) then he should be hit with the security token measure. This is just putting people off using the forum. Also, I don't want people to remain in the online list for 5 minutes after they leave the site. This results in confusion amongst posters who make topics like "hello username" when in fact the person they are talking to left the site 4 minutes ago.

So the online timeout should be around 3 minute (for my site) and the security token should be a separate value.


That is just my opinion anyway

Re: Unable to confirm security token (can I increase the time?)

esupergood wrote:

posters who make topics like "hello username"

...should be banned tongue

Re: Unable to confirm security token (can I increase the time?)

esupergood wrote:

So the online timeout should be around 3 minute (for my site) and the security token should be a separate value.

As it was stated above, token is stored in online table. So that when user goes offline, the token is lost.
You may modify the code or make an extension to implement the logic you need, e.g. store the csrf token in users table...
Nevertheless, it seems to me very seldom, when you cannot find the balance between "long writing" and "quick online status update".

Carpe diem

Re: Unable to confirm security token (can I increase the time?)

it is very very very common that I get the security message. I don't think my users get it. someone suggested it mainly affects admins

Re: Unable to confirm security token (can I increase the time?)

1. What is the PHP version running forum?
2. Server TZ setting?
3. Your local TZ?

Carpe diem