You are not logged in. Please login or register.
PunBB Forums → PunBB 1.3 troubleshooting → Unable to confirm security token (can I increase the time?)
My forum is the type where people often type very long posts. So we are getting those security errors and it could confuse people very easily.
Any chance we can extend the time frame of the security token?
This is now driving me and my users POTTY.
If I spend more than about 1 minute typing my post I get the "security token" message.
Am I doing something wrong?
cheers
Mark
my users are having the same problem. I just added some info in language file, advising them to press send one more time and this should fix the problem. No complaints afterwards. It's a temp solution
I think you can disable CSRF confirmation by placing
define('FORUM_DISABLE_CSRF_CONFIRM', 1)somewhere on your config.php
Note: By doing this, you are decreasing your security
// Please only recommend this method as a short term fix. - Utchin.
Anywhere in particular?
The end would be ok, I guess.
That's defeating the purpose of having the security token, however.
Yeah, of course.
Yeah, of course.
It is not a good idea to suggest to people an option which is decreasing their security.
You're right, I'll edit my post saying it's decreasing their security in bold letters so users know.
That's defeating the purpose of having the security token, however.
But the way it was causing problems. Users were frustrated. The time length needs extending. Is there a description somewhere that I can read stating why the time is so short?
I'm personally rather unfamiliar with the specifics of the 1.3* code, but I'm sure one of the devs should be able to point you in the right direction. You have to allow time for the fact that it is Christmas, when factoring for a response, however. 
This bug is really annoying. I've tried to find the cause some times, but I've found nothing 
There is to much code verifying user's cookies and security tokens.
I've supposed that the bug appears on posting a form when somebody else have visited the forum after a forum page with the form was opened in browser. Also I thought this error is shown only for admins. Am I right?
We'll continue the investigation
We have the url of a requested page and csrf_token in the table online (it is generated when user log in). These two strings are concatenated and hashed with sha1-algorithm. Given value is stored on the forum page in a hidden value.
There is an option "Online timeout". It defines the count of seconds idle before a user is removed from the online users list.
Every time a user requests a page of the forum, the list of online users is updated. This means that some information about the current user (logged time and previous url) will be updated, and all users, logged more than online timeout seconds ago, will be removed from the online table.
When a visitor writes his post more than online timeout and other users are browsing forum pages, the posting user will be removed from the online list. When a user presses the "Submit" button, he will be authorized via a cookie and, as he was removed from online table, a new csrf_token will be generated in the online table. So csrf_token in the online table doesn't equal csrf, which was used to generate csfr-token at the requested page.
To increase time frame of the security token, you should increase the online timeout. You can do it on "admin/settings.php" page in the "Default timeouts and redirect delay" section.
To increase time frame of the security token, you should increase the online timeout. You can do it on "admin/settings.php" page in the "Default timeouts and redirect delay" section.
This is not a good solution I'm afraid.
If a user spends 5 minutes composing a new post (this is very common on my forum) then he should be hit with the security token measure. This is just putting people off using the forum. Also, I don't want people to remain in the online list for 5 minutes after they leave the site. This results in confusion amongst posters who make topics like "hello username" when in fact the person they are talking to left the site 4 minutes ago.
So the online timeout should be around 3 minute (for my site) and the security token should be a separate value.
That is just my opinion anyway
posters who make topics like "hello username"
...should be banned 
So the online timeout should be around 3 minute (for my site) and the security token should be a separate value.
As it was stated above, token is stored in online table. So that when user goes offline, the token is lost.
You may modify the code or make an extension to implement the logic you need, e.g. store the csrf token in users table...
Nevertheless, it seems to me very seldom, when you cannot find the balance between "long writing" and "quick online status update".
it is very very very common that I get the security message. I don't think my users get it. someone suggested it mainly affects admins
1. What is the PHP version running forum?
2. Server TZ setting?
3. Your local TZ?
PunBB Forums → PunBB 1.3 troubleshooting → Unable to confirm security token (can I increase the time?)
Powered by PunBB, supported by Informer Technologies, Inc.