1 (edited by Nigg 2009-02-13 09:57)

Topic: CSRF Token in Form

$redirect_url = $_SERVER['REQUEST_URI'];
$post_url     = forum_link('login.php');
$csrf_token   = generate_form_token($post_url);   // token is bound to $post_url

$form = '
    <form id="login" name="login" method="post" action="'.$post_url.'">
        <input type="hidden" name="form_sent" value="1" />
        <input type="hidden" name="redirect_url" value="'.htmlspecialchars($redirect_url, ENT_QUOTES).'" />   <!-- REQUEST_URI is user-controlled, so escape it -->
        <input type="hidden" name="csrf_token"   value="'.$csrf_token.'" />
        <input type="submit" name="submit" value="'.$dict->getDict('logout', 'login').'">
    </form>';

Where is the bug? The error is that the error message from the first post is displayed SOMETIMES when we log in.
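To make the symptom easier to reason about, here is a small added example of a URL-bound CSRF token and its verification. It is not code from the post above and does not reproduce PunBB's own generate_form_token(); the helper names (make_form_token, check_form_token, canonical_url), the session secret and the sample URLs are assumptions. It shows that the token only verifies when the URL and secret used at check time are the same ones used when the form was rendered; a differing query string or a rotated session secret both produce a mismatch of the kind behind a "security token" confirmation page, and the canonical_url step shows one way to make the binding less fragile.

```php
<?php
// Added example, not PunBB code: HMAC-based CSRF token bound to the form
// action URL and a per-session secret.

// Reduce a URL to the part that should be stable between rendering the
// form and receiving the submission (scheme, host, path); the query
// string is dropped so "?foo=bar" appended later does not break the match.
function canonical_url(string $url): string
{
    $p = parse_url($url);
    return strtolower($p['scheme'] ?? 'http') . '://'
         . strtolower($p['host'] ?? '')
         . ($p['path'] ?? '/');
}

// Mint a token for one specific form action. Using the session secret as
// the HMAC key means a token is only valid for the session that rendered
// the form, and binding the URL means it cannot be replayed against a
// different form.
function make_form_token(string $action_url, string $session_secret): string
{
    return hash_hmac('sha256', canonical_url($action_url), $session_secret);
}

// Verify a submitted token against the URL the request actually arrived at.
// hash_equals() is a constant-time comparison.
function check_form_token(string $submitted, string $current_url, string $session_secret): bool
{
    $expected = make_form_token($current_url, $session_secret);
    return hash_equals($expected, $submitted);
}

// Constructed sample values (in real code the secret lives in the session).
$secret   = bin2hex(random_bytes(16));
$post_url = 'https://forum.example/login.php';
$token    = make_form_token($post_url, $secret);

$cases = [
    // Same URL, same secret: the normal successful submission.
    'same url'        => check_form_token($token, $post_url, $secret),
    // Extra query string on the request URL: tolerated because
    // canonical_url() strips it before hashing.
    'query string'    => check_form_token($token, $post_url . '?action=in', $secret),
    // Different path (token minted for login.php, submitted to post.php).
    'other form'      => check_form_token($token, 'https://forum.example/post.php', $secret),
    // Session secret rotated between rendering and submitting, as happens
    // when a login or logout regenerates the session.
    'rotated secret'  => check_form_token($token, $post_url, bin2hex(random_bytes(16))),
];

foreach ($cases as $label => $ok) {
    printf("%-15s %s\n", $label, $ok ? 'token accepted' : 'token rejected');
}
```

Running it shows which of the four situations are accepted: only the last two are rejected, because the URL binding is applied to the canonical form and the secret is what actually changes across a login or logout. If the token were instead computed over the raw request URI, the query-string case would also be rejected, which is worth checking when a token error appears intermittently.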

Re: CSRF Token in Form

Nigg wrote:

The error is that the error message from the first post is displayed SOMETIMES when we log in.

1. what is message text?
2. what is SOMETIMES?

Carpe diem

3 (edited by Nigg 2009-02-13 13:04)

Re: CSRF Token in Form

Oh, I'm sorry, here is the message:

Confirm action
Please confirm or cancel your last action

Unable to confirm security token. A likely cause for this is that some time passed between when you first entered the page and when you submitted a form or clicked a link. If that is the case and you would like to continue with your action, please click the Confirm button. Otherwise, you should click the Cancel button to return to where you were.

[ Confirm ]        [ Cancel ]

Sometimes == I'm not sure, because I cannot reproduce it. It happens often, I think after the first visit (or successful login and logout) of a page.

Re: CSRF Token in Form

well, users are reporting the same problem at my site ...

another thing that's impacted is read posts: when this happens (after posting or logging in), posts they have read are marked as unread ...

so it happens at 2 places:
1- on login
2- on posting a message

~Cereal
I've finally learned what "upward compatible" means. It means we get to keep all our old mistakes.
The limits of language are the limits of one's world.

Re: CSRF Token in Form

Try just increasing the timeouts at the Administration/Settings page.

Carpe diem

6

Re: CSRF Token in Form

that doesn't help