1 Topic by Nigg (edited by Nigg 2009-02-13 09:57)

  • Nigg
  • Member
  • Offline
  • Registered: 2007-02-05
  • Posts: 13

Topic: CSRF Token in Form

$redirect_url = $_SERVER['REQUEST_URI'];
        $post_url     = forum_link('login.php');
        $csrf_token   = generate_form_token($post_url);

$form = '
            <form id="login" name="login" method="post" action="'.$post_url.'">
                <input type="hidden" name="form_sent" value="1" />
                <input type="hidden" name="redirect_url" value="'.$redirect_url.'" />
                <input type="hidden" name="csrf_token"   value="'.$csrf_token.'" />
                <input type="submit" name="submit" value="'.$dict->getDict( 'logout', 'login').'">
            </form>';

Where is the bug? The error is that the error message from the first post is displayed SOMETIMES when we log in.

  • From: Russia
  • Registered: 2007-12-13
  • Posts: 642

Re: CSRF Token in Form

Nigg wrote:

The error is that the error message from the first post is displayed SOMETIMES when we log in.

1. what is message text?
2. what is SOMETIMES?

Carpe diem

Anatoly's Website

3 Reply by Nigg (edited by Nigg 2009-02-13 13:04)

  • Nigg
  • Member
  • Offline
  • Registered: 2007-02-05
  • Posts: 13

Re: CSRF Token in Form

Oh, I'm sorry, here is the message:

Confirm action
Please confirm or cancel your last action

Unable to confirm security token. A likely cause for this is that some time passed between when you first entered the page and when you submitted a form or clicked a link. If that is the case and you would like to continue with your action, please click the Confirm button. Otherwise, you should click the Cancel button to return to where you were.

[ Confirm ]        [ Cancel ]

Sometimes == I'm not sure cause I cannot reproduce it. It happens often, I think after the first visit (or successfully login and logout) of a page.

  • Cereal
  • Senior Member
  • Offline
  • From: Belgium
  • Registered: 2006-06-05
  • Posts: 123

Re: CSRF Token in Form

well users are reporting the same problem at my site ...

another thing thats impacted is the read posts, when this happens (after posting or login in) post they have read are marked as unread ...

so it happens at 2 places:
1- on login
2- on posting a message

~Cereal
I've finally learned what "upward compatible" means. It means we get to keep all our old mistakes.
The limits of language are the limits of one's world.

Cereal's Website

  • From: Russia
  • Registered: 2007-12-13
  • Posts: 642

Re: CSRF Token in Form

Try just increasing the timeouts at the Administration/Settings page.

Carpe diem

Anatoly's Website

6 Reply by Nigg

  • Nigg
  • Member
  • Offline
  • Registered: 2007-02-05
  • Posts: 13

Re: CSRF Token in Form

that doesn't help