1 Topic by Wuu

  • Wuu
  • Junior Member
  • Offline
  • Registered: 2009-03-08
  • Posts: 9

Topic: Unable to confirm security token

$forum_page['redirect_url'] = WWW.'viewtopic/'.$id;

$forum_page['form_action'] = forum_link($forum_url['login']);

$forum_page['hidden_fields'] = array(
    'form_sent'        => '<input type="hidden" name="form_sent" value="1" />',
    'forum_user'    => '<input type="hidden" name="form_user" value="'.$forum_user['username'].'" />',
    'redirect_url'    => '<input type="hidden" name="redirect_url" value="'.forum_htmlencode($forum_page['redirect_url']).'" />',
    'csrf_token'    => '<input type="hidden" name="csrf_token" value="'.generate_form_token($forum_page['form_action']).'" />'
);

Where i can get list of $forum_url ,or get rid off this annoying fing "Unable to confirm security token". Why the hell you really need it? Anyway $forum_url['login'] is for login form ,but i need for logout,post edit etcc.. big_smile

  • Cereal
  • Senior Member
  • Offline
  • From: Belgium
  • Registered: 2006-06-05
  • Posts: 123

Re: Unable to confirm security token

Wuu wrote:

Where i can get list of $forum_url ,or get rid off this annoying fing "Unable to confirm security token". Why the hell you really need it? Anyway $forum_url['login'] is for login form ,but i need for logout,post edit etcc.. big_smile

$forum_url is defined in include/url/<url scheme>/forum_urls.php

the security token is needed for csrf attacks, more info here: http://en.wikipedia.org/wiki/Cross-site_request_forgery

~Cereal
I've finally learned what "upward compatible" means. It means we get to keep all our old mistakes.
The limits of language are the limits of one's world.

Cereal's Website

3 Reply by tj111 (edited by tj111 2009-06-09 18:03)

  • tj111
  • Junior Member
  • Offline
  • Registered: 2009-06-09
  • Posts: 2

Re: Unable to confirm security token

I too was having a similar issue after converting our CMS to use PunBB's login authentication system.  The simple solution is to just define the constant FORUM_SKIP_CSRF_CONFIRM before including any PunBB code.  It took some digging, but I found that check included in include/common.php before verifying the CSRF token.

define("FORUM_SKIP_CSRF_CONFIRM", 1);

4 Reply by MattF

  • MattF
  • Senior Member
  • Offline
  • From: South Yorkshire, England
  • Registered: 2007-03-15
  • Posts: 1,956

Re: Unable to confirm security token

tj111 wrote:

I too was having a similar issue after converting our CMS to use PunBB's login authentication system.  The simple solution is to just define the constant FORUM_SKIP_CSRF_CONFIRM before including any PunBB code.  It took some digging, but I found that check included in include/common.php before verifying the CSRF token.

define("FORUM_SKIP_CSRF_CONFIRM", 1);

Just a note for anyone who may read this thread. Doing as suggested above is most definitely not advisable.

MattF's Website

5 Reply by tj111

  • tj111
  • Junior Member
  • Offline
  • Registered: 2009-06-09
  • Posts: 2

Re: Unable to confirm security token

I agree it's not advisable, but I was unable to figure out how to successfully create csrf tokens for forms that exist outside of my punbb directory.

6 Reply by MattF

  • MattF
  • Senior Member
  • Offline
  • From: South Yorkshire, England
  • Registered: 2007-03-15
  • Posts: 1,956

Re: Unable to confirm security token

tj111 wrote:

I agree it's not advisable, but I was unable to figure out how to successfully create csrf tokens for forms that exist outside of my punbb directory.

It wasn't intended as a criticism. smile I merely mentioned it so that people don't blindly apply that change above without realising that it has drawbacks. smile

MattF's Website

  • Slavok
  • PunBB Developer
  • Offline
  • From: Russia
  • Registered: 2008-06-11
  • Posts: 1,238

Re: Unable to confirm security token

tj111 wrote:

...I was unable to figure out how to successfully create csrf tokens for forms that exist outside of my punbb directory.

You need to add hidden value to your form:

<input type="hidden" name="csrf_token" value="'.generate_form_token('http://site/form_handler.php').'" />

Slavok's Website

  • Registered: 2009-08-08
  • Posts: 4

Re: Unable to confirm security token

Hi,

had same problem. Use get_current_url 'fn_get_current_url_start' hook to fix it, the function is strange. It does retrieve current url by '$protocol.$_SERVER['HTTP_HOST'].$port.$_SERVER['REQUEST_URI'];' which just isn't this way in all cases.

9 Reply by chovy

  • Registered: 2009-10-30
  • Posts: 76

Re: Unable to confirm security token

I'm getting this same error more frequently. Usually when I vote karma or sometimes replying to a post.
If I hit the back button and refresh, it usually works (but sucks when you get it after typing a reply to a post).

chovy's Website

  • Registered: 2009-11-25
  • Posts: 1

Re: Unable to confirm security token

I too was having a similar issue