Topic: Migrated to new web server, CSRF problems
I have been running a punBB 1.3.2 forum for a very long time, and today the time came to migrate the forum to my new VPS. It is running nginx+PHP+mySQL.
I installed punBB 1.4 (latest), upgraded the imported DB to the latest DB revision, edited the config file to match my new system and everything seemed to work flawlessly.
However, the moment I try to log on, I get the CSRF error:
Unable to confirm security token. A likely cause for this is that some time passed between when you first entered the page and when you submitted a form or clicked a link. If that is the case and you would like to continue with your action, please click the Confirm button. Otherwise, you should click the Cancel button to return to where you were.
If I click "Confirm", I get redirected to an HTTPS version of my site, at the following URL: ht tps://<base-url>:80/login/. However, my server isn't even running on HTTPS/SSL, so the request obviously fails. If I remove the https:// part of the URL, it works fine.
The code that determines this behaviour is in functions.php, in the function get_current_url():
$protocol = (!isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) == 'off') ? 'ht tp://' : 'htt ps://';
It checks the PHP variable _SERVER['HTTPS'] to determine whether I am on an HTTPS connection. The current value in my phpinfo:
_SERVER["HTTPS"] no value
Surely, it should be unset?
In any case, I modified the function to always point to a regular HTTP connection regardless of what the server says, and I can now log in fine. However, if I try making a post or a reply, I always get the CSRF error no matter how many times I press submit:
Unable to confirm security token. A likely cause for this is that some time passed between when you first entered the page and when you posted the form. Clicking "Submit" again should solve the problem.
Upon further investigation, I noticed that the CSRF token that is saved in the "online" table of the database never matches the CSRF token it is trying to compare. They are entirely different. I suspect that this is caused by the above HTTPS issue, but I have no idea where to begin. My web server does not (and should not) have HTTPS support.
Thank you very much for any replies.
EDIT: I had to add spaces in the "URLs" above, because it wouldn't let me post.
EDIT2: I also tried migrating the 1.3.2 version of the forum. I am getting the exact same errors, so it's definitely not an issue with the version upgrade.
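Added example (not punBB's code and not from the poster) showing why a phpinfo entry of HTTPS "no value" makes the quoted check pick https://: in PHP, isset() is true for an empty string, and '' is not equal to 'off'. The nginx variable $https is "on" on TLS connections and empty otherwise, so a line such as fastcgi_param HTTPS $https; (assumed to be in the nginx config; verify it) passes HTTPS="" to PHP on plain-HTTP requests. With the empty value, protocol_original() below returns https:// while the stricter protocol_strict() returns http://.

```php
<?php
// Added example, not punBB's own code. Reproduces the quoted check from
// get_current_url() and compares it with a stricter variant that treats an
// empty (or "off"/"0") HTTPS value as a plain HTTP request.

// The check as quoted from functions.php (spaces in the scheme removed).
function protocol_original(array $server): string
{
    return (!isset($server['HTTPS']) || strtolower($server['HTTPS']) == 'off')
        ? 'http://' : 'https://';
}

// Stricter detection: only a non-empty value that is neither "off" nor "0"
// means TLS. An empty fastcgi_param (nginx $https on HTTP) is then HTTP.
function protocol_strict(array $server): string
{
    $https = isset($server['HTTPS']) ? strtolower((string) $server['HTTPS']) : '';
    return ($https !== '' && $https !== 'off' && $https !== '0')
        ? 'https://' : 'http://';
}

// Constructed $_SERVER fragments covering the cases a FastCGI front end can
// produce; 'HTTPS = ""' is what phpinfo reports as "no value".
$cases = [
    'HTTPS unset'        => [],
    'HTTPS = "" (nginx)' => ['HTTPS' => ''],
    'HTTPS = "off"'      => ['HTTPS' => 'off'],
    'HTTPS = "on"'       => ['HTTPS' => 'on'],
];

printf("%-20s %-10s %-10s\n", 'case', 'original', 'strict');
foreach ($cases as $label => $server) {
    printf("%-20s %-10s %-10s\n", $label,
        protocol_original($server), protocol_strict($server));
}
```

On the nginx side the equivalent fix is to send fastcgi_param HTTPS off; (or nothing at all) for a plain-HTTP server block instead of the empty $https value.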