Question regarding CSRF token (this sounds related to Francisco FR's problem)
Right now, when you leave the shoutbox open long enough, it'll eventually "crash" and stop working, due to a CSRF token mismatch. The reason this is happening is because a static CSRF token is being compared to one that gets generated on each poll and each new message (so basically, every 1.6 seconds). In simpler terms, each time it checks for new shouts or adds a new one, it'll check these two tokens, and eventually the static one will lag behind, and mismatch.
The comparison's in data.php on line 26:
$_GET['csrf_token'] != generate_form_token('./extensions/shoutbox_pun/data.php')
I understand that the reason for this is to help prevent cross-site attacks, and in this specific case, prevent bad people from posting shouts to your shoutbox without your permission. Does anyone have any idea on how to get around this? It looks like one solution is to regenerate the static token before it expires, but the token is generated via php code, and only gets called on page refresh. The alternative is to remove the check.
This problem also occurs with base PunBB functions, like modifying settings in the admin panel. The site gets around it by prompting you to confirm your action. I haven't looked at the code, but I imagine during this time, they regenerate the token, and then the action passes the check and goes through. But we can't do that with shouts, unless we force a page refresh every ~30 minutes.
Would be totally grateful for any help on this. Thanks!
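
An added example, not part of the original post and not PunBB or shoutbox_pun code: one way to act on the "regenerate the static token before it expires" option while keeping the check, by having each poll response carry a fresh token that the client uses for its next request. It assumes a token bound to a time window; `issueToken`, `handlePoll`, `pollOnce`, `simulate`, the `csrf_token` response field and the 30-minute window are hypothetical names and values chosen for this model.

```javascript
// Constructed model of the server and client; not the extension's real code.
const crypto = require("crypto");

const WINDOW_MS = 30 * 60 * 1000;       // assumed token lifetime (the post's ~30 minutes)
const SECRET = crypto.randomBytes(32);  // per-session secret known only to the server

// Server side: token bound to the target URL and the current time window.
function issueToken(target, now) {
  const win = Math.floor(now / WINDOW_MS);
  return crypto.createHmac("sha256", SECRET).update(`${target}|${win}`).digest("hex");
}

// Constant-time comparison instead of a plain != on the token strings.
function sameToken(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Hypothetical poll handler: keeps the check, accepts the current or previous
// window, and returns a fresh token with every successful response.
function handlePoll(target, token, now) {
  const ok = sameToken(token, issueToken(target, now)) ||
             sameToken(token, issueToken(target, now - WINDOW_MS));
  if (!ok) return { status: 403 };
  return { status: 200, shouts: [], csrf_token: issueToken(target, now) };
}

// Client side: one poll step. state.token starts as the value rendered into
// the page; with refresh enabled it is replaced by the token in each response.
function pollOnce(state, now, refresh) {
  const res = handlePoll(state.target, state.token, now);
  if (res.status === 200 && refresh) state.token = res.csrf_token;
  return res.status;
}

// Simulate a page left open: poll every stepMs for totalMs and return the
// time of the first rejected poll, or null if no poll was rejected.
function simulate(refresh, totalMs, stepMs) {
  const target = "./extensions/shoutbox_pun/data.php";
  const state = { target, token: issueToken(target, 0) };
  for (let t = 0; t <= totalMs; t += stepMs) {
    if (pollOnce(state, t, refresh) !== 200) return t;
  }
  return null;
}

console.log("static token first rejected at (ms):", simulate(false, 3 * WINDOW_MS, 1600));
console.log("refreshed token first rejected at (ms):", simulate(true, 3 * WINDOW_MS, 1600));
```

In this model the page-rendered token is rejected once two windows have passed, while the refreshed token keeps validating for as long as the page keeps polling, and a forged or missing token is still refused.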