1

Topic: Unable to confirm security token

$forum_page['redirect_url'] = WWW.'viewtopic/'.$id;

$forum_page['form_action'] = forum_link($forum_url['login']);

$forum_page['hidden_fields'] = array(
    'form_sent'        => '<input type="hidden" name="form_sent" value="1" />',
    'forum_user'    => '<input type="hidden" name="form_user" value="'.forum_htmlencode($forum_user['username']).'" />',
    'redirect_url'    => '<input type="hidden" name="redirect_url" value="'.forum_htmlencode($forum_page['redirect_url']).'" />',
    'csrf_token'    => '<input type="hidden" name="csrf_token" value="'.generate_form_token($forum_page['form_action']).'" />'
);

Where can I get a list of $forum_url, or get rid of this annoying fing "Unable to confirm security token"? Why the hell do you really need it? Anyway, $forum_url['login'] is for the login form, but I need it for logout, post edit, etc. :D

Re: Unable to confirm security token

Wuu wrote:

Where can I get a list of $forum_url, or get rid of this annoying fing "Unable to confirm security token"? Why the hell do you really need it? Anyway, $forum_url['login'] is for the login form, but I need it for logout, post edit, etc. :D

$forum_url is defined in include/url/<url scheme>/forum_urls.php

The security token is needed for CSRF attacks; more info here: http://en.wikipedia.org/wiki/Cross-site_request_forgery

~Cereal
I've finally learned what "upward compatible" means. It means we get to keep all our old mistakes.
The limits of language are the limits of one's world.

3 (edited by tj111 2009-06-09 18:03)

Re: Unable to confirm security token

I too was having a similar issue after converting our CMS to use PunBB's login authentication system.  The simple solution is to just define the constant FORUM_SKIP_CSRF_CONFIRM before including any PunBB code.  It took some digging, but I found that check included in include/common.php before verifying the CSRF token.

define("FORUM_SKIP_CSRF_CONFIRM", 1);

4

Re: Unable to confirm security token

tj111 wrote:

I too was having a similar issue after converting our CMS to use PunBB's login authentication system.  The simple solution is to just define the constant FORUM_SKIP_CSRF_CONFIRM before including any PunBB code.  It took some digging, but I found that check included in include/common.php before verifying the CSRF token.

define("FORUM_SKIP_CSRF_CONFIRM", 1);

Just a note for anyone who may read this thread. Doing as suggested above is most definitely not advisable.

5

Re: Unable to confirm security token

I agree it's not advisable, but I was unable to figure out how to successfully create csrf tokens for forms that exist outside of my punbb directory.

6

Re: Unable to confirm security token

tj111 wrote:

I agree it's not advisable, but I was unable to figure out how to successfully create csrf tokens for forms that exist outside of my punbb directory.

It wasn't intended as a criticism. :) I merely mentioned it so that people don't blindly apply that change above without realising that it has drawbacks. :)

Re: Unable to confirm security token

tj111 wrote:

...I was unable to figure out how to successfully create csrf tokens for forms that exist outside of my punbb directory.

You need to add a hidden value to your form:

<input type="hidden" name="csrf_token" value="'.generate_form_token('http://site/form_handler.php').'" />

Re: Unable to confirm security token

Hi,

Had the same problem. Use the get_current_url 'fn_get_current_url_start' hook to fix it; the function is strange. It retrieves the current URL by '$protocol.$_SERVER['HTTP_HOST'].$port.$_SERVER['REQUEST_URI'];', which just isn't this way in all cases.
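
A simplified model of the mismatch discussed in the posts above, added here as an illustration and not part of the thread or of PunBB's source: the token is derived from the form's action URL and then checked against a URL rebuilt from server variables. The `example_*` function names, the HMAC construction and all sample values are assumptions made for the example.

```php
<?php
// Added illustration; every example_* name is hypothetical, not PunBB's API.

// Token: keyed hash of the form's target URL under a per-user secret.
function example_form_token(string $target_url, string $user_secret): string
{
    return hash_hmac('sha256', $target_url, $user_secret);
}

// Rebuild the request URL from server variables, as the post above describes:
// protocol + HTTP_HOST + port + REQUEST_URI.
function example_current_url(array $server): string
{
    $https    = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $protocol = $https ? 'https://' : 'http://';
    $default  = $https ? 443 : 80;
    $port     = (int) ($server['SERVER_PORT'] ?? $default);
    $port_str = ($port === $default) ? '' : ':' . $port;
    return $protocol . $server['HTTP_HOST'] . $port_str . $server['REQUEST_URI'];
}

// The submitted token must equal the token for the URL the server sees.
function example_token_is_valid(array $server, array $post, string $user_secret): bool
{
    $sent = $post['csrf_token'] ?? null;
    return is_string($sent)
        && hash_equals(example_form_token(example_current_url($server), $user_secret), $sent);
}

// Constructed sample data: a form rendered with this action URL.
$secret = 'constructed-per-user-secret';
$post   = ['csrf_token' => example_form_token('http://forum.example/login.php', $secret)];

// Constructed requests: the same POST as seen under different server variables.
$requests = [
    'same URL as form action'   => ['HTTP_HOST' => 'forum.example',     'SERVER_PORT' => 80,   'REQUEST_URI' => '/login.php'],
    'different host name'       => ['HTTP_HOST' => 'www.forum.example', 'SERVER_PORT' => 80,   'REQUEST_URI' => '/login.php'],
    'backend port behind proxy' => ['HTTP_HOST' => 'forum.example',     'SERVER_PORT' => 8080, 'REQUEST_URI' => '/login.php'],
    'extra query string'        => ['HTTP_HOST' => 'forum.example',     'SERVER_PORT' => 80,   'REQUEST_URI' => '/login.php?lang=en'],
];

foreach ($requests as $label => $server) {
    $ok = example_token_is_valid($server, $post, $secret);
    printf("%-26s %-40s %s\n", $label, example_current_url($server), $ok ? 'accepted' : 'rejected');
}
```

Only the first request is accepted. Aligning the URL the token is generated for with the URL the server reconstructs resolves the error while leaving the CSRF check enabled.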

9

Re: Unable to confirm security token

I'm getting this same error more frequently. Usually when I vote karma or sometimes replying to a post.
If I hit the back button and refresh, it usually works (but sucks when you get it after typing a reply to a post).

Re: Unable to confirm security token

I too was having a similar issue