Friendly message at possible CSRF attack

14 Posts   7214 Views


15 January 2011 at 4:38am Community Member, 164 Posts

A client of one of my clients reported a "Security token doesn't match, possible CSRF attack." message when trying to submit a user generated form. As there is nothing wrong with the form, I suspect that their session timed out and hence they received the error.

I've now added Form::disable_all_security_tokens(); in the _config.php which means that the timeout should no longer occur. However, I'm wondering what potential security holes this leaves open?

Would it be possible to replace the message "Security token doesn't match, possible CSRF attack." with something friendlier? Ideally a message saying 'Your session timed out, click here to go back to your form and submit again', with a link that takes the user back to the completely filled-out form. All they then have to do is re-submit and everyone is happy.


22 February 2011 at 9:59am Community Member, 130 Posts

I'm also interested in this.

We've just had a user get in touch about this message.

Marijn - have you made any progress with this? I don't want to alienate our users but I don't want to open our website to attack.



23 February 2011 at 6:49am Community Member, 164 Posts

Hi Tama,

I haven't done anything other than disable the CSRF check. I would have hoped for a bit more detailed discussion on this issue.



25 February 2011 at 9:40pm Community Member, 81 Posts

I also get the same error. I'm not sending it from the contact template, but from a (self-made) contact form on another page. Is it possible to send it from there, or can I only send it from the form-specific Layout?


29 April 2011 at 12:57pm Community Member, 103 Posts

Hello, I'm having this problem too. I don't really understand what a CSRF attack is but I guess I don't want to open my site to one! I have a custom form which is quite long so it causes users a fair amount of stress when it doesn't submit properly, I guess because their session timed out?

How unsafe is it to disable security tokens for forms?

Is there a different solution, like could I increase how long a security token / session lasts for somehow? I thought a session was supposed to last until a browser was closed so I don't really understand how this problem is happening. Does putting your computer to sleep or something like that also expire a session?



30 April 2011 at 2:23pm Community Member, 103 Posts

It seems if cookies aren't enabled in a visitor's browser this error will happen as well - so it's possible that could be the cause of my problems. I've tried to detect cookie support and show or hide the form based on that in case that's the cause (code below).

** I'd still like to know if a form expires after a certain amount of time - does anyone know the answer to that? **



public function CookiesUncertain() {
   // True when the browser did not send back the PHP session cookie
   return (!Cookie::get('PHPSESSID'));
}

<% if CookiesUncertain %>
   <div class="warning">
      <p>We couldn't determine if cookies are enabled in your browser - please <a href="$Link">reload this page</a> so we can confirm. If the message disappears all is well! If you can still see this message then you will either need to enable cookies in your browser or switch to a different browser before you can fill out this form.</p>
   </div>
<% end_if %>

p.s. haha went to submit this reply and what do you know - got the message 'Security token doesn't match, possible CSRF attack.' Think Marijn's solution sounds ideal, any chance of seeing this happen?


13 May 2011 at 1:56pm Community Member, 103 Posts

I'm still having reports of users repeatedly getting the "Security token doesn't match, possible CSRF attack." message. Since I've put in a measure to make sure cookies are enabled I can't understand why this is happening or how to fix it.

Does anyone know what exactly can trigger the "Security token doesn't match, possible CSRF attack" error and how to avoid this? Please?


13 May 2011 at 5:15pm Forum Moderator, 5511 Posts

You can pretty safely disable the security tokens for most forms. We have disabled it for search forms and some other low-criticality contact forms which have captchas etc. If you are dealing with users who aren't logged in, there isn't much that can happen, but I'm not fully aware of all the crazy methods the kids use these days.
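Editor's added example, covering both the first post's two questions (what disabling the token opens up, and a friendly retry that keeps the visitor's answers) and the moderator's point about anonymous forms. This is a stand-alone Python model of the mechanism, not SilverStripe code: the session lifetime, the session store, the form and the scenario data are all constructed here. The hidden field is named SecurityID after SilverStripe's own token field; everything else is an assumption made for the demonstration.

```python
import hmac
import secrets

SESSION_LIFETIME = 1800        # seconds; constructed stand-in for PHP's session.gc_maxlifetime
TOKEN_FIELD = "SecurityID"     # hidden field name, after SilverStripe's token field
FRIENDLY_MESSAGE = ("Your session timed out or your browser is not sending cookies. "
                    "Your answers are filled in below; please submit the form again.")


class Clock:
    """Controllable clock so a scenario can jump past the session lifetime."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Server-side sessions keyed by the session cookie value (constructed model)."""
    def __init__(self, clock):
        self.clock = clock
        self.sessions = {}     # cookie value -> {"last_seen": float, "data": dict}

    def start(self):
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"last_seen": self.clock.now, "data": {}}
        return sid

    def get(self, sid):
        """Return the session's data dict, or None if there is no live session."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if self.clock.now - entry["last_seen"] > SESSION_LIFETIME:
            del self.sessions[sid]      # expired: same as never having had a session
            return None
        entry["last_seen"] = self.clock.now
        return entry["data"]


def issue_token(session):
    """One random token per session, reused by every form rendered in that session."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_hex(16)
    return session[TOKEN_FIELD]


def render_form(store, sid, values):
    """Render a form (as a dict of field values) whose hidden token is bound to the
    visitor's session, starting a session if needed. Returns (cookie, fields)."""
    session = store.get(sid)
    if session is None:
        sid = store.start()
        session = store.get(sid)
    fields = dict(values)
    fields[TOKEN_FIELD] = issue_token(session)
    return sid, fields


def handle_post(store, cookie_sid, posted, check_token=True):
    """Process a submission. Returns ("accepted", data) when the token matches the
    session, otherwise ("retry", page): the form re-rendered with the visitor's own
    values and a fresh token, in place of the bare 400 error the thread describes."""
    session = store.get(cookie_sid)
    expected = session.get(TOKEN_FIELD) if session else None
    submitted = posted.get(TOKEN_FIELD)
    data = {k: v for k, v in posted.items() if k != TOKEN_FIELD}
    if check_token and not (expected and submitted and
                            hmac.compare_digest(expected.encode(), submitted.encode())):
        # No live session (timeout, cookies off) or a cross-site forgery: the check
        # cannot tell these apart, so the retry page must do nothing on the submitter's
        # behalf; it only re-displays the posted values with a new token.
        new_sid, fields = render_form(store, cookie_sid, data)
        return "retry", {"message": FRIENDLY_MESSAGE, "cookie": new_sid, "fields": fields}
    return "accepted", data


def scenario(kind):
    """Constructed scenarios; each builds a fresh store and returns handle_post's result."""
    clock = Clock()
    store = SessionStore(clock)
    answers = {"name": "Ada", "message": "Long form, please do not lose this"}
    sid, form = render_form(store, None, answers)      # visitor loads and fills the form
    forged = {"name": "Ada", "message": "spam"}        # an attacker's page auto-submits this
    if kind == "legitimate":
        return handle_post(store, sid, form)
    if kind == "cross_site":
        # The browser attaches the victim's cookie to the forged post, but the attacker's
        # page cannot read the token out of the victim's form, so the field is absent.
        return handle_post(store, sid, forged)
    if kind == "cross_site_tokens_disabled":
        return handle_post(store, sid, forged, check_token=False)   # the "hole" opened
    if kind == "timeout":
        clock.advance(SESSION_LIFETIME + 1)            # visitor took too long to submit
        return handle_post(store, sid, form)
    if kind == "no_cookie":
        return handle_post(store, None, form)          # cookies disabled: no session
    raise ValueError(kind)
```

With the check on, the cross-site scenario and the timeout scenario both end in "retry"; with it off, the forged post is "accepted", which on an anonymous contact form means forged submissions in a visitor's name and on a logged-in form means actions taken as that user. The retry page must escape the echoed values like any other form value, and if the browser is not storing cookies at all the fresh cookie it sets will not stick either, so the retry loops; that is the case the cookie check posted earlier in this thread is meant to catch.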