Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

All other Modules /

Discuss all other Modules here.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Friendly message at possible CSRF attack


Go to End
Reply


14 Posts   7659 Views

Avatar
MarijnKampf

Community Member, 164 Posts

15 January 2011 at 4:38am

A client of one of my clients reported a "Security token doesn't match, possible CSRF attack." message when trying to submit a user generated form. As there is nothing wrong with the form, I suspect that their session timed out and hence they received the error.

I've now added Form::disable_all_security_tokens(); in the _config.php which means that the timeout should no longer occur. However, I'm wondering what potential security holes this leaves open?

Would it be possible to replace the message "Security token doesn't match, possible CSRF attack." with something friendlier? Ideally a message saying 'Your session times out, click here to go back to your form and submit again'. With a link that takes the user back to the completely filled out form. All they then have to do is re-submit and everyone is happy.

Avatar
Tama

Community Member, 132 Posts

22 February 2011 at 9:59am

I'm also interested in this.

We've just had a user get in touch about this message.

Marijn - have you made any progress with this? I don't want to alienate our users but I don't want to open our website to attack.

Cheers
Tama

Avatar
MarijnKampf

Community Member, 164 Posts

23 February 2011 at 6:49am

Hi Tama,

I haven't done anything other than disable the CSRF check. I would have hoped for a bit more detailed discussion on this issue.

Marijn.

Avatar
quanto

Community Member, 81 Posts

25 February 2011 at 9:40pm

I also get the same error. I'm not sending it from the contact-template, but from a (self-made) contactform on another page. Is it possible to send it from there, or could I only send this from the form-specific Layout?

Avatar
JonoM

Community Member, 103 Posts

29 April 2011 at 12:57pm

Hello, I'm having this problem too. I don't really understand what a CSRF attack is but I guess I don't want to open my site to one! I have a custom form which is quite long so it causes users a fair amount of stress when it doesn't submit properly, I guess because their session timed out?

How unsafe is it to disable security tokens for forms?

Is there a different solution, like could I increase how long a security token / session lasts for somehow? I thought a session was supposed to last until a browser was closed so I don't really understand how this problem is happening. Does putting your computer to sleep or something like that also expire a session?

Thanks

Avatar
JonoM

Community Member, 103 Posts

30 April 2011 at 2:23pm

It seems if cookies aren't enabled in a visitor's browser this error will happen as well - so it's possible that could be the cause of my problems. I've tried to detect cookie support and show or hide the form based on that in case that's the cause (code below).

** I'd still like to know if a form expires after a certain amount of time - does anyone know the answer to that? **

Cheers

Controller
========

public function CookiesUncertain() {
   return (!Cookie::get('PHPSESSID'));
}

========
Template
========

<% if CookiesUncertain %>
   <div class="warning">
      <p>We couldn't determine if cookies are enabled in your browser - please <a href="$Link">reload this page</a> so we can confirm. If the message disappears all is well! If you can still see this message then you will either need to enable cookies in your browser or switch to a different browser before you can fill out this form.</p>
   </div>
<% else %>
   $EnquiryForm
<% end_if %>

p.s. haha went to submit this reply and what do you know - got the message 'Security token doesn't match, possible CSRF attack.' Think Marijn's solution sounds ideal, any chance of seeing this happen?

Avatar
JonoM

Community Member, 103 Posts

13 May 2011 at 1:56pm

I'm still having reports of users repeatedly getting the "Security token doesn't match, possible CSRF attack." message. Since I've put in a measure to make sure cookies are enabled I can't understand why this is happening or how to fix it.

Does anyone know what exactly can trigger the "Security token doesn't match, possible CSRF attack" error and how to avoid this? Please?

Avatar
Willr

Forum Moderator, 5513 Posts

13 May 2011 at 5:15pm

You can pretty safely disable the security tokens for most forms. We have disabled it for search forms and some other low critical contact forms which have captchas etc. If you are dealing with users who aren't logged in, there isn't much that can happen but not fully aware of all the crazy methods the kids use these days.

Go to Top