This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

Problem with token_error.php
#1
Hey guys,

Many of my users are getting redirected to the token_error.php page after login. When they click on go back and enter their login credentials again, it works and the token_error.php page is not shown.

In token_error.php it is stated that the following is most probably the case when this message is shown:
// 1. Someone trying to perform a man-in-the-middle attack on a form on the site.
// 2. Something accidentally causing the page to partially reload

I don’t think that a man-in-the-middle attack is the case. So I am wondering: What are my options to resolve this issue for my users?

I can’t remember that I ever had that issue while developing on localhost, but as soon as I moved the project to the live server I also got the message a couple of times (if that information helps).

Thank you guys a lot!! Awesome work on the UserSpice project! :)
  Reply
#2
Can you get them to log the instances they are finding this occurring? You will notice this any time a user hits a page with a CSRF token and then they regenerate a token before the form is submitted, because on submission it tries to check the token and dies because it's not right.

E.g., you are on admin.php and admin_user.php, but you loaded admin_user second and it has a CSRF token on it. Because of this, if you try to submit admin.php, it will die with a token error.
  Reply
#3
Thanks for the quick response!

Unfortunately, I can't get them to log the instances this is occurring! What are the practical steps to debug/fix this? I am not aware of any (partial) reloads of the page, since it is just the regular login page.

Not checking the token at all is probably a bad idea... right?
  Reply
#4
Yes, you should never "not" check the token.

If you want to store when a CSRF fails, you can modify the script in usersc/scripts (maybe, or includes)/something about CSRF or token failure.

Thanks,
Brandin.
  Reply
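
The token overwrite described in reply #2 and the failure logging suggested in reply #4, as an added example that is not part of the original thread and is not UserSpice code. It models one CSRF token per session in plain PHP; `issue_token`, `check_token` and the `$session` array (standing in for `$_SESSION`) are hypothetical names.

```php
<?php
// Added illustration, not UserSpice code. All function names are hypothetical.
// $session stands in for $_SESSION so the script runs from the CLI.

// Single-slot design: every rendered form overwrites the one stored token.
function issue_token(array &$session, string $page): string {
    $token = bin2hex(random_bytes(16));
    $session['csrf'] = ['token' => $token, 'page' => $page, 'issued' => time()];
    return $token;
}

// Check a submitted token. On mismatch, return a record describing which page
// last replaced the token, so the failure can be logged and diagnosed.
function check_token(array $session, string $submitted, string $page): ?array {
    $stored = $session['csrf'] ?? null;
    if ($stored !== null && hash_equals($stored['token'], $submitted)) {
        return null; // token matches, request may proceed
    }
    return [
        'when'            => date('c'),
        'submitted_from'  => $page,
        'token_issued_by' => $stored['page'] ?? '(no token in session)',
        'token_age_sec'   => $stored ? time() - $stored['issued'] : null,
        // Token values are deliberately left out of the log record.
    ];
}

$session = [];

// Scenario from reply #2: admin.php is rendered first, admin_user.php second.
$adminToken = issue_token($session, 'admin.php');
issue_token($session, 'admin_user.php'); // overwrites the token admin.php holds

// Submitting admin.php now fails; the record shows admin_user.php replaced it.
$failure = check_token($session, $adminToken, 'admin.php');
echo json_encode($failure, JSON_PRETTY_PRINT), PHP_EOL;

// Going back reloads the form with a fresh token, so the retry succeeds.
$retryToken = issue_token($session, 'admin.php');
var_dump(check_token($session, $retryToken, 'admin.php') === null);
```

Writing the returned record to a log file (for instance with `error_log()`) from the token-failure script gives the per-incident data that could not be collected from users directly.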

