Problem with token_error.php

[flo]

Hey guys,

many of my users are getting redirected to the token_error.php page after login. When thy click on go back and enter their login credentials again, it works and the token-error.php page is not shown.

In the token_error.php it is stated, that the following is most probably the case, when this message is shown:
// 1. Someone trying to perform a man-in-the-middle attack on a form on the site.
// 2. Something accidentally causing the page to partially reload

I don’t think, that a man in the middle attack is the case. So I am wondering: What are my option to resolve this issue for my users?

I can’t remember, that I ever had that issue while developing on localhost, but as soon as I moved the project to the live server i also got the message a couple of times (if that information helps).

Thank you guys a lot!! Awesome work on the userspice project!

[Brandin]

Can you get them to log the instances they are finding this occurring? You will notice this any time a user hits a page with a CSRF token and then they regenerate a token before the form is submitted, because on submission it tries to check the Token and dies because its not right.

Eg. you are on admin.php and admin_user.php, but you loaded admin_user second and it has a CSRF token on it. Because of this, if you try to submit admin.php, it will die with a token error.

[flo]

Thanks for the quick response!

Unfortunately, I can't get them to log the instances this is occurring! What are the practical steps to debug/fix this? I am not aware of any (partial) reloads of the page, since it is just the regular login page.

Not checking the token at all is probably a bad idea..right?

[Brandin]

Yes-you should never "not" check the token.

If you want to store when a CSRF fails, you can modify the script in usersc/scripts(maybe-or includes)/something about CSRF or token failure.

Thanks,
Brandin.