


UserSpice
Problem with token_error.php - Printable Version




Problem with token_error.php - flo - 04-02-2018

Hey guys,

many of my users are getting redirected to the token_error.php page after login. When they click on go back and enter their login credentials again, it works and the token_error.php page is not shown.

In token_error.php it is stated that the following is most probably the case when this message is shown:
// 1. Someone trying to perform a man-in-the-middle attack on a form on the site.
// 2. Something accidentally causing the page to partially reload

I don’t think that a man-in-the-middle attack is the case. So I am wondering: What are my options to resolve this issue for my users?

I can’t remember that I ever had that issue while developing on localhost, but as soon as I moved the project to the live server I also got the message a couple of times (if that information helps).

Thank you guys a lot!! Awesome work on the UserSpice project!


Problem with token_error.php - Brandin - 04-03-2018

Can you get them to log the instances they are finding this occurring? You will notice this any time a user hits a page with a CSRF token and then they regenerate a token before the form is submitted, because on submission it tries to check the token and dies because it's not right.

E.g. you are on admin.php and admin_user.php, but you loaded admin_user second and it has a CSRF token on it. Because of this, if you try to submit admin.php, it will die with a token error.


Problem with token_error.php - flo - 04-23-2018

Thanks for the quick response!

Unfortunately, I can't get them to log the instances this is occurring! What are the practical steps to debug/fix this? I am not aware of any (partial) reloads of the page, since it is just the regular login page.

Not checking the token at all is probably a bad idea... right?


Problem with token_error.php - Brandin - 04-23-2018

Yes, you should never "not" check the token.

If you want to store when a CSRF fails, you can modify the script in usersc/scripts(maybe-or includes)/something about CSRF or token failure.

Thanks,
Brandin.
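
The failure Brandin describes, and the kind of record that makes it debuggable, as an added example that is not part of the thread and is not UserSpice code. It assumes a single token slot per session, as the reply describes; `issue_token`, `check_token`, the `$session` array (standing in for `$_SESSION`) and the log fields are hypothetical names.

```php
<?php
// Added illustration; not UserSpice code. All names here are hypothetical.
// $session stands in for $_SESSION so the script runs from the CLI.

// One token slot per session: every page that renders a form overwrites it.
function issue_token(array &$session, string $page): string
{
    $session['csrf'] = [
        'token'     => bin2hex(random_bytes(16)),
        'issued_by' => $page,
    ];
    return $session['csrf']['token'];
}

// Compare the submitted token with the slot. On mismatch, record enough
// context to tell a stale tab from a missing or foreign token.
function check_token(array $session, string $page, string $submitted, array &$log): bool
{
    $current = $session['csrf'] ?? null;
    $ok = $current !== null && hash_equals($current['token'], $submitted);
    if (!$ok) {
        $log[] = [
            'time'         => gmdate('c'),
            'submitted_by' => $page,
            'last_issuer'  => $current['issued_by'] ?? '(no token in session)',
            'had_token'    => $submitted !== '',
        ];
    }
    return $ok;
}

$session = [];
$log = [];

// Constructed sequence matching the thread: admin.php is opened first,
// admin_user.php is opened second and replaces the session token.
$tokenA = issue_token($session, 'admin.php');
$tokenB = issue_token($session, 'admin_user.php');

// Submitting the first page sends the token that was overwritten.
var_dump(check_token($session, 'admin.php', $tokenA, $log));
// Submitting the second page sends the token still held in the session.
var_dump(check_token($session, 'admin_user.php', $tokenB, $log));

echo json_encode($log, JSON_PRETTY_PRINT), PHP_EOL;
```

A log entry whose `last_issuer` differs from `submitted_by` points to a second page load replacing the token, while an entry with `had_token` false points to a request that carried no token at all.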