Private Site

[waynez]

Hi,

I'm trying to create a private site, I'd like users to hit the login page first before going anywhere. I've setup index.php to redirect to the page I want (homepage.php) located in the users folder. I have also modified the login.php file (moved to users) based on the login.php in users, mainly changing the css and removing the navigation.php so it only displays the login prompts. I can't seem to get past the "tokens don't match" error message, even when checking the source code of the original page and displaying the token, which appears to be the same it won't work.

Anybody point me in the right direction for some examples of how to make this work. Happy to provide any additional information, not sure what you need. I'm running on 4.2 BETA, on a Raspberry Pi.

Thanks in advance for any help

[mudmin]

That usually means you have some sort of redirect or are doing something fancy in the middle of your form. Are you using any ajax or javascript?

Every time the page is loaded, you generate a token in the form...

Code:

<input type="hidden" name="csrf" value="<?=Token::generate();?>" >

Then on submission, you get

Code:

$token = Input::get('csrf');

Code:

if(!Token::check($token)){

Code:

die('Token doesn\'t match!');

Code:

}

Because a new token is generated every time the page is loaded, if the one the system has is not the one the user has, then something is reloading the form mid stream. For testing purposes, you can comment out the die statement but it is a good idea to figure out why your page is reloading....

One other thing, you could possibly be calling

Code:

<?=Token::generate();?>

on the page twice or something weird like that. Is that happening?

[waynez]

Thanks for the reply.

I don't appear to have an Ajax or Javascript in the login.php page, just some CSS to change the format/layout

Have confirmed that commenting out `$token = Input::get('csrf');
if(!Token::check($token)){
die('Token doesn\'t match!');
}`

That the page loads correctly.

Just so I'm clear, I've added my new login.php and homepage.php into usersc/ from index.php I've changed the first piece of code
index.php
<pre>

Code:

require_once 'users/init.php';
if(file_exists("usersc/homepage.php")){
    //perform redirect if homepage files exist
    //this if{} block may be deleted once installed
    header("Location: usersc/homepage.php");

</pre>


The top of homepage.php has this code
homepage.php
<pre>

Code:

require_once '../users/init.php';
if (!securePage($_SERVER['PHP_SELF'])){die();}

</pre>


It all appears to redirect correctly, just that login.php ends up with a token error.
link to login.php -

Code:

http://pastebin.com/r19BvB3k

Again thanks for you help with this.

Wayne

[mudmin]

Sorry. I was away for a while. Did you get this figured out?

[gray444]

I seem to get getting two tokens called on the page that you mentioned above. Only on IE, is there anyway to prevent that?

[dan]

Have you verified this on multiple computers? Are you doing this on a live server or on some kind of Local Host?

My first reaction is that something on that machine is acting as a man-in-the-middle. It could be some script or Plugin. It could also be some kind of anti malware or virus scanner.

The only thing I can think of is that somehow the pages being Reloaded

Do you have a live site that I could check on?

[jmac]

I am having the same issue as reported above, I have a form that posts to a new page and when I click on the submit button the token value that is stored in the session variable updates to something new, but the post variable remains as what I would expect the session one to be.

It appears that once the button is clicked the page is being loaded twice or the generate token is being called twice. I have confirmed that the generate token is not on the page twice and that there is no jquery/javascript refreshing the page.

Did you ever work this out? Happy to provide more info if required.

I am using version UserSpice: 4.2.6
Ubuntu Server: Ubuntu 14.04.5 LTS Trusty
Apache 2.4.7
PHP Version 5.5.9-1

Any would love any advice on this.

[mudmin]

Hmm. $_POST to a new page might be where the problem is coming from. I didn't write the token system itself. It's kind of an industry standard thing. I sent this question on to a developer friend of mine. I'll keep you posted.

[jmac]

Hi Mudmin,

I've been going crazy about this issue for a few days and have narrowed it down to this line of code.

Code:

<img src="#" class="img-responsive center" alt="TBA">

If it is on the page I get the above error, if I remove it the token system works are expected.

If I remove the

Code:

#

then the token system works as expected, No idea why.

[firestorm]

the hash forces page refresh on http attributes so my guess is that because its in an img src attribute its forcing page refresh looking for an image source, either add a source url to an image or create a transparent png and link to it, or just remove altogether,