MakeWebGames

Login problems: Your request has expired for security reasons! Please try again.



Posted

I keep getting this error using Chrome:

Your request has expired for security reasons! Please try again.

But using internet explorer the login works fine. Can anyone help me?

Posted
Site link?

I'm not telling anyone that, sorry. I figure that if someone knows the script (and seen the problem before) they'll be able to help me with the problem without the link to my game.

Posted

This is the function that's causing my headache (in authenticate.php, mccode v2). If you can explain to me how this CSRF-system works and help me to fix it I'll send you $15.

 

// Check CSRF input
if (!isset($_POST['verf'])
       || !verify_csrf_code('login', stripslashes($_POST['verf'])))
{
   die(
           "<h3>{$set['game_name']} Error</h3>
Your request has expired for security reasons! Please try again.<br />
<a href='login.php'>> Back</a>");
}
Posted
I'm not telling anyone that, sorry. I figure that if someone knows the script (and seen the problem before) they'll be able to help me with the problem without the link to my game.

The reason I ask is as I've tested every v2 version I have access to and a few modern browsers with no issue, so really cannot test it out.

If you wish more help tell us the exact v2 version you're using, being able to recreate the issue goes a long way to fixing it.

Cheers.

As for the code, either the verf param isn't being passed or the value set on login.php doesn't match the one that is being retrieved when the function is called from authenticate.php.

Ps: the actual verify_csrf_code function is located in global_func.php (as far as I am aware)

Posted (edited)
The reason I ask is as I've tested every v2 version I have access to and a few modern browsers with no issue, so really cannot test it out.

If you wish more help tell us the exact v2 version you're using, being able to recreate the issue goes a long way to fixing it.

Cheers.

As for the code, either the verf param isn't being passed or the value set on login.php doesn't match the one that is being retrieved when the function is called from authenticate.php.

Ps: the actual verify_csrf_code function is located in global_func.php (as far as I am aware)

The version I'm using is 2.0.5b (from here).

It seems that there's a problem with the functions request_csrf_code() and verify_csrf_code() in authenticate.php. They look like this:

function request_csrf_code($formid)
{
   // Generate the token
   $token = md5(mt_rand());
   // Insert/Update it
   $issue_time = time();
   $_SESSION["csrf_{$formid}"] =
           array('token' => $token, 'issued' => $issue_time);
   return $token;
}

You can see that the token is stored in the session array $_SESSION["csrf_login"].

 

function verify_csrf_code($formid, $code)
{
   // Lookup the token entry
   // Is there a token in existence?
   if (!isset($_SESSION["csrf_{$formid}"])
           || !is_array($_SESSION["csrf_{$formid}"]))
   {
       // Obviously verification fails
       return false;
   }
   else
   {
       // From here on out we always want to remove the token when we're done - so don't return immediately
       $verified = false;
       $token = $_SESSION["csrf_{$formid}"];
       // Expiry time on a form?
       $expiry = 900; // hacky lol
       if ($token['issued'] + $expiry > time())
       {
           // It's ok, check the contents
           $verified = ($token['token'] === $code);
       } // don't need an else case - verified = false
       // Remove the token before finishing
       unset($_SESSION["csrf_{$formid}"]);
       return $verified;
   }
}

 

But when this function tries to get the token it seems to be different, resulting in $verified to always be false. But it works as it should in internet explorer. I'm literally banging my head against the wall here. Can anyone help me out?

Edited by dnenb
Posted

When I change this line:

$token = md5(mt_rand());

to this:

$token = md5('test');

I can login fine. So after reading this post on stackoverflow I'm pretty sure that the token id is set more than once. But I have no clue where that is happening or why it doesn't affect the login in internet explorer.

Posted (edited)

You're looking in the wrong place, the code is fine ( in a way ).

I've sent you a PM, regarding the issue for you to verify for me.

Edited by Djkanna
Posted

Djkanna helped me sort it out! The problem was as implied in my last post that the token was being set multiple times, and therefore not matching.
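
Added example (not from the thread or from the MCCodes source): a replay of the failure described in the last post, where a second request for login.php in the same session overwrites the stored token before the first form is submitted. `$session` stands in for `$_SESSION` so it runs from the CLI, `request_reuse()` and `replay()` are hypothetical names, and the thread does not say what triggered the second request.

```php
<?php
// Added example: $session stands in for $_SESSION so this runs from the CLI.

// Issuing behaviour as posted in the thread: every call overwrites the stored token.
function request_overwrite(array &$session, string $formid): string
{
    $token = md5((string) mt_rand());
    $session["csrf_{$formid}"] = ['token' => $token, 'issued' => time()];
    return $token;
}

// Hypothetical variant: hand back the still-valid token instead of replacing it,
// and draw new tokens from the CSPRNG rather than mt_rand().
function request_reuse(array &$session, string $formid, int $expiry = 900): string
{
    $entry = $session["csrf_{$formid}"] ?? null;
    if (is_array($entry) && $entry['issued'] + $expiry > time()) {
        return $entry['token'];
    }
    $token = bin2hex(random_bytes(16));
    $session["csrf_{$formid}"] = ['token' => $token, 'issued' => time()];
    return $token;
}

// Same one-shot check as verify_csrf_code(), with a constant-time comparison.
function verify(array &$session, string $formid, string $code, int $expiry = 900): bool
{
    $entry = $session["csrf_{$formid}"] ?? null;
    unset($session["csrf_{$formid}"]); // token is always consumed, as in the original
    return is_array($entry)
        && $entry['issued'] + $expiry > time()
        && hash_equals($entry['token'], $code);
}

// Replay the sequence: form rendered, login.php requested again, first form submitted.
function replay(callable $issue): bool
{
    $session = [];
    $inForm = $issue($session, 'login'); // token embedded in the page the user sees
    $issue($session, 'login');           // second hit on login.php, same session
    return verify($session, 'login', $inForm);
}

var_dump(replay('request_overwrite')); // overwriting issuer
var_dump(replay('request_reuse'));     // reusing issuer
```

With the overwriting issuer the submitted token no longer matches the stored one and the login is rejected; with the reusing issuer the form's token is still the stored one, and it is still discarded after a single verification.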
