[uran235]

What does this message mean?  And can I do s.th. about it?

I noticed that this sometimes just comes up when I submit a test message.

[Steven]

Hi uran235,

Each time you view the form, the script puts a random string into your browser session. It puts the same random string in a hidden form input. Then when you submit the form, the script compares to see if the string from your session matches with the one from the hidden form input. By doing this, it ensures that it was yourself that submitted the form and not some script on another site submitting it for you without you even knowing. This is commonly known as a CSRF (Cross-Site Request Forgery) attack.

As to why it's sporadically happening for you, I can think of a couple of reasons. Firstly you might have viewed the form and not submitted it for a while afterwards, meaning that your session has expired. Secondly it's possible that you might have viewed the form, viewed a second form and then submitted the first form. I haven't confirmed but I imagine the first form would be checking if its hidden input matches with the second form's session. Do either of those cases seem plausible?

If it's not of a particular concern to you or you have other security features enabled (ReCaptcha) that do the same then you can disable this by opening /frontend/controller/main/form.php and commenting out this line:

PHP Code:

<?php 

$json['result']['error'] = $this->data['lang_error_csrf']; 

[uran235]

Thank you for your answer. 
I must have completly messed up s.th. Don't know what,tho. It worked a few days ago
I had not much time for testing a few days but now I enter a page with the comment form enabled. I enter no text or s.th. Just hit submit.
Then the message with that missing security token appears.
If it helps I can send you link to my page.

[Steven]

It sounds like a session problem. Does the admin area work okay? If so, the issue might be specific to the page where you've integrated Commentics. Do you have the session_start(); line of code at the beginning of the file, like in example1.php? Do you have cookies enabled in your browser?

[uran235]

I didnT change anything in the files. If I remember right.   
So the session_start(); is there. In the backend no errors were shown.

So, now I commented out the line as you suggested and posting seems to work again. I will test later again. Have to work now

Thank you very much so far  

GREETING uran235

[Jeremy Young]

I have been encountering this because I have a lot of comments to answer and I like to open a batch of comments in separate tabs then work through them. Clearly from your explanation this will have caused the missing token problem. I will now blank out the relvant line - but maybe the ability to do so could be added to the backend control panel.

[Steven]

What version are you on? This was all fixed in the latest.

[beta]

What version are you on? This was all fixed in the latest.

hi steven

the problem no fixed for me in v3.2

the recaptcha v2 error after submit comment:
error_incorrect_recaptcha


im disabled check CSRF and test again , problem not fix!

commentics setup in my multiple pages with php and smarty template and utf-8 non-english language:

PHP Code:

<?php



session_start();

/**

* 

* Website Page Code

*

**/



ob_start();

    $cmtx_identifier = $id;

    $cmtx_reference  = $title;

    $cmtx_folder     = '/app/comment/';

    require($_SERVER['DOCUMENT_ROOT'] . $cmtx_folder . 'frontend/index.php');

    $comments = ob_get_clean();

    $smarty->assign('comments', $comments); // box of commentics 

[Steven]

Can you provide a link to your page to help me determine what's happening?

[cd5ssmffan]

Hi uran235,

Each time you view the form, the script puts a random string into your browser session. It puts the same random string in a hidden form input. Then when you submit the form, the script compares to see if the string from your session matches with the one from the hidden form input. By doing this, it ensures that it was yourself that submitted the form and not some script on another site submitting it for you without you even knowing. This is commonly known as a CSRF (Cross-Site Request Forgery) attack.

As to why it's sporadically happening for you, I can think of a couple of reasons. Firstly you might have viewed the form and not submitted it for a while afterwards, meaning that your session has expired. Secondly it's possible that you might have viewed the form, viewed a second form and then submitted the first form. I haven't confirmed but I imagine the first form would be checking if its hidden input matches with the second form's session. Do either of those cases seem plausible?

If it's not of a particular concern to you or you have other security features enabled (ReCaptcha) that do the same then you can disable this by opening /frontend/controller/main/form.php and commenting out this line:

PHP Code:

<?php 

$json['result']['error'] = $this->data['lang_error_csrf'];