
The form is missing a security token. Please try again.
#1

What does this message mean?  And can I do s.th. about it?

I noticed that this sometimes just comes up when I submit a test message.
Reply
#2

Hi uran235,

Each time you view the form, the script puts a random string into your browser session. It puts the same random string in a hidden form input. Then when you submit the form, the script compares to see if the string from your session matches with the one from the hidden form input. By doing this, it ensures that it was yourself that submitted the form and not some script on another site submitting it for you without you even knowing. This is commonly known as a CSRF (Cross-Site Request Forgery) attack.

As to why it's sporadically happening for you, I can think of a couple of reasons. Firstly you might have viewed the form and not submitted it for a while afterwards, meaning that your session has expired. Secondly it's possible that you might have viewed the form, viewed a second form and then submitted the first form. I haven't confirmed but I imagine the first form would be checking if its hidden input matches with the second form's session. Do either of those cases seem plausible?

If it's not of a particular concern to you or you have other security features enabled (ReCaptcha) that do the same then you can disable this by opening /frontend/controller/main/form.php and commenting out this line:

PHP Code:
<?php
$json['result']['error'] = $this->data['lang_error_csrf'];

Have you completed the interview?
Reply
#3

Thank you for your answer. 
I must have completely messed up s.th. Don't know what, tho. It worked a few days ago Huh
I had not much time for testing a few days but now I enter a page with the comment form enabled. I enter no text or s.th. Just hit submit.
Then the message with that missing security token appears.
If it helps I can send you link to my page.
Reply
#4

It sounds like a session problem. Does the admin area work okay? If so, the issue might be specific to the page where you've integrated Commentics. Do you have the session_start(); line of code at the beginning of the file, like in example1.php? Do you have cookies enabled in your browser?

Reply
#5

I didn't change anything in the files. If I remember right.  Angel 
So the session_start(); is there. In the backend no errors were shown.

So, now I commented out the line as you suggested and posting seems to work again. I will test later again. Have to work now Dodgy

Thank you very much so far Heart 

GREETING uran235
Reply
#6

I have been encountering this because I have a lot of comments to answer and I like to open a batch of comments in separate tabs then work through them. Clearly from your explanation this will have caused the missing token problem. I will now blank out the relevant line - but maybe the ability to do so could be added to the backend control panel.
Reply
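
One way to avoid the multi-tab failure described in posts #2 and #6, as an added example that is not Commentics code and not the fix shipped in its later version: keep a small pool of per-form tokens in the session instead of a single one. The function names, session key, pool cap and token lifetime are assumptions chosen for illustration.

```php
<?php
// Added example: per-form CSRF tokens kept in a session pool, so several
// open tabs each hold a valid token. All names here are hypothetical.

const CSRF_POOL_KEY   = 'csrf_pool'; // hypothetical session key
const CSRF_MAX_TOKENS = 20;          // cap the pool so the session cannot grow unbounded
const CSRF_TTL        = 3600;        // seconds a token stays valid

// Call when rendering a form; put the return value in the hidden input.
function csrf_issue(array &$session, ?int $now = null): string
{
    $now = $now ?? time();
    $token = bin2hex(random_bytes(32));
    $session[CSRF_POOL_KEY][$token] = $now;
    // Drop the oldest entries once the cap is exceeded (insertion order is kept).
    if (count($session[CSRF_POOL_KEY]) > CSRF_MAX_TOKENS) {
        $session[CSRF_POOL_KEY] = array_slice($session[CSRF_POOL_KEY], -CSRF_MAX_TOKENS, null, true);
    }
    return $token;
}

// Call on submit; a token is accepted once, and only while it is fresh.
function csrf_check(array &$session, string $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    $pool = $session[CSRF_POOL_KEY] ?? [];
    foreach ($pool as $token => $issuedAt) {
        // hash_equals compares in constant time.
        if (hash_equals((string) $token, $submitted)) {
            unset($session[CSRF_POOL_KEY][$token]); // single use
            return ($now - $issuedAt) <= CSRF_TTL;
        }
    }
    return false;
}

// Constructed demo: a plain array stands in for $_SESSION.
$session = [];
$tabA = csrf_issue($session, 1000);             // form opened in the first tab
$tabB = csrf_issue($session, 1010);             // second tab opened before the first is submitted
var_dump(csrf_check($session, $tabA, 1020));    // first tab submitted after the second was opened
var_dump(csrf_check($session, $tabA, 1030));    // same token submitted a second time
var_dump(csrf_check($session, $tabB, 1040));    // second tab submitted
var_dump(csrf_check($session, 'forged', 1050)); // value that was never issued
```

In a real page, pass `$_SESSION` after `session_start();` in place of the demo array.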
#7

What version are you on? This was all fixed in the latest.

Reply
#8

(06-Oct-2017, 08:14 PM)Steven Wrote:  What version are you on? This was all fixed in the latest.

hi steven

the problem is not fixed for me in v3.2

the recaptcha v2 error after submit comment:
error_incorrect_recaptcha


I disabled the CSRF check and tested again, problem not fixed!

commentics setup in my multiple pages with php and smarty template and utf-8 non-english language:


PHP Code:
<?php

session_start();
/**
*
* Website Page Code
*
**/

ob_start();
    $cmtx_identifier = $id;
    $cmtx_reference  = $title;
    $cmtx_folder     = '/app/comment/';
    require($_SERVER['DOCUMENT_ROOT'] . $cmtx_folder . 'frontend/index.php');
    $comments = ob_get_clean();
    $smarty->assign('comments', $comments); // box of commentics


what i work?

thanks
Reply
#9

Can you provide a link to your page to help me determine what's happening?

Reply
#10

(15-Jan-2017, 04:02 PM)Steven Wrote:  Hi uran235,

Each time you view the form, the script puts a random string into your browser session. It puts the same random string in a hidden form input. Then when you submit the form, the script compares to see if the string from your session matches with the one from the hidden form input. By doing this, it ensures that it was yourself that submitted the form and not some script on another site submitting it for you without you even knowing. This is commonly known as a CSRF (Cross-Site Request Forgery) attack.

As to why it's sporadically happening for you, I can think of a couple of reasons. Firstly you might have viewed the form and not submitted it for a while afterwards, meaning that your session has expired. Secondly it's possible that you might have viewed the form, viewed a second form and then submitted the first form. I haven't confirmed but I imagine the first form would be checking if its hidden input matches with the second form's session. Do either of those cases seem plausible?

If it's not of a particular concern to you or you have other security features enabled (ReCaptcha) that do the same then you can disable this by opening /frontend/controller/main/form.php and commenting out this line:

PHP Code:
<?php
$json['result']['error'] = $this->data['lang_error_csrf'];

I can't find this line in the file, it doesn't exist.

Edit: I've found somewhere in the admin panel that you can disable csrf. I'm not that bothered anyway, what can they do, make a php script to post comments on my site? Big Grin
Reply

