Problem with checkToken and IE8??

jenstechs 09 Sep, 2009
Question about the checkToken part of ChronoForms.

I have left checkToken enabled because, from what I understand, it's part of the Joomla security to prevent CSRF attacks. For the most part, my users haven't had any issue.

But twice now, I've had users complain about the "You are not authorized to access this page" error. (We discussed a similar issue here: http://www.chronoengine.com/forums/index.php?option=com_chronoforums&cont=posts&f=2&t=15644&p=39867&hilit=CSRF#p39867) I thought it was a cookie issue, the checkToken not being set properly or something. But my client said he's using IE8 and it is set up to "accept all cookies". So I was wondering if there's some known incompatibility with IE8?? He downloaded the latest Firefox and it worked.

Interestingly, the other client was using Firefox 3.5 on OS 10.6 when he came across that error. When he switched to Safari, it worked fine.

Anybody else run into these problems??

Jenny

GreyHead 10 Sep, 2009
Hi Jenny,

We've seen them occasionally since the check-token was introduced. I think that's why Max added the option to turn it off. It does increase the risk, but unless you have a high-traffic or high-vulnerability site (one that people try to hack) then you are probably OK in practice.

On the other hand, the same security token code is present on all of the Joomla standard forms and rarely seems to cause problems there...

Bob