Security token with external search field.


Coume
01-25-2009, 03:04 PM
Hello,

I copied my original board code to create a search box on my site root and my 404.php page (http://www.mythtvtalk.com and http://www.mythtvtalk.com/404.php).
It worked fine for a few hours, but now, each time I try to use it, I get the following error:
Your submission could not be processed because the token has expired.

Please push the back button and reload the previous window.

After doing some research, it looks like vB 3.7+ came with CSRF protection. It is good to know that even searches are protected by vB, but how can I overcome that for my own board? I simply need/want a search box on the 2 above pages.

Do you know how this can be tweaked?

Thanks in advance.
Ludo

Coume
01-25-2009, 03:28 PM
Dismounted,

Is there a way to generate a security token outside of the forum to use in a search box?
I.e. Generate a token on www.domain.com when the forum is at www.domain.com/forum ?

Thanks in advance.
Ludo

Dismounted
01-26-2009, 03:55 AM
See the function fetch_userinfo() in functions.php for the algorithm of the security token.

PS. I have moved your post from your other thread into this one.

Voltar
01-26-2009, 01:09 PM
You can have access to a user's security token outside of standard forum pages if you include global.php.

require_once('./global.php');
print($vbulletin->userinfo['securitytoken']);

Would print out the hash. To use it in a search box, you would need to create a new hidden field in your form

<input type="hidden" name="securitytoken" value="<?php echo($vbulletin->userinfo['securitytoken']); ?>" />

Dismounted
01-27-2009, 03:23 AM
Yes, but doing that may be a bit excessive when you can generate your own token.

Dismounted
01-27-2009, 05:00 AM
See the function fetch_userinfo() in functions.php for the algorithm of the security token.
Did you read this post?

Coume
01-27-2009, 08:40 PM
Did you read this post?

Yep and I managed to re-create a security token.

I can perform searches externally IF I was not logged in before. If I was already logged in, it looks like my generated security token (using a random user) does not match mine and therefore I hit the error page.

Is there a way to check/test if a security token already exists?
Because if one is already in use, I should use this one instead of generating a new one.
I checked the cookie and I can't seem to find the security token in them :/

Any idea?

Thanks
Ludo

Dismounted
01-28-2009, 04:27 AM
Security tokens are generated on every page load. You must use the user ID that the user has logged in as (find this in cookies).

Coume
01-28-2009, 04:51 AM
Erm, so is there a way to know/check if a user is already logged in and if so, to get his userid? (outside of the forum obviously)

And for guest/not-logged in user, which userid and user_Salt should be used? Because there is no guest member defined in the user table

Thanks for your help

Dismounted
01-28-2009, 05:10 AM
Erm, so is there a way to know/check if a user is already logged in and if so, to get his userid? (outside of the forum obviously)
Just use the user ID from their cookie. If the user happens to mess with their cookies, they will just get an error saying the token is incorrect.
And for guest/not-logged in user, which userid and user_Salt should be used? Because there is no guest member defined in the user table
The token is "guest" for not-logged in users.
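
The behaviour described in the posts above (a token that stops working after a few hours, one that fails when it was built for a different user than the one logged in, and the literal "guest" for visitors who are not logged in), as an added PHP example that is not part of the thread and is not vBulletin's code. The HMAC construction, SERVER_SECRET, TOKEN_LIFETIME, the sample salts and the function names are assumptions for illustration; the forum's real algorithm is the one in fetch_userinfo().

```php
<?php
// Added illustration, not vBulletin source: the secret, the HMAC construction
// and the 3-hour lifetime are assumptions chosen for this sketch.
const SERVER_SECRET  = 'constructed-demo-secret';
const TOKEN_LIFETIME = 10800; // seconds

function make_token(int $userId, string $userSalt, int $now): string
{
    if ($userId === 0) {
        return 'guest'; // per the thread, guests carry the literal token "guest"
    }
    // Per-user key: changes with the user ID and that user's salt.
    $userKey = hash_hmac('sha256', $userId . '|' . $userSalt, SERVER_SECRET);
    // Bind the issue time so the token can expire without server-side state.
    return $now . '-' . hash_hmac('sha256', (string) $now, $userKey);
}

function check_token(string $token, int $userId, string $userSalt, int $now): string
{
    if ($token === '') {
        return 'missing';
    }
    if ($userId === 0) {
        return $token === 'guest' ? 'ok' : 'invalid';
    }
    $parts = explode('-', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'invalid';
    }
    $issued = (int) $parts[0];
    // Recompute for the *session's* user and compare in constant time.
    if (!hash_equals(make_token($userId, $userSalt, $issued), $token)) {
        return 'invalid';
    }
    return ($issued > $now || $now - $issued > TOKEN_LIFETIME) ? 'expired' : 'ok';
}

// Constructed sample data: two users and an issue time.
$t0 = 1233000000;
$pasted    = make_token(42, 'saltA', $t0);      // token copied into static HTML
$wrongUser = make_token(7, 'saltB', $t0 + 60);  // token built for some other user

echo check_token($pasted, 42, 'saltA', $t0 + 60), "\n";       // fresh, same user
echo check_token($pasted, 42, 'saltA', $t0 + 4 * 3600), "\n"; // static copy, hours later
echo check_token($wrongUser, 42, 'saltA', $t0 + 120), "\n";   // other user's token
echo check_token('guest', 0, '', $t0), "\n";                  // not logged in
```

For an external search box this means the hidden field has to be rendered by PHP on each page load, for the user the forum session belongs to, rather than pasted into static HTML.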

JonZ
04-08-2009, 09:56 AM
You can have access to a user's security token outside of standard forum pages if you include global.php.

require_once('./global.php');
print($vbulletin->userinfo['securitytoken']);

Would print out the hash. To use it in a search box, you would need to create a new hidden field in your form

<input type="hidden" name="securitytoken" value="<?php echo($vbulletin->userinfo['securitytoken']); ?>" />



Oh thanks man, it's working! I hit my head on a wall for days on this problem.

TJ3
04-22-2009, 02:29 AM
Having the same problem here!

Where does this code go?

require_once('./global.php');
print($vbulletin->userinfo['securitytoken']);

Dismounted
04-22-2009, 07:03 AM
This thread only applies if you are creating your own files - are you doing this?

TJ3
04-22-2009, 02:51 PM
Problem has been solved, thanks for checking in.

This was for a search box outside of the existing ones, so it needed to generate the token.

theybannedme
04-24-2009, 05:22 PM
Problem has been solved, thanks for checking in.

This was for a search box outside of the existing ones, so it needed to generate the token.

Would you mind explaining how you did it step by step? Thanks much.

Dismounted
04-25-2009, 10:26 AM
Including global.php will generate a token automatically, otherwise, you can generate one yourself.

theybannedme
04-25-2009, 02:01 PM
Thanks for the quick response. I'm trying to do this on a WordPress page. In the appropriate PHP file for the template sidebar of WP I put this code:

<?php $vwd = '/home/domains/theybannedme.com/www_root/forums';
if ($vwd)
{
chdir($vwd);
}

require_once ('/home/domains/theybannedme.com/www_root/forums/global.php');
print($vbulletin->userinfo['securitytoken']); ?>


<div class="sidebar-item">
<form action="http://www.theybannedme.com/forums/memberlist.php?do=search" method="post" name="search">
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="process" />
<input type="hidden" name="showposts" value="0" />
<input type="hidden" name="quicksearch" value="1" />
<input type="text" name="query" size="20" value="Search" onfocus="this.value=''" />&nbsp;
<input type="submit" value="Go" name="gobutton">
</form>
</div>


It gives me the search bar but when I try to search, I get the vbulletin error telling me invalid security token (before it said token was "missing" but after tweaking it says "invalid" so I think I'm close). Did I put it in the right place? Is my code messed up? Thank you again.

Dismounted
04-26-2009, 05:20 AM
$bbuserinfo can only be used inside vBulletin templates.
<input type="hidden" name="securitytoken" value="<?php echo $vbulletin->userinfo['securitytoken']; ?>" />

theybannedme
04-26-2009, 06:01 AM
Using this:

<?php $vwd = '/home/domains/theybannedme.com/www_root/forums';
if ($vwd)
{
chdir($vwd);
}

require_once ('/home/domains/theybannedme.com/www_root/forums/global.php');
print($vbulletin->userinfo['securitytoken']); ?>


<form action="http://www.theybannedme.com/forums/memberlist.php?do=search" method="post" name="search">
<input type="hidden" name="securitytoken" value="<?php echo $vbulletin->userinfo['securitytoken']; ?>" />
<input type="hidden" name="do" value="process" />
<input type="hidden" name="showposts" value="0" />
<input type="hidden" name="quicksearch" value="1" />
<input type="text" name="query" size="20" value="Search" onfocus="this.value=''" />&nbsp;
<input type="submit" value="Go" name="gobutton">
</form>

Now I get this. :(

Your submission could not be processed because a security token was missing.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.

Thank you for your help.

Dismounted
04-26-2009, 10:19 AM
View the source of the page - is there a token there?

theybannedme
04-27-2009, 04:43 PM
Yes, it has a security token in the source code but it says invalid:

var SESSIONURL = "";
var SECURITYTOKEN = "1240854144-f86c4260645d2[remainder deleted for security reasons]";
var IMGDIR_MISC = "lunablack/misc";
var vb_disable_ajax = parseInt("0", 10);

Dismounted
04-28-2009, 07:12 AM
I'm talking about the hidden input...
<input type="hidden" name="securitytoken" value="SOMETHINGHERE" />

theybannedme
04-30-2009, 02:59 PM
This is on the search page:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />


This is on the results (invalid security token) page:

var SECURITYTOKEN = "LONG STRING OF NUMBERS/LETTERS";

Lynne
04-30-2009, 03:20 PM
Your input field is not correct - the echo statement is wrong. You'll need to play with it... perhaps ". $bbuserinfo['var'] ." ?

theybannedme
05-01-2009, 02:49 AM
Your input field is not correct - the echo statement is wrong. You'll need to play with it... perhaps ". $bbuserinfo['var'] ." ?

Thanks for your suggestion. I tried it but am getting an identical result. Perhaps this cannot be done?

Dismounted
05-01-2009, 05:31 AM
Why are you reading the "var SECURITYTOKEN = " bit? That is the vBulletin Javascript, not your input - you need to look at the input's code in the source...

theybannedme
05-02-2009, 10:31 PM
Why are you reading the "var SECURITYTOKEN = " bit? That is the vBulletin Javascript, not your input - you need to look at the input's code in the source...

I'm sorry, I'm techtarded and I don't understand. :(

Dismounted
05-03-2009, 04:46 AM
When you've loaded up the page in your browser, view the source, and find this line:
<input type="hidden" name="securitytoken" value="

theybannedme
05-17-2009, 04:19 AM
When you've loaded up the page in your browser, view the source, and find this line:
<input type="hidden" name="securitytoken" value="

This is what I have, which is what I coded in. So confused, I feel like I'm just going in circles.

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

NetRover
06-03-2009, 11:08 AM
This is what I have, which is what I coded in. So confused, I feel like I'm just going in circles.

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />


Hi there, I'm far from an expert and this thread has just resolved my problem creating my own search.

Are you sure you need the full server path to your global.php?

Mine is fine copying the example exactly and using:
<?php
require_once('./global.php');

?>

My custom search file is within the forum root folder though.

pmquist
01-06-2011, 09:05 PM
I have read, and I have tried all that is in this thread. Sometimes it works and sometimes it does not.
I am not sure if this thread says it is impossible to solve this security token problem or not. So please, if there is a solution please let me know :-)
And if there's no solution, I would be grateful to learn about that as well.

:confused::confused: