TrigZu
04-20-2011, 10:48 PM
So I have a vBulletin powered donation page with this at the top:
// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'DONATE');
define('CSRF_PROTECTION', true);
define('CSRF_SKIP_LIST', 'thankyou');
What I'm doing is having PayPal send the person donating back to the page like this: donate.php?do=thankyou.
Unfortunately, whenever I go to donate.php?do=thankyou with any type of POST (which PayPal uses), it still gives me an invalid token notification. Do I even need to worry about CSRF protection on my donations page if all the content I'm putting on there is my own? Should I just turn it off (tested, and it works off)? Or am I just doing something stupid that I can fix in half a second?
Thanks. :D
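As an added illustration (this is not vBulletin's code and not code from the post), a minimal PHP check of the same shape as the constants above: a POST must carry a valid token unless its `do` action is on the skip list, and a skipped action should only display a page, never record a payment. The field name `securitytoken`, the session token variable and the second skip-list entry are assumptions constructed for the example.

```php
<?php
// Added example, modelled on the constants in the post; not vBulletin's implementation.
// Assumptions: the per-session token is sent as POST field 'securitytoken' and the
// action is read from $_REQUEST['do'], as the ?do=thankyou return URL implies.

const CSRF_PROTECTION = true;
const CSRF_SKIP_LIST  = 'thankyou,help'; // constructed comma-separated list

/** Actions that may be POSTed to without a token (read-only pages only). */
function csrf_skip_list(): array
{
    return array_values(array_filter(array_map('trim', explode(',', CSRF_SKIP_LIST))));
}

/**
 * Return true if the request may proceed. GET never needs a token; a POST must
 * carry a token matching the session copy unless its 'do' action is skipped.
 */
function csrf_check(string $method, array $request, string $sessionToken): bool
{
    if (!CSRF_PROTECTION || $method !== 'POST') {
        return true;
    }
    $action = $request['do'] ?? '';
    if (in_array($action, csrf_skip_list(), true)) {
        // A skipped action must only *display* something (a thank-you page).
        // The donation itself is confirmed out of band with PayPal (IPN/PDT),
        // never trusted from this token-less POST.
        return true;
    }
    $token = $request['securitytoken'] ?? '';
    // Constant-time comparison avoids leaking the token byte by byte.
    return $token !== '' && hash_equals($sessionToken, $token);
}

// Demo: PayPal's return POST carries no forum token, so only the skip list lets it through.
$session = bin2hex(random_bytes(16)); // constructed session token
var_dump(csrf_check('POST', ['do' => 'thankyou', 'txn_id' => 'constructed'], $session));
var_dump(csrf_check('POST', ['do' => 'donate', 'amount' => '5'], $session));
var_dump(csrf_check('POST', ['do' => 'donate', 'securitytoken' => $session], $session));
```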