vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   Security token with external search field. (https://vborg.vbsupport.ru/showthread.php?t=203057)

Coume 01-25-2009 03:04 PM
Security token with external search field.
 
Hello,

I copied my original board code to create a search box on my site root and my 404.php page (http://www.mythtvtalk.com and http://www.mythtvtalk.com/404.php).
It worked fine for few hours but now, each time I try to use it, I get the following error:
Quote:
Your submission could not be processed because the token has expired.

Please push the back button and reload the previous window.
After doing some research, it looks like that vb 3.7+ came with a CSRF protection. It is good to know that even searches are protected by vb but how I can overcome that for my own board? I simply need/want a search box on the 2 above pages.

Do you know how this can be tweaked?

Thanks in advance.
Ludo

Coume 01-25-2009 03:28 PM
Dismounted,

Is there a way to generate a security token outside of the forum to use in a search box?
I.e. Generate a token on www.domain.com when the forum is at www.domain.com/forum ?

Thanks in advance.
Ludo

Dismounted 01-26-2009 03:55 AM
See the function fetch_userinfo() in functions.php for the algorithm of the security token.

PS. I have moved your post from your other thread into this one.

Voltar 01-26-2009 01:09 PM
You can have access to a users' security token outside of standard forum pages if you include global.php.

PHP Code:
require_once('./global.php');
print($vbulletin->userinfo['securitytoken']); 
Would print out the hash. To use it in a search box, you would need to create a new hidden field in your form

PHP Code:
<input type="hidden" name="securitytoken" value="<?php echo($vbulletin->userinfo['securitytoken']); ?>" />

Dismounted 01-27-2009 03:23 AM
Yes, but doing that may be a bit excessive when you can generate your own token.

Dismounted 01-27-2009 05:00 AM
Quote:
Originally Posted by Dismounted (Post 1724855)
See the function fetch_userinfo() in functions.php for the algorithm of the security token.
Did you read this post?

Coume 01-27-2009 08:40 PM
Quote:
Originally Posted by Dismounted (Post 1725909)
Did you read this post?
Yep and I managed to re-create a security token.

I can perform searches externaly IF I was not logged in before. If I was already logged in, it looks like my generated security token (using a random user) does not match mine and therefore I hit the error page.

Is there a way to check/test if a security token already exists?
Because if one already use it, I should use this one instead of generate a new one.
I checked the cookie and I can't seem to find the security token in them :/

Any idea?

Thanks
Ludo

Dismounted 01-28-2009 04:27 AM
Security tokens are generated on every page load. You must use the user ID that the user has logged in as (find this in cookies).

Coume 01-28-2009 04:51 AM
Erm, so is there a way to know/check if a user is already logged in and if so, to get his userid? (outside of the forum obviously)

And for guest/not-logged in user, which userid and user_Salt should be used? Because there is no guest member defined in the user table

Thanks for your help

Dismounted 01-28-2009 05:10 AM
Quote:
Originally Posted by Coume (Post 1726865)
Erm, so is there a way to know/check if a user is already logged in and if so, to get his userid? (outside of the forum obviously)
Just use the user ID from their cookie. If the user happen to mess with their cookies, they will just get an error saying the token is incorrect.
Quote:
Originally Posted by Coume (Post 1726865)
And for guest/not-logged in user, which userid and user_Salt should be used? Because there is no guest member defined in the user table
The token is "guest" for not-logged in users.

JonZ 04-08-2009 09:56 AM
Quote:
Originally Posted by Voltar (Post 1725161)
You can have access to a users' security token outside of standard forum pages if you include global.php.

PHP Code:
require_once('./global.php');
print($vbulletin->userinfo['securitytoken']); 
Would print out the hash. To use it in a search box, you would need to create a new hidden field in your form

PHP Code:
<input type="hidden" name="securitytoken" value="<?php echo($vbulletin->userinfo['securitytoken']); ?>" />


Oh thanks man, it working! I hit my head on a wall for days on this problem.

TJ3 04-22-2009 02:29 AM
Having the same problem here!

Where does this code go?

require_once('./global.php');
print($vbulletin->userinfo['securitytoken']);

Dismounted 04-22-2009 07:03 AM
This thread only applies if you are creating your own files - are you doing this?

TJ3 04-22-2009 02:51 PM
Problem has been solved, thanks for checking in.

This was for a search box outside of the existing ones, so it needed to generate the token.

theybannedme 04-24-2009 05:22 PM
Quote:
Originally Posted by TJ3 (Post 1796772)
Problem has been solved, thanks for checking in.

This was for a search box outside of the existing ones, so it needed to generate the token.
Would you mind explaining how you did it step by step? Thanks much.

Dismounted 04-25-2009 10:26 AM
Including global.php will generate a token automatically, otherwise, you can generate one yourself.

theybannedme 04-25-2009 02:01 PM
Thanks for the quick response. I'm trying to do this on a wordpress page. On the appropriate php file for the template sidebar of WP I put this code:

Code:
<?php $vwd = '/home/domains/theybannedme.com/www_root/forums';
if ($vwd)
{
    chdir($vwd);
}

require_once ('/home/domains/theybannedme.com/www_root/forums/global.php');
print($vbulletin->userinfo['securitytoken']); ?>


<div class="sidebar-item">
<form action="http://www.theybannedme.com/forums/memberlist.php?do=search" method="post" name="search">
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="process" />
<input type="hidden" name="showposts" value="0" />
<input type="hidden" name="quicksearch" value="1" />
<input type="text" name="query" size="20" value="Search" onfocus="this.value=''" />&nbsp;
<input type="submit" value="Go" name="gobutton">
</form>
</div>
It gives me the search bar but when I try to search, I get the vbulletin error telling me invalid security token (before it said token was "missing" but after tweaking it says "invalid" so I think I'm close). Did I put it in the right place? Is my code messed up? Thank you again.

Dismounted 04-26-2009 05:20 AM
$bbuserinfo can only be used inside vBulletin templates.
Code:
<input type="hidden" name="securitytoken" value="<?php echo $vbulletin->userinfo['securitytoken']; ?>" />

theybannedme 04-26-2009 06:01 AM
Using this:

Code:
<?php $vwd = '/home/domains/theybannedme.com/www_root/forums';
if ($vwd)
{
    chdir($vwd);
}

require_once ('/home/domains/theybannedme.com/www_root/forums/global.php');
print($vbulletin->userinfo['securitytoken']); ?>


<form action="http://www.theybannedme.com/forums/memberlist.php?do=search" method="post" name="search">
<input type="hidden" name="securitytoken" value="<?php echo $vbulletin->userinfo['securitytoken']; ?>" />
<input type="hidden" name="do" value="process" />
<input type="hidden" name="showposts" value="0" />
<input type="hidden" name="quicksearch" value="1" />
<input type="text" name="query" size="20" value="Search" onfocus="this.value=''" />&nbsp;
<input type="submit" value="Go" name="gobutton">
</form>
Now I get this. :(

Quote:
Your submission could not be processed because a security token was missing.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.
Thank you for your help.

Dismounted 04-26-2009 10:19 AM
View the source of the page - is there a token there?

theybannedme 04-27-2009 04:43 PM
Yes, it has a security token in the source code but it says invalid:

Code:
var SESSIONURL = "";
var SECURITYTOKEN = "1240854144-f86c4260645d2[remainder deleted for security reasons]";
var IMGDIR_MISC = "lunablack/misc";
var vb_disable_ajax = parseInt("0", 10);

Dismounted 04-28-2009 07:12 AM
I'm talking about the hidden input...
Code:
<input type="hidden" name="securitytoken" value="SOMETHINGHERE" />

theybannedme 04-30-2009 02:59 PM
This is on the search page:

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
This is on the results (invalid security token) page:

Code:
var SECURITYTOKEN = "LONG STRING OF NUMBERS/LETTERS";

Lynne 04-30-2009 03:20 PM
Your input field is not correct - the echo statement is wrong. You'll need to play with it... perhaps ". $bbuserinfo['var'] ." ?

theybannedme 05-01-2009 02:49 AM
Quote:
Originally Posted by Lynne (Post 1801874)
Your input field is not correct - the echo statement is wrong. You'll need to play with it... perhaps ". $bbuserinfo['var'] ." ?
Thanks for your suggestion. I tried it but am getting an identical result. Perhaps this cannot be done?

Dismounted 05-01-2009 05:31 AM
Why are you reading the "var SECURITYTOKEN = " bit? That is the vBulletin Javascript, not your input - you need to look at the input's code in the source...

theybannedme 05-02-2009 10:31 PM
Quote:
Originally Posted by Dismounted (Post 1802325)
Why are you reading the "var SECURITYTOKEN = " bit? That is the vBulletin Javascript, not your input - you need to look at the input's code in the source...
I'm sorry, I'm techtarded and I don't understand. :(

Dismounted 05-03-2009 04:46 AM
When you've loaded up the page in your browser, view the source, and find this line:
Code:
<input type="hidden" name="securitytoken" value="

theybannedme 05-17-2009 04:19 AM
Quote:
Originally Posted by Dismounted (Post 1803400)
When you've loaded up the page in your browser, view the source, and find this line:
Code:
<input type="hidden" name="securitytoken" value="
This is what I have, which is what I coded in. So confused, I feel like I'm just going in circles.

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

NetRover 06-03-2009 11:08 AM
Quote:
Originally Posted by theybannedme (Post 1812230)
This is what I have, which is what I coded in. So confused, I feel like I'm just going in circles.

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
Hi there, I'm far from an expert and this thread has just resolved my problem creating my own search.

Are you sure you need the full server path to your global.php?

Mine is fine copying the example exactly and using:
Code:
<?php
require_once('./global.php');

?>
My custom search file is within the forum root folder though.

pmquist 01-06-2011 09:05 PM
I have read, and I have tried all that is in this thread. Sometimes it work and sometimes it does not.
I am not sure if this thread says it is impossible to solve this security token problem or not. So please, if there is a solution please let me know :-)
And if there?s no solution, I would be grateful to learn about that as well.

:confused::confused:


All times are GMT. The time now is 05:26 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01301 seconds
  • Memory Usage 1,819KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (12)bbcode_code_printable
  • (4)bbcode_php_printable
  • (12)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (31)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete