vb.org Archive
Page 1 of 4 1 23 Last »
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   Security token with external search field. (https://vborg.vbsupport.ru/showthread.php?t=203057)

Coume 01-25-2009 03:04 PM
Security token with external search field.
 
Hello,

I copied my original board code to create a search box on my site root and my 404.php page (http://www.mythtvtalk.com and http://www.mythtvtalk.com/404.php).
It worked fine for few hours but now, each time I try to use it, I get the following error:
Quote:
Your submission could not be processed because the token has expired.

Please push the back button and reload the previous window.
After doing some research, it looks like that vb 3.7+ came with a CSRF protection. It is good to know that even searches are protected by vb but how I can overcome that for my own board? I simply need/want a search box on the 2 above pages.

Do you know how this can be tweaked?

Thanks in advance.
Ludo

Coume 01-25-2009 03:28 PM
Dismounted,

Is there a way to generate a security token outside of the forum to use in a search box?
I.e. Generate a token on www.domain.com when the forum is at www.domain.com/forum ?

Thanks in advance.
Ludo

Dismounted 01-26-2009 03:55 AM
See the function fetch_userinfo() in functions.php for the algorithm of the security token.

PS. I have moved your post from your other thread into this one.

Voltar 01-26-2009 01:09 PM
You can have access to a users' security token outside of standard forum pages if you include global.php.

PHP Code:
require_once('./global.php');
print($vbulletin->userinfo['securitytoken']); 
Would print out the hash. To use it in a search box, you would need to create a new hidden field in your form

PHP Code:
<input type="hidden" name="securitytoken" value="<?php echo($vbulletin->userinfo['securitytoken']); ?>" />

Dismounted 01-27-2009 03:23 AM
Yes, but doing that may be a bit excessive when you can generate your own token.

Dismounted 01-27-2009 05:00 AM
Quote:
Originally Posted by Dismounted (Post 1724855)
See the function fetch_userinfo() in functions.php for the algorithm of the security token.
Did you read this post?

Coume 01-27-2009 08:40 PM
Quote:
Originally Posted by Dismounted (Post 1725909)
Did you read this post?
Yep and I managed to re-create a security token.

I can perform searches externaly IF I was not logged in before. If I was already logged in, it looks like my generated security token (using a random user) does not match mine and therefore I hit the error page.

Is there a way to check/test if a security token already exists?
Because if one already use it, I should use this one instead of generate a new one.
I checked the cookie and I can't seem to find the security token in them :/

Any idea?

Thanks
Ludo

Dismounted 01-28-2009 04:27 AM
Security tokens are generated on every page load. You must use the user ID that the user has logged in as (find this in cookies).

Coume 01-28-2009 04:51 AM
Erm, so is there a way to know/check if a user is already logged in and if so, to get his userid? (outside of the forum obviously)

And for guest/not-logged in user, which userid and user_Salt should be used? Because there is no guest member defined in the user table

Thanks for your help

Dismounted 01-28-2009 05:10 AM
Quote:
Originally Posted by Coume (Post 1726865)
Erm, so is there a way to know/check if a user is already logged in and if so, to get his userid? (outside of the forum obviously)
Just use the user ID from their cookie. If the user happen to mess with their cookies, they will just get an error saying the token is incorrect.
Quote:
Originally Posted by Coume (Post 1726865)
And for guest/not-logged in user, which userid and user_Salt should be used? Because there is no guest member defined in the user table
The token is "guest" for not-logged in users.


All times are GMT. The time now is 10:22 PM.
Page 1 of 4 1 23 Last »
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01137 seconds
  • Memory Usage 1,739KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_php_printable
  • (5)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete