The Arcive of Official vBulletin Modifications Site.

Coume · #1 01-25-2009, 03:04 PM

Hello,

I copied my original board code to create a search box on my site root and my 404.php page (http://www.mythtvtalk.com and http://www.mythtvtalk.com/404.php).
It worked fine for few hours but now, each time I try to use it, I get the following error:

Quote:

Your submission could not be processed because the token has expired.

Please push the back button and reload the previous window.

After doing some research, it looks like that vb 3.7+ came with a CSRF protection. It is good to know that even searches are protected by vb but how I can overcome that for my own board? I simply need/want a search box on the 2 above pages.

Do you know how this can be tweaked?

Thanks in advance.
Ludo

Coume · #2 01-25-2009, 03:28 PM

Dismounted,

Is there a way to generate a security token outside of the forum to use in a search box?
I.e. Generate a token on www.domain.com when the forum is at www.domain.com/forum ?

Thanks in advance.
Ludo

Dismounted · #3 01-26-2009, 03:55 AM

See the function fetch_userinfo() in functions.php for the algorithm of the security token.

PS. I have moved your post from your other thread into this one.

Voltar · #4 01-26-2009, 01:09 PM

You can have access to a users' security token outside of standard forum pages if you include global.php.

PHP Code:


			
require_once('./global.php');
print($vbulletin->userinfo['securitytoken']);

Would print out the hash. To use it in a search box, you would need to create a new hidden field in your form

PHP Code:


			
<input type="hidden" name="securitytoken" value="<?php echo($vbulletin->userinfo['securitytoken']); ?>" />

Dismounted · #5 01-27-2009, 03:23 AM

Yes, but doing that may be a bit excessive when you can generate your own token.

Dismounted · #6 01-27-2009, 05:00 AM

Quote:

Originally Posted by Dismounted

See the function fetch_userinfo() in functions.php for the algorithm of the security token.

Did you read this post?

Coume · #7 01-27-2009, 08:40 PM

Quote:

Originally Posted by Dismounted

Did you read this post?

Yep and I managed to re-create a security token.

I can perform searches externaly IF I was not logged in before. If I was already logged in, it looks like my generated security token (using a random user) does not match mine and therefore I hit the error page.

Is there a way to check/test if a security token already exists?
Because if one already use it, I should use this one instead of generate a new one.
I checked the cookie and I can't seem to find the security token in them :/

Any idea?

Thanks
Ludo

Dismounted · #8 01-28-2009, 04:27 AM

Security tokens are generated on every page load. You must use the user ID that the user has logged in as (find this in cookies).

Coume · #9 01-28-2009, 04:51 AM

Erm, so is there a way to know/check if a user is already logged in and if so, to get his userid? (outside of the forum obviously)

And for guest/not-logged in user, which userid and user_Salt should be used? Because there is no guest member defined in the user table

Thanks for your help

Dismounted · #10 01-28-2009, 05:10 AM

Quote:

Originally Posted by Coume

Erm, so is there a way to know/check if a user is already logged in and if so, to get his userid? (outside of the forum obviously)

Just use the user ID from their cookie. If the user happen to mess with their cookies, they will just get an error saying the token is incorrect.

Quote:

Originally Posted by Coume

And for guest/not-logged in user, which userid and user_Salt should be used? Because there is no guest member defined in the user table

The token is "guest" for not-logged in users.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.02160 seconds Memory Usage 2,257KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (2)bbcode_php (5)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (2)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!