Unset POST by CSRF protection in main.inc.php (POST for this token was already done or was done by a not allowed web page with a wrong token). #13111
Comments
The problem here is not the delay but the fact that you open another page, and the feature to protect by token is still in development and is not yet finished. When development is finished, this will not happen.
Oh, sorry, I hadn't seen it was due to the activation of experimental features.
Another explanation is that there is an external module that loads a PHP file in the background (for example a link to a css.php or js.php file, or an Ajax call) and the file does not include the line: `if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1'); // Disables token renewal`. If this is the case, this may trigger this error even with the "stable" level. But in such a case, it means the module is not compatible with v11 and up.
Thanks @eldy for the explanation; so I have to modify all my modules to add this in css.php, js.php and Ajax-called scripts? (I did not find this in the ChangeLog.)
Hello, I have the same problem with one installation. I did an update from Dolibarr 9.0.4 to 11.0.2 and now get the message.
But there is no 'hidden config' entry with CSRF, or it is not shown. Can I overwrite this in config.php or so? Otherwise I have to look for direct database access to edit it in llx_c_const?
We now have access to the database and I checked the llx_const table, and there was no Comment: Could this possibly have been a reason for the CSRF warning?
I guess that the security token is activated by default in v11 and that you can deactivate it with the hidden constant.
Yes, you have to. Forms must add the field, and Ajax and CSS pages must add the constant.
Yes, the installation was in MAIN_FEATURES_LEVEL 2. Is it possible to check this before the Dolibarr update runs, to give a warning?
This issue is stale because it has been open 1 year with no activity. If this is a bug, please comment to confirm it is still present on the latest stable version. If this is a feature request, please comment to notify that the request is still relevant and not yet covered by the latest stable version. This issue may be closed automatically by the stale bot in 10 days (you should still be able to re-open it if required).
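The two module-side changes the comments above describe (the NOTOKENRENEWAL define for background-loaded css.php/js.php/Ajax scripts, and the token field in forms), as an added example that is not code from this issue or from Dolibarr itself; the module name `mymodule`, its file paths and the form fields are constructed for illustration, and the save logic is left out.

```php
<?php
// Added example, not Dolibarr's own code. Module name, paths and fields are constructed.
//
// ---- File 1: htdocs/mymodule/css/mymodule.css.php ----
// Dynamic CSS/JS files and Ajax endpoints are fetched in the background while a
// page with a form is still open. Each include of main.inc.php normally rotates
// the session token, so the token already printed into that open form would no
// longer match and its POST would be dropped with the warning from this issue.
// Defining NOTOKENRENEWAL before the include keeps the current token intact.
if (!defined('NOTOKENRENEWAL')) {
    define('NOTOKENRENEWAL', '1'); // Disables token renewal
}
require '../../main.inc.php';

header('Content-Type: text/css');
print ".mymodule-highlight { background: #ffd; }\n";

// ---- File 2: htdocs/mymodule/card.php ----
// A page that renders and handles a form. It does NOT define NOTOKENRENEWAL:
// a normal page load is allowed to get a fresh token, which it then embeds
// in the form so main.inc.php can check it on the next POST.
require '../main.inc.php';

$action = GETPOST('action', 'aZ09');
if ($action == 'save') {
    // Reached only when the submitted token matched the session token.
    // On a mismatch main.inc.php has already unset $_POST, so GETPOST()
    // returns an empty value here and nothing must be saved.
    $label = GETPOST('label', 'alpha');
    if ($label !== '') {
        // persist $label here (omitted, not the point of this example)
    }
}

print '<form method="POST" action="'.$_SERVER['PHP_SELF'].'">';
// The hidden token field is what makes the POST acceptable to the CSRF check.
// $_SESSION['newtoken'] holds the token main.inc.php generated for this page.
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="save">';
print '<input type="text" name="label">';
print '<input type="submit" value="Save">';
print '</form>';
```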
Instructions
Everywhere, Dolibarr keeps saying this to the users:
Bug
Unset POST by CSRF protection in main.inc.php (POST for this token was already done or was done by a not allowed web page with a wrong token).
Environment
Expected and actual behavior
Dolibarr must be user friendly, or it's its future which is compromised.
I have already seen open source projects die for less than that.
Steps to reproduce the behavior
Wait on a page, open two pages, use history, etc.
Attached files
We can't leave this like this; normal humans don't understand what we are talking about and don't want to lose their usage history; they want to have their pages open for hours.
Example:
For sure BOB will complain about Dolibarr, and most users will. We can't leave this like that.
We are ready to help finish this security feature. Who wants to talk about it?