Friendly message at possible CSRF attack


MarijnKampf

Community Member, 176 Posts

15 January 2011 at 4:38am

A client of one of my clients reported a "Security token doesn't match, possible CSRF attack." message when trying to submit a user generated form. As there is nothing wrong with the form, I suspect that their session timed out and hence they received the error.

I've now added Form::disable_all_security_tokens(); in the _config.php which means that the timeout should no longer occur. However, I'm wondering what potential security holes this leaves open?

Would it be possible to replace the message "Security token doesn't match, possible CSRF attack." with something friendlier? Ideally a message saying 'Your session timed out, click here to go back to your form and submit again', with a link that takes the user back to the completely filled out form. All they then have to do is re-submit and everyone is happy.

Tama

Community Member, 138 Posts

22 February 2011 at 9:59am

I'm also interested in this.

We've just had a user get in touch about this message.

Marijn - have you made any progress with this? I don't want to alienate our users but I don't want to open our website to attack.

Cheers
Tama

MarijnKampf

Community Member, 176 Posts

23 February 2011 at 6:49am

Hi Tama,

I haven't done anything other than disable the CSRF check. I would have hoped for a bit more detailed discussion on this issue.

Marijn.

quanto

Community Member, 91 Posts

25 February 2011 at 9:40pm

I also get the same error. I'm not sending it from the contact-template, but from a (self-made) contactform on another page. Is it possible to send it from there, or could I only send this from the form-specific Layout?

JonoM

Community Member, 130 Posts

29 April 2011 at 12:57pm

Hello, I'm having this problem too. I don't really understand what a CSRF attack is but I guess I don't want to open my site to one! I have a custom form which is quite long so it causes users a fair amount of stress when it doesn't submit properly, I guess because their session timed out?

How unsafe is it to disable security tokens for forms?

Is there a different solution, like could I increase how long a security token / session lasts for somehow? I thought a session was supposed to last until a browser was closed so I don't really understand how this problem is happening. Does putting your computer to sleep or something like that also expire a session?

Thanks

JonoM

Community Member, 130 Posts

30 April 2011 at 2:23pm

It seems if cookies aren't enabled in a visitor's browser this error will happen as well - so it's possible that could be the cause of my problems. I've tried to detect cookie support and show or hide the form based on that in case that's the cause (code below).

** I'd still like to know if a form expires after a certain amount of time - does anyone know the answer to that? **

Cheers

Controller
========

// True when the browser did not send back the PHP session cookie,
// i.e. cookies are disabled or this is the visitor's first request.
public function CookiesUncertain() {
	return (!Cookie::get('PHPSESSID'));
}

========
Template
========

<% if CookiesUncertain %>
	<div class="warning">
		<p>We couldn't determine if cookies are enabled in your browser - please <a href="$Link">reload this page</a> so we can confirm. If the message disappears all is well! If you can still see this message then you will either need to enable cookies in your browser or switch to a different browser before you can fill out this form.</p>
	</div>
<% else %>
	$EnquiryForm
<% end_if %>

p.s. haha went to submit this reply and what do you know - got the message 'Security token doesn't match, possible CSRF attack.' Think Marijn's solution sounds ideal, any chance of seeing this happen?
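Taking Marijn's opening request (a friendly "your session timed out, click to get your completed form back" message) together with the cookie check above, here is an added, framework-independent PHP sketch of what sits behind the token mismatch. It is not SilverStripe's Form code and not code from any poster in this thread. It separates the three situations that produce the same error (no session cookie at all, a session that expired between render and submit, and a token that simply differs) and recovers from the expired case without disabling the token check. The function names and the `enquiry_draft` session key are hypothetical; `SecurityID` is the name SilverStripe gives its hidden token field.

```php
<?php
// Added example, not SilverStripe or any poster's code: a framework-independent
// sketch of the three situations behind "Security token doesn't match" and a
// friendlier way to recover. Function names and the session key are hypothetical;
// 'SecurityID' is the name SilverStripe uses for its hidden token field.

session_start();

const TOKEN_FIELD = 'SecurityID';
const SAVED_INPUT = 'enquiry_draft'; // hypothetical session key for a saved draft

// Issue a per-session token once and keep it server-side for later comparison.
function securityToken(): string
{
    if (empty($_SESSION[TOKEN_FIELD])) {
        $_SESSION[TOKEN_FIELD] = bin2hex(random_bytes(16));
    }
    return $_SESSION[TOKEN_FIELD];
}

// Classify a POST as 'ok', 'no-cookie', 'expired' or 'mismatch'.
function checkSubmission(array $post, array $cookies): string
{
    if (!isset($cookies[session_name()])) {
        // The browser never sent our session cookie: cookies are disabled or
        // blocked, so no token can ever match (the case the template above catches).
        return 'no-cookie';
    }
    if (empty($_SESSION[TOKEN_FIELD])) {
        // Cookie present but the server-side session is gone (timeout or GC):
        // the form the user is holding is stale, not hostile.
        return 'expired';
    }
    $sent = is_string($post[TOKEN_FIELD] ?? null) ? $post[TOKEN_FIELD] : '';
    // Constant-time comparison so the check does not leak the token byte by byte.
    return hash_equals($_SESSION[TOKEN_FIELD], $sent) ? 'ok' : 'mismatch';
}

// HTML-escape a submitted value; anything that is not a string becomes empty.
function h($value): string
{
    return htmlspecialchars(is_string($value) ? $value : '', ENT_QUOTES, 'UTF-8');
}

// Render the form, pre-filled from $values, with a fresh token for this session.
function renderForm(array $values = []): string
{
    return '<form method="post" action="">'
        . '<input type="hidden" name="' . TOKEN_FIELD . '" value="' . h(securityToken()) . '">'
        . '<input name="Name" value="' . h($values['Name'] ?? '') . '">'
        . '<textarea name="Message">' . h($values['Message'] ?? '') . '</textarea>'
        . '<button>Send</button></form>';
}

// Turn the classification into a response the user can act on.
function handleSubmission(array $post, array $cookies): string
{
    switch (checkSubmission($post, $cookies)) {
        case 'ok':
            unset($_SESSION[SAVED_INPUT]);
            // ... process the enquiry here ...
            return '<p>Thanks, your enquiry was sent.</p>';
        case 'no-cookie':
            return '<p>This form needs cookies enabled. Please enable them and '
                 . '<a href="">reload the form</a>.</p>';
        case 'expired':
            // Keep what was typed so one click brings back the completed form.
            // Nothing is processed: the user must resubmit with a fresh token.
            $draft = $post;
            unset($draft[TOKEN_FIELD]);
            $_SESSION[SAVED_INPUT] = $draft;
            return '<p>Your session timed out. <a href="">Click here</a> to go back '
                 . 'to your completed form and submit it again.</p>';
        default:
            // A live session whose token differs from the one submitted: reject.
            http_response_code(400);
            return '<p>The form could not be verified. Please '
                 . '<a href="">go back</a> and try again.</p>';
    }
}

// GET renders (restoring any saved draft); POST validates and responds.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    echo handleSubmission($_POST, $_COOKIE);
} else {
    echo renderForm($_SESSION[SAVED_INPUT] ?? []);
}
```

The point of the 'expired' branch is that it only stores the submitted fields and re-presents the form; it never acts on them. A request that arrives after the session has lapsed therefore produces, at most, a pre-filled form that the user has to look at and submit again with a token issued to their live session, so the friendlier message does not weaken the check the way `Form::disable_all_security_tokens()` does. In a SilverStripe site the same branching would live in the form's submission handler rather than in a page-level dispatch like this.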

JonoM

Community Member, 130 Posts

13 May 2011 at 1:56pm

I'm still having reports of users repeatedly getting the "Security token doesn't match, possible CSRF attack." message. Since I've put in a measure to make sure cookies are enabled I can't understand why this is happening or how to fix it.

Does anyone know what exactly can trigger the "Security token doesn't match, possible CSRF attack" error and how to avoid this? Please?

Willr

Forum Moderator, 5523 Posts

13 May 2011 at 5:15pm

You can pretty safely disable the security tokens for most forms. We have disabled it for search forms and some other low-criticality contact forms which have captchas etc. If you are dealing with users who aren't logged in, there isn't much that can happen, but I'm not fully aware of all the crazy methods the kids use these days.
