Security Feature Not Functioning Correctly

Hi guys,

I’m having a problem with a security function embedded in CS-Cart. I’m using 4.0.3 and on random clicks anywhere on the site (not in the admin area, so probably my customers are getting that too) it uses this kind of “safe redirect” with a URL that looks like this:

Website Domain Names, Online Stores & Hosting - Domain.com



And that has happened to me even when I’m on the homepage without SSL (no https://) and I just click to a category… it gives me this and then it also takes me to a non-SSL URL.

I know this thing is always coming up when I try to use the “Theme Editor”. Other than that it appears at random times in random places whenever it feels like it…

I think with my limited knowledge that this is a security feature to prevent CSRF attacks but please… how can I turn it off completely if not fix it?

Also my config.local.php is like this:


[quote]
// Tweaks
$config['tweaks'] = array (
    'anti_csrf' => false, // protect forms from CSRF attacks
    'disable_block_cache' => false, // used to disable block cache
    'disable_localizations' => false, // Disable Localizations functionality
    'disable_dhtml' => false, // Disable Ajax-based pagination and Ajax-based "Add to cart" button
    'dev_js' => false, // is used to disable js files compilation
    'gzip_css_js' => true // gzip compiled css/js files
);
[/quote]

Not part of cs-cart, turn off addons till problem goes away.

Are you sure about that? Since I wrote that I found that this must be not a security key but a session key. I think it transfers the session when there is no other way to do it or something like that.

Have a look in

\app\controllers\backend\profiles.php Lines 224-241

and

\app\controllers\frontend\init.php Lines 22-36

It might be used to return a user to the cart (restoring their session) from an email link or other communication from the cart. But that would be for 1st access only. I.e. to return a user to a cart or to view an order when anonymous checkout is used. But it should not persist.
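The property the reply above describes, a restore key that is good for the first access only and does not persist, as an added PHP illustration that is not part of this thread or of CS-Cart's own code; the in-memory store, the function names, the one-hour lifetime and the sample session IDs are all assumptions made for the example:

```php
<?php
// Hypothetical one-time "session restore" key, written for illustration only.
// This is NOT CS-Cart's implementation: the store, key format, TTL and
// function names are assumptions made for this example.

declare(strict_types=1);

const RESTORE_KEY_TTL = 3600; // one hour, chosen for the example

/**
 * In-memory stand-in for a database table (a real store would persist it).
 * Layout: sha256(key) => ['session_id' => ..., 'expires' => unix time]
 */
$restoreKeys = [];

/**
 * Issue a key to embed in an email link. Only a hash of the key is kept
 * server-side, so a leaked table does not yield working links.
 */
function issueRestoreKey(array &$store, string $sessionId, ?int $now = null): string
{
    $now = $now ?? time();
    $key = bin2hex(random_bytes(32));            // 256 bits of entropy, URL-safe hex
    $store[hash('sha256', $key)] = [
        'session_id' => $sessionId,
        'expires'    => $now + RESTORE_KEY_TTL,
    ];
    return $key;
}

/**
 * Redeem a key presented in a URL. Returns the session id to restore, or
 * null if the key is unknown, already used, or expired. The entry is removed
 * as soon as it is found, so a key can never survive its first use.
 */
function redeemRestoreKey(array &$store, string $key, ?int $now = null): ?string
{
    $now  = $now ?? time();
    $hash = hash('sha256', $key);
    if (!isset($store[$hash])) {
        return null;                              // never issued, or already consumed
    }
    $entry = $store[$hash];
    unset($store[$hash]);                         // single use: consume before the expiry check
    if ($entry['expires'] < $now) {
        return null;                              // expired: refused, and gone anyway
    }
    return $entry['session_id'];
}

// Constructed walkthrough with fixed timestamps so the run is deterministic.
$key = issueRestoreKey($restoreKeys, 'sess_abc123', 1000000);

var_dump(redeemRestoreKey($restoreKeys, $key, 1000100));        // first use of the link
var_dump(redeemRestoreKey($restoreKeys, $key, 1000200));        // same link presented again
var_dump(redeemRestoreKey($restoreKeys, 'not-a-key', 1000200)); // key that was never issued

$late = issueRestoreKey($restoreKeys, 'sess_def456', 1000000);
var_dump(redeemRestoreKey($restoreKeys, $late, 1000000 + RESTORE_KEY_TTL + 1)); // link used after its lifetime
```

The design choice worth noting is that the store is updated before the expiry check, so a key is consumed on the first presentation whatever the outcome; once the session has been restored, the normal session cookie carries the visitor and the key in the URL is dead.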

Right now it seems to be fixed by enabling the persistent SSL. Once https visited keep it.

It seems this is caused when moving from http → https and vice versa…