Access denied: CSRF attack?


Posted 06 November 2011 - 05:02 PM #1

Well, just for fun I thought I would increase store security a bit by turning on this switch in config.local.php:

'anti_csfr' => false, // protect forms from CSFR attacks (experimental)

'anti_csfr' => true, // protect forms from CSFR attacks (experimental)

That was a couple days ago, and I don't remember if I logged back in since as the Admin (or if I ever logged out, to be honest), but this morning when I tried to log in, instead of the admin panel I got this message in an otherwise blank page:

Access denied: CSRF attack

So I wonder now if:

Is anyone here using this successfully? And how?

I know it says "experimental" and all, but a more secure site is a good thing to have.

Any advice appreciated!

(BTW, I was able to log in once I turned it back to "false")

  • Struck
  • Teetering on Genious
  • Members
  • Join Date: 07-Mar 09
  • 2502 posts

Posted 06 November 2011 - 11:25 PM #2

Access denied: CSRF attack

Thank you StoreKeeper for being the absolute 1st Beta Tester of this new feature & actually reporting back your results!

At least I now know to not trigger this experimental setting for awhile longer! :D
Cooking with Gas on Version 4.1.2 (But proceeding with caution....)

  • Darius
  • Douchebag
  • Members
  • Join Date: 20-Apr 08
  • 3372 posts

Posted 07 November 2011 - 08:06 AM #3

Don't touch if it's not broken! :)

You should never play with beta stuff on a live store...

  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11797 posts

Posted 07 November 2011 - 07:04 PM #4

It's been a tweak setting for forever. You'd think the QA department would have tested it or had it removed if not...
