Access denied: CSRF attack ?

storekeeper · November 6, 2011, 12:00am

Well, just for fun I thought I would increase store security a bit by turning on this switch in config.local.php:

'anti_csfr' => false, // protect forms from CSFR attacks (experimental)

to

'anti_csfr' => true, // protect forms from CSFR attacks (experimental)

That was a couple days ago, and I don't remember if I logged back in since as the Admin (or if I ever logged out, to be honest), but this morning when I tried to login instead of the admin panel I got this message in a otherwise blank page:

[indent]

Access denied: CSRF attack[/indent]

So I wander now if:

[indent]Is anyone here using this successfully? And how?[/indent]

I know it says “experimental” and all, but a more secure site is a good thing to have.

Any advice appreciated!

[size=“1”]

(BTW, I was able to login once I turned it back to “false”)[/size]

struck · November 6, 2011, 12:00am

[quote]Access denied: CSRF attack[/quote]

Thank you StoreKeeper for being the absolute 1st Beta Tester of this new feature & actually reporting back your results!

At least I now know to not trigger this experimental setting for awhile longer!

darius · November 7, 2011, 12:00am

Don’t touch if its not broken!

You should never play with beta stuff on live store…

tbirnseth · November 7, 2011, 12:00am

It's been a tweak setting for forever. You'd think the QA department would have tested it or had it removed if not…