CSRF check failed

New Member Joined: Sep 20, 2009 Posts: 4 Location: España

hi
Select an avatar when I get this failure can you tell me how to solve

thanks

CSRF check failed. Please enable cookies.
If the problem persists, please contact the server/website administrator

Posted: Sun Sep 20, 2009 3:18 pm

Are your cookies turned on in your browser?

Posted: Mon Sep 21, 2009 9:27 am

I am having the same issue as well.

I am building a website for a WoW guild and most everything is working great.

The problem arises when a user goes to select a different avatar from the gallery with the Avatar Control Panel under Your Account/Change Info they get the same error message as above:

CSRF check failed. Please enable cookies.
If the problem persists, please contact the server/website administrator

Site specifics:

Apache version 2.2.11 (Unix)
PHP version 5.2.10
MySQL version 5.0.81-community
Architecture x86_64
Operating system Linux
Site URL - Only registered users can see links on this board! Get registered or login!

I installed RN v2.4 and Nuke Sentinel verbatim with the installation instructions located on the wiki.

I have tried both IE and Mozilla Firefox with cookies enabled and privacy/security settings as low as possible and get the same error with both browsers.

Thanks in advance

Posted: Mon Sep 21, 2009 10:35 am

OK we will look into this and get back to you ASAP.

Thank you for letting us know.

registered · Posted: Tue Sep 22, 2009 6:53 am

I couldn't get to looking at it yesterday. Hopefully I can this evening. We know what the issue is.

Posted: Tue Sep 22, 2009 7:15 am

Not a problem, everything else works so great I don't think anyone has even noticed the lack of avatars Smile

Thanks for the update though, much appreciated.

Posted: Wed Sep 23, 2009 10:17 pm

Ok, try this:

=== OPEN FILE ===

modules/Your_Account/index.php

=== MOVE THIS LINE ===

case 'avatarsave':

=== IN BETWEEN HERE LIKE THIS (i.e., move it up) ===

case 'saveactivate':
case 'avatarsave':
case 'userinfo':

=== DONE ===

I still need to make sure there isn't anything else being maintained by the avatarsave, but from my initial review, I see no reason to protect against an avatar being changed to something else within the Gallery... not real CSRF issue IMO. Just an annoyance.

Give this a go and see if it works for you.

Posted: Thu Sep 24, 2009 12:09 am

Montego. I agree with you and I am gonna test it. I didnt know changing an avatar was an issue. I hope we get rid of this problem soon. I will check it out.

Edited:

Problem is solved Montego. The problem was that line which was causing avatar breaking. Thanks a lot Montego. Wink

Posted: Thu Sep 24, 2009 1:22 am

Posted: Thu Sep 24, 2009 6:28 am

Fixed for me also, thanks !

I second the RavensScripts

Posted: Thu Sep 24, 2009 5:30 pm

Excellent. I will commit that change to our code repository later tonight.

New Member Joined: Sep 25, 2009 Posts: 4

I'm having the same issue on my website. I just installed your latest RavenNuke, updated my theme and when I go to change the message on the front page of my website (www.eidolon-legion.com) I get that message. (the message, not the news module)

edit:
Its happening when I go to submit news to my website also.

Quote:

CSRF check failed. Please enable cookies.
If the problem persists, please contact the server/website administrator

Posted: Fri Sep 25, 2009 12:54 pm

If the link you provided is still running 2.4 with CSRF active then you have a problem. I do not see the tokens added to any of the forms have you disabled the csrf protection?

Posted: Fri Sep 25, 2009 1:04 pm

I did not even know about CSRF Protection. I just took over the site from a friend, and went ahead and updated it to 2.4 (I did not know the version he was using, so felt it was best to just update).

I completed the update not long ago this morning, changed the theme and then ran into that error.

How do I disable the CSRF Protection? (checking forums and google as you read this most likely)

Posted: Fri Sep 25, 2009 1:42 pm

at the bottom of rnconfig.php

Code:

$disableCSRFChecking = true; // Set to "true" in order to disable Cross-Site Request Forgery (CSRF) attack protection - should ONLY use as a last resort if your environment does not allow for output buffering

Posted: Fri Sep 25, 2009 1:44 pm

Well it would appear that output buffering is not working on your site. Go into your forum admin and you should see a phpinfo tab. Go there and see if output buffering is enabled. Also what version of PHP are you running?

I would advise against it, but if you want to just diable CSRF protection then go into rnconfig.php in the root of the site. Near the bottom you need to set disable CSRF to TRUE.

Posted: Fri Sep 25, 2009 2:04 pm

Check out the rnconfig.php file.

Posted: Fri Sep 25, 2009 2:06 pm

I knew I should of refreshed before posting, got distracted! Laughing

Posted: Sat Sep 26, 2009 1:06 pm

Yes, output buffering is required. Although the following FAQ is for a different error message, the fix is the same:

http://www.ravenphpscripts.com/faq-2-.html#17

Posted: Tue Sep 29, 2009 6:35 pm

Yes I read this forum and it did fix mine as well thank you Raven Scripts! RavensScripts

Posted: Wed Sep 30, 2009 5:03 pm

perfect, problem solved if you stop now Select avatar.
thanks for the help

Worker Joined: Jul 06, 2005 Posts: 172

I applied this fix to my Your_Account/index.php

Now I get this when users try to change avatar:

There was an error when we tried to save your Avatar: Wrong avatar format! Avatars can only be gif, jpg, or png format.

All of the files displayed in the gallery are .jpg and .gif. Any idea what the problem is?

registered · Posted: Wed Nov 18, 2009 3:45 pm

If you are using 2.4 and not 2.4 rc1, you should not need apply this fix. It should work fine as is.

Posted: Wed Nov 18, 2009 4:12 pm

I believe I am using RC1. I'll begin upgrading. Were there any changes in the db from RC1 to release? Or just the files?

Posted: Wed Nov 18, 2009 4:46 pm

Just files