
CSRF verification failed - invalid token received

  • 03-01-2015 1:22am
    #1
    Closed Accounts Posts: 1,065 ✭✭✭


    I started a Thread in the Talk to... Three Forum there and when I posted it, "CSRF verification failed - invalid token received" came up. I had a really long post written too. Kindly retrieve it and post this Thread at your earliest convenience as I didn't waste my time writing it for a laugh.


Comments

  • Registered Users Posts: 1,650 ✭✭✭Muppet Man


    Got the same error when I tried to log in with an ipad in boards.


  • Closed Accounts Posts: 1,065 ✭✭✭kissmequick


    I know, I had a huge big post written too like, it was quite annoying. :/ Oh well.


  • Boards.ie Employee Posts: 12,597 ✭✭✭✭✭Boards.ie: Niamh
    Boards.ie Community Manager


    Sorry, we cannot retrieve posts, there are no drafts saved. The 'Post Reply' page will time out after a certain amount of time (10 minutes I think) so if writing a very long reply to something, it's best to do it elsewhere and then copy and paste it into a new reply.


  • Registered Users Posts: 5 Harly


    oh, damn

    I just wasted 30 minutes on my long post, only for it to fail with: CSRF verification failed - invalid token received (timeout?)

    well done!


  • Boards.ie Employee Posts: 5,461 ✭✭✭✭✭Boards.ie: Mark
    Boards.ie Employee


    Hi Harly,

    Sorry for the inconvenience and disruption. The CSRF token only lives for so long - we don't have an exact number of minutes, but we imagine that 30mins would be close to or over the limit.


  • Registered Users Posts: 5 Harly


    Hi Harly,

    Sorry for the inconvenience and disruption. The CSRF token only lives for so long - we don't have an exact number of minutes, but we imagine that 30mins would be close to or over the limit.

    Wow, this sounds really strange to me. I lost a very long and detailed post about an issue that I wanted to post to Virgin Media's section here.

    But you guys really blow me away with such implementation.

    The main point of a CSRF token is that it can't have been sent from another site. So therefore it (a) can't be predicted or detected by an attacker, and (b) is not automatically attached to a request the way a cookie is.

    So theoretically if a CSRF token is never disclosed to third parties, again theoretically, you don't have to expire them at all. But then you run the risk of your token getting "leaked" somehow. So your expiry period really should be short enough to combat the prospect of a token getting out and being used against your user.

    There aren't really any guidelines, but a good solid technique is to auto-generate a new token on EVERY request which embeds a signed timecode, and then accept tokens up to a certain age.

    A sample function might be:

    concat(current_time,salt,sha256_sum(concat(salt,userid,current_time,secret_string)))
    The token contains timing information and a salt, but also contains a signature which can't be forged and which is tied to the userid.

    Then you can define your own expiry interval -- an hour, a day, 2 hours. Whatever. The interval in this case isn't tied to the token, so you're free to set expiry rules however you want to.

    At the very least, though, CSRF tokens should expire when the login session expires or when the user logs out. There's no expectation by the user that a form that you brought up BEFORE you logged out will continue to work AFTER you log back in again.

    ---
    All I'm saying is that 30 minutes is way too low. And if you really want to carry on with this nonsense, please put a countdown timer next to the post form, so nobody would lose their posts again.
    But who am I to even suggest you'd reconsider your CSRF token implementation here? I'm just a guy with 20 years of IT experience...

    Oh and while we're on the boards.ie subject here, I wanted to report that on Android neither of the following let me log in with Google Account: touch<dot>boards.ie, Android app v1 or Android app v2

    in fact on Android the situation is even worse because the app just crashes without even displaying a single error...

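An added example (not boards.ie's code and not Harly's) that implements the scheme sketched in the post above: a token that carries its issue time and a salt plus a signature tied to the user id, with the accepted age decided by the verifier rather than baked into the token. The secret, user ids and timestamps are constructed for illustration, and HMAC-SHA256 is used in place of a plain sha256 over a concatenation.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret for this example; a real deployment loads it from configuration.
SECRET = b"example-server-secret-do-not-reuse"
SALT_BYTES = 8


def _signature(salt: str, user_id: str, issued_at: int) -> str:
    # Keyed signature over salt, user id and issue time; cannot be forged without SECRET.
    msg = f"{salt}:{user_id}:{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_token(user_id: str, now: Optional[int] = None) -> str:
    # Token layout: <issued_at>.<salt>.<signature>, so the server stores nothing per token.
    issued_at = int(time.time()) if now is None else now
    salt = secrets.token_hex(SALT_BYTES)
    return f"{issued_at}.{salt}.{_signature(salt, user_id, issued_at)}"


def verify_token(token: str, user_id: str, max_age: int, now: Optional[int] = None) -> bool:
    # max_age is a server-side policy (an hour, a day, ...) and is not encoded in the token.
    now = int(time.time()) if now is None else now
    try:
        ts_str, salt, sig = token.split(".")
        issued_at = int(ts_str)
    except ValueError:
        return False  # malformed token
    # Check the signature first, in constant time, so a tampered timestamp is rejected.
    if not hmac.compare_digest(sig, _signature(salt, user_id, issued_at)):
        return False
    if issued_at > now:
        return False  # issued in the future: clock skew or tampering
    return now - issued_at <= max_age


if __name__ == "__main__":
    tok = make_token("user42")
    print(tok, verify_token(tok, "user42", max_age=3600))
```

Because the signature covers the user id, a token issued to one logged-in user is useless for another, and expiring it on logout only requires changing the user id (or a per-session value) that goes into the signature.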

  • Registered Users Posts: 5 Harly


    Also I wanted to report that when trying to log in with Facebook link on computer, it's giving me an error saying that the app hasn't been properly set up.

