[RFC] Modifying the confirm box system

Note: We are moving the topics of this forum and it will be deleted at some point

Publish your own request for comments/change or patches for the next version of phpBB. Discuss the contributions and proposals of others. Upcoming releases are 3.2/Rhea and 3.3.
Post Reply
User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

[RFC] Modifying the confirm box system

Post by EXreaction » Sat Jul 24, 2010 4:26 pm

Reason
Confirm box only works for the very last task you opened it with, so opening multiple pages with confirm boxes (such as attempting to delete a few things at one time) causes a number of problems. On some pages it gives completely random error messages, such as "Sorry but you may only delete posts which have not been replied to." or "Sorry but you can only delete your own posts." when the messages are not true.

How it could be fixed
Do not regenerate tokens for every action (just regularly).
  • This method is probably the easiest, but would not be quite as secure
Use a separate table to store the tokens
  • The most work, but there should be no loss in security

User avatar
igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC] Modifying the form token system

Post by igorw » Sat Jul 31, 2010 10:06 pm

The token as generated by add_form_key is actually not stored in any table. It uses the SID and a user-specific random salt.

Code: Select all

$now = time();
$token_sid = ($user->data['user_id'] == ANONYMOUS && !empty($config['form_token_sid_guests'])) ? $user->session_id : '';
$token = sha1($now . $user->data['user_form_salt'] . $form_name . $token_sid);
The deciding factor here is the time span which a form is active for. This value is stored in $config['form_token_lifetime'] and is configurable in the security settings of the ACP under "maximum time to submit forms".

The above applies to add_form_key and check_form_key. If you meant confirm_box, please be more specific. :)

User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: [RFC] Modifying the form token system

Post by EXreaction » Sat Jul 31, 2010 10:59 pm

Hmm, I appear to have mixed up a few things when I wrote this.

Yes, the confirm_box is the problem (corrected the first post)

User avatar
igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC] Modifying the confirm box system

Post by igorw » Sun Aug 01, 2010 9:20 am

Ah, I agree that this greatly hurts usability. Option A would probably be best implemented using add_form_key.

A third alternative would be to use AJAX with a JS modal, forcing the user to confirm right away and making the whole experience faster.

Post Reply