[RFC] Modifying the confirm box system

EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

[RFC] Modifying the confirm box system

Post by EXreaction »

Reason
Confirm box only works for the very last task you opened it with, so opening multiple pages with confirm boxes (such as attempting to delete a few things at one time) causes a number of problems. On some pages it gives completely random error messages, such as "Sorry but you may only delete posts which have not been replied to." or "Sorry but you can only delete your own posts." when the messages are not true.

How it could be fixed
Do not regenerate tokens for every action (just regularly).
  • This method is probably the easiest, but would not be quite as secure
Use a separate table to store the tokens
  • The most work, but there should be no loss in security

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC] Modifying the form token system

Post by igorw »

The token as generated by add_form_key is actually not stored in any table. It uses the SID and a user-specific random salt.

Code:

// Timestamp that goes into the hidden creation_time field and into the hash.
$now = time();
// The session id is only mixed in for guests, and only if the ACP option enables it.
$token_sid = ($user->data['user_id'] == ANONYMOUS && !empty($config['form_token_sid_guests'])) ? $user->session_id : '';
// Stateless token: nothing is stored server-side; it is re-derived on submit from creation_time.
$token = sha1($now . $user->data['user_form_salt'] . $form_name . $token_sid);

The deciding factor here is the time span which a form is active for. This value is stored in $config['form_token_lifetime'] and is configurable in the security settings of the ACP under "maximum time to submit forms".

The above applies to add_form_key and check_form_key. If you meant confirm_box, please be more specific. :)

EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: [RFC] Modifying the form token system

Post by EXreaction »

Hmm, I appear to have mixed up a few things when I wrote this.

Yes, the confirm_box is the problem (corrected the first post).

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC] Modifying the confirm box system

Post by igorw »

Ah, I agree that this greatly hurts usability. Option A would probably be best implemented using add_form_key.

A third alternative would be to use AJAX with a JS modal, forcing the user to confirm right away and making the whole experience faster.
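A Python model of the stateless add_form_key/check_form_key scheme igorw describes above, and of why it fits option A (tokens issued for several open pages stay valid side by side). This is an added example, not phpBB's own code; the per-user salt, lifetime and timestamps are constructed, and the hidden-field names creation_time and form_token are assumed to match phpBB's form.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for $user->data['user_form_salt'] (assumption: a random per-user secret).
USER_FORM_SALT = secrets.token_hex(16)
# Mirrors $config['form_token_lifetime'] ("maximum time to submit forms"), in seconds.
FORM_TOKEN_LIFETIME = 7200


def add_form_key(form_name, now, salt=USER_FORM_SALT, token_sid=""):
    """Stateless token as in the post: sha1(time . user_form_salt . form_name . token_sid).

    Nothing is written to a table; the values placed in the hidden fields
    (creation_time and form_token) are all the server needs to re-derive it.
    """
    token = hashlib.sha1(f"{now}{salt}{form_name}{token_sid}".encode()).hexdigest()
    return {"creation_time": str(now), "form_token": token}


def check_form_key(form_name, fields, now, lifetime=FORM_TOKEN_LIFETIME,
                   salt=USER_FORM_SALT, token_sid=""):
    """Recompute the token from the submitted creation_time and compare in constant time.

    Rejects a missing or malformed creation_time, a creation_time in the future,
    a token older than `lifetime` seconds, and any token that does not match this
    form_name/salt/sid. Because each token is derived from its own creation time,
    issuing a new one never invalidates an earlier one.
    """
    try:
        creation_time = int(fields["creation_time"])
    except (KeyError, TypeError, ValueError):
        return False
    age = now - creation_time
    if age < 0 or age > lifetime:
        return False
    expected = add_form_key(form_name, creation_time, salt, token_sid)["form_token"]
    return hmac.compare_digest(expected, str(fields.get("form_token", "")))


def two_pages_open_at_once(now=1_700_000_000):
    """Scenario from the first post: two confirm pages opened seconds apart, both submitted later."""
    first = add_form_key("delete_post", now)
    second = add_form_key("delete_post", now + 5)  # does not invalidate `first`
    submit_at = now + 60
    return (check_form_key("delete_post", first, submit_at),
            check_form_key("delete_post", second, submit_at))
```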
