#5889 - CSRF tokens broken
0 guests and 0 members have recently viewed this.
Leader-board Top Weekly Earners
The top 3 point earners from 30th Nov 2025 to 7th Dec 2025.
| Gabri |
|
 |
|---|---|---|
| PDStig |
|
  |
| Adam Edington |
|
 |
Coming soon…
There are no events at this time
Statistics
| Forum statistics: | Birthdays: |
|---|
The recent release of 10.0.49 broke CSRF tokens for AJAX requests (such as rating content and changing your password).
This is because Composr was using your Session ID cookie as the CSRF token, retrieved via JavaScript. This can no longer be done due to the new strict security (HttpOnly) on session cookies.
This patch adds a new hidden input field on every page containing the CSRF token, which can be retrieved via JavaScript, unlike a session cookie.
This patch also deprecates the JavaScript function get_session_id() (it now throws a console error). This can no longer be used due to the new cookie security settings. And there are no secure workarounds for this. As a consequence, keep_stub() will NOT include your session via keep_session anymore unless it already exists in the URL.
After applying this patch, you will need to edit all your themes GLOBAL_HTML_WRAP and GLOBAL_HTML_WRAP_* files and add the following to the bottom just before </body>:
<input type="hidden" id="g-post-tkn" value="{$CSRF_TOKEN}">
Then clear your template and block caches.
If you don't, then you will still get token errors.