Quoting Andrew Morgan <morgan@...>:
> How does the CSRF work? Maybe if I understood what was happening I
> could debug it further on my end.

A token is generated for the action being taken (separate tokens for
logout, compose, etc.). It is stored in the session, and also put into
the form data for the action. When the action is submitted, the token
has to be in the user's session and not expired.

The relevant code for your version is in imp/lib/IMP.php, in
getRequestToken and checkRequestToken.

Looking there now, it looks like the FW3/IMP implementation uses
seconds, not minutes, so you might check that. HOWEVER - the error
message your user is getting indicates that the token isn't in their
session at all, not that it has timed out. That's why I asked about
external auth or potential session resets.
-chuck
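
The scheme described in the reply above, sketched as an added example; it is not the IMP code in imp/lib/IMP.php and not part of the original message. The names `issueToken` and `verifyToken`, the `$session` array standing in for `$_SESSION`, and the 1800-second lifetime are assumptions. It keeps "token not in the session" and "token expired" as separate outcomes, which is the distinction the reply relies on.

```php
<?php
declare(strict_types=1);
// Added illustration: names and the lifetime are assumptions, not Horde/IMP
// identifiers. $session stands in for $_SESSION so this runs from the CLI.

const TOKEN_LIFETIME = 1800; // assumed value, in seconds (not minutes)

// Generate a token for one action and remember it in the session.
function issueToken(array &$session, string $action, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['csrf'][$action][$token] = $now; // token => issue time
    return $token;                            // goes into the form data
}

// Returns 'ok', 'missing' (not in this session) or 'expired' (too old).
function verifyToken(array $session, string $action, string $submitted, int $now): string
{
    if (!isset($session['csrf'][$action][$submitted])) {
        return 'missing';
    }
    $age = $now - $session['csrf'][$action][$submitted];
    return $age > TOKEN_LIFETIME ? 'expired' : 'ok';
}

$now = 1000000;                 // constructed clock value
$session = [];
$token = issueToken($session, 'compose', $now);

// Constructed scenarios: session state, action submitted, time of submit.
$cases = [
    'same session, 60 s later'        => [$session, 'compose', $now + 60],
    'same token, different action'    => [$session, 'logout', $now + 60],
    'same session, past the lifetime' => [$session, 'compose', $now + TOKEN_LIFETIME + 1],
    'session reset before submit'     => [[], 'compose', $now + 60],
];
foreach ($cases as $label => [$sess, $action, $when]) {
    printf("%-32s %s\n", $label, verifyToken($sess, $action, $token, $when));
}
```

A `missing` result points at the session itself (a reset, a new session, or a token issued for another action); only `expired` is affected by the lifetime setting and its unit.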