QUESTION CSRF detected!
#7
Most of that is wrong. This is GS's CSRF detection; it has nothing to do with an actual CSRF or server or browser interception.
It simply means that the nonce we sent on the page has expired or no longer matches the one we generate. A nonce is not really a nonce in GS, since we use stateless sessions, but is calculated based on some predictable stuff. (A nonce is a use-once token, to prevent action replays or hijacks; ours is not really a nonce but a nonce good for 1-2 hours.)

$hash=sha1($action.$file.$uid.$USR.$SALT.$time);

If your HTTP user agent changes during, it breaks; if your php_self is calculated wrong, it breaks; if it expires (1-2 hours), it breaks.


I have an issue to deal with this in a somewhat better manner to at least not lose data.
https://github.com/GetSimpleCMS/GetSimpl...ssues/1014

And there are also some fixes in 3.4, such as settable timeouts etc.

Browsers are good at preserving textareas, but CKEditor and other JS stuff is sometimes lost.

It might be easier to just turn this off if you encounter it or are rapidly developing or are local and do not care, or have enhanced ip restrictions in apache for example.

In gsconfig.php:

# Turn off CSRF protection. Uncomment this if you keep receiving the error message "CSRF error detected..."
#define('GSNOCSRF', TRUE);
- Shawn A aka Tablatronix
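The stateless, time-limited token described in the post above can be sketched as follows. This is an added example, not part of the original post and not GetSimple's own code: the function names, the hour-bucket scheme and all sample values are assumptions; only the list of hashed fields comes from the post.

```php
<?php
// Added illustration, not GetSimple's source. Function names and the
// hour-bucket scheme are assumptions; the hashed fields follow the post.

const BUCKET_SECONDS = 3600; // assumed: one token "generation" per hour

function make_token(string $action, string $file, string $uid,
                    string $usr, string $salt, int $now): string
{
    // Stateless: nothing is stored server-side, the token is recomputed on demand.
    // $uid is modelled as the user agent, since the post says a UA change breaks it.
    $time = intdiv($now, BUCKET_SECONDS);
    return sha1($action . $file . $uid . $usr . $salt . $time);
}

function check_token(string $sent, string $action, string $file, string $uid,
                     string $usr, string $salt, int $now): bool
{
    // Accept the current bucket and the previous one, so a token lives
    // between one and two hours depending on when in the hour it was issued.
    foreach ([$now, $now - BUCKET_SECONDS] as $t) {
        if (hash_equals(make_token($action, $file, $uid, $usr, $salt, $t), $sent)) {
            return true;
        }
    }
    return false;
}

// Constructed sample values.
$salt   = 'constructed-salt-value';
$issued = 1456268400; // constructed timestamp, start of an hour bucket
$ua     = 'Mozilla/5.0 (constructed)';
$token  = make_token('save', '/admin/edit.php', $ua, 'admin', $salt, $issued);

$cases = [
    'same request, 30 minutes later'   => ['/admin/edit.php', $ua, $issued + 1800],
    'same request, 2.5 hours later'    => ['/admin/edit.php', $ua, $issued + 9000],
    'user agent changed'               => ['/admin/edit.php', 'OtherAgent/1.0', $issued + 60],
    'script path computed differently' => ['/edit.php', $ua, $issued + 60],
];
foreach ($cases as $label => [$file, $uid, $now]) {
    $ok = check_token($token, 'save', $file, $uid, 'admin', $salt, $now);
    printf("%-34s %s\n", $label, $ok ? 'accepted' : 'CSRF detected');
}
```

Only the first case is accepted; the other three recompute a different hash, which is the condition the post says produces the "CSRF detected" message.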


Messages In This Thread
CSRF detected! - by Charpy1 - 2016-02-23, 18:38:27
RE: CSRF detected! - by Bigin - 2016-02-23, 19:03:48
RE: CSRF detected! - by shawn_a - 2016-02-23, 23:05:45
RE: CSRF detected! - by jwzumwalt - 2016-02-24, 01:57:14
RE: CSRF detected! - by Bigin - 2016-02-24, 02:12:59
RE: CSRF detected! - by jwzumwalt - 2016-02-24, 03:06:28
RE: CSRF detected! - by shawn_a - 2016-02-24, 03:15:32
RE: CSRF detected! - by jwzumwalt - 2016-02-24, 04:02:48
RE: CSRF detected! - by jwzumwalt - 2016-03-24, 13:37:13
RE: CSRF detected! - by Charpy1 - 2016-02-24, 06:58:16
RE: CSRF detected! - by Bigin - 2016-02-24, 07:19:22
RE: CSRF detected! - by jwzumwalt - 2016-02-24, 09:15:54
RE: CSRF detected! - by shawn_a - 2016-02-24, 07:33:29
RE: CSRF detected! - by Bigin - 2016-02-24, 17:18:20
RE: CSRF detected! - by shawn_a - 2016-02-25, 00:13:36


