XF 2.1 Login from outside XF - "Security error occurred. Please press back, refresh the page, and try again."

robart

Member
Hi there,

So we have a modal pop-up on another CMS where we log in the user to XF (and our CMS via a bridge). This worked perfectly on XF 2.0 but when we upgraded to XF 2.1 it's no longer working.

The modal POSTS to xf.domain.com/login/login

We have an XF API end-point to get a proper _xfToken that we insert <input type="hidden"> into the form, and we have inputs for login and password.


Is anyone aware if 2.1 introduced anything that would change this? Any other security precautions that would prevent what worked in 2.0 from working in 2.1?

I know upgrading to 2.2 with the new endpoints can solve this but unfortunately I won't be able to immediately.

Thanks
 
Last edited:
Is anyone aware if 2.1 introduced anything that would change this? Any other security precautions that would prevent what worked in 2.0 from working in 2.1?
Indeed, this was changed for security reasons in 2.1.11:


It's a bit of an edge case, though some browser changes have made it somewhat more easily triggered. However, given that we know there are some legitimate uses (like this), there's a src/config.php option to disable it:

Code:
$config['enableLoginCsrf'] = false;
 
I have the same problem, using the last version of Xenforo. @Mike I have tried your solution, but to me furthermore haven't fixed the issue.
After I add this line to the config, it has worked for a while and then the problem come again. So the login from the home page some moment works and in some other not giving me the same message. This seems that succeed only in the home page connecting by mobile and not from desktop.
Have you some idea or solution?
 
Back
Top Bottom