
Fixed styleid URLs require token?

Discussion in 'Resolved Bug Reports' started by Jake Bunce, Nov 20, 2010.

  1. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

  2. Brogan

    Brogan XenForo Moderator Staff Member

  3. Russ

    Russ Well-Known Member

    What's the correct way for users logged in? I know the style chooser is there for a reason but I'm working on something else that may need manual links to other styles logged in/out.
     
  4. Mike

    Mike XenForo Developer Staff Member

    This is entirely intentional - anything that changes the user state shouldn't be available via GET, unless it's protected by a user-specific token. It's effectively a CSRF issue.

    I'm not sure what the best option is.
     
  5. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Oh I didn't realize it changes the user preference. I am used to vB where it writes a browser cookie.
     
  6. Mike

    Mike XenForo Developer Staff Member

    Either way, it significantly changes what the user may see - and as a GET request, it could be embedded as an image, which would be really confusing.
     
    Jake Bunce likes this.
  7. Mike

    Mike XenForo Developer Staff Member

    This doesn't error any more, and acts as a confirmation page instead.
     
    Jake Bunce, Luke F and Russ like this.
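
The behaviour described in the posts above (a GET that changes user state must carry a user-specific token, and without one the request lands on a confirmation page instead of applying the change), as an added Python sketch that is not XenForo's code and not part of any post. The handler, the `style_id` and `token` parameter names, and the secret are hypothetical.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # assumption: a per-site secret


def user_token(user_id, session_id):
    """Token bound to one user and session, so another site cannot guess it."""
    msg = f"{user_id}:{session_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def handle_style_request(method, params, user, prefs):
    """Hypothetical style-switch handler. Returns (http_status, action)."""
    try:
        style_id = int(params.get("style_id", ""))
    except ValueError:
        return 400, "bad_request"

    expected = user_token(user["id"], user["session"])
    supplied = params.get("token", "")
    # Constant-time comparison; bytes on both sides avoids a TypeError
    # when the supplied value contains non-ASCII characters.
    token_ok = hmac.compare_digest(expected.encode(), supplied.encode())

    if not token_ok:
        if method == "GET":
            # A link or embedded image from another site ends up here:
            # nothing is changed, and the user is shown a confirmation
            # form that POSTs the same style_id together with their token.
            return 200, "confirm_page"
        return 403, "rejected"

    prefs[user["id"]] = style_id  # the state change, only reached with a valid token
    return 303, "style_changed"


if __name__ == "__main__":
    user = {"id": 7, "session": "constructed-session-id"}  # constructed sample
    prefs = {7: 1}
    print(handle_style_request("GET", {"style_id": "2"}, user, prefs), prefs)
    good = {"style_id": "2", "token": user_token(7, "constructed-session-id")}
    print(handle_style_request("GET", good, user, prefs), prefs)
```
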
  8. kingston

    kingston Well-Known Member

    Is there any way for us to mod the page so it auto accepts the style? (and in our part accepting the inherent risk?)
     
  9. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Yes it's possible. That would be a Development Question or Add-on Request.
     
  10. kingston

    kingston Well-Known Member

    That may have been a bit tongue in cheek. I just funded three big add-ons (IMO). Trophy Promotions, Mass Alerts, and Duplicate IP check for multiple users.
     
