
Setting up courier rates. Too many "Possible Cross-Site Request Forgery (CSRF)." alerts


cubicsquare

Hi there,

I'm trying to set up courier rates, but all my input keeps being undone when I save it, and I end up with the following alert:

"Security Alert: Possible Cross-Site Request Forgery (CSRF). Please do not use multiple tabs/windows or the browser back button. Learn more."

 

Even when I have just one tab open. Even when I log out and log back in. Even when I restart the computer.

It's preventing me from inputting courier rates via the All-in-One Shipping extension (which I otherwise love, btw).

 


I think that happens when the security token, included as one of the form's submitted elements, is not seen by CubeCart.

This can happen if there are many, many, many data items being saved. It is known that when the AIOS module adds another shipping zone, and adds more shipping rules per zone, the number of form elements that get POSTed increases exponentially.

Thus, eventually the number of form element data items in the POST hits the 1000-count limit imposed by PHP.

Please see the following issues on GitHub:

https://github.com/cubecart/v6/issues/1550
https://github.com/cubecart/v6/issues/1500
https://github.com/cubecart/v6/issues/2391
https://github.com/cubecart/v6/issues/365

 


Thanks, guys. Is there any workaround I can implement as a mere end user? I was hoping for something I could tweak directly, as Al Brookbanks suggested. However, I don't know how to do that specific tweak, and it looks like a database tweak, which creeps me out. Do you have a foolproof step-by-step guide to do it?


The PHP setting 'max_input_vars' can be easily set by the user in either of two places: the .htaccess file, or a special .user.php file.

I do not know if any web server other than Apache will honor a PHP directive in the .htaccess file, but to do this:

Using a programmer's text editor, add the following statement at the end of the file:

php_value max_input_vars 25000

If your hosting provider offers you a control panel to manage your site, there will be a File Manager, and within that tool will be a means to edit files.

To see if the directive was honored by the web server and thus instructed PHP to use this value, in admin, PHP Info (bottom of the Nav panel), scroll to the Core table and note the value for 'max_input_vars'.


Just now, bsmither said:

The PHP setting 'max_input_vars' can be easily set by the user in either of two places: the .htaccess file, or a special .user.php file.

I do not know if any web server other than Apache will honor a PHP directive in the .htaccess file, but to do this:

Using a programmer's text editor, add the following statement at the end of the file:

php_value max_input_vars 25000

If your hosting provider offers you a control panel to manage your site, there will be a File Manager, and within that tool will be a means to edit files.

To see if the directive was honored by the web server and thus instructed PHP to use this value, in admin, PHP Info (bottom of the Nav panel), scroll to the Core table and note the value for 'max_input_vars'.

Can it? Not all hosts allow these settings to be changed. Worth a go though. 🤞


Then either your Apache web server is not controlling PHP, or your site is using a web server that is something other than Apache.

Therefore, remove that statement from .htaccess.

Instead, let's try this: create a new file named .user.php (note that the first character is a period) in the same main folder as CubeCart's index.php file, with these contents:

max_input_vars = 25000

 

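To make the failure mode concrete, here is an added PHP CLI script that is not code from this thread, from CubeCart or from the AIOS module. It builds a URL-encoded body with more fields than max_input_vars allows and shows that PHP silently drops everything past the limit, so a token field that sits after the cutoff never reaches the application; parse_str() is subject to the same limit as $_POST, which is why the script can reproduce the truncation without a web server. The field names (rate[n]), the token value and the script name are invented for the demo, and the position of the real CubeCart token in its form is not stated in the thread. Because max_input_vars is a PHP_INI_PERDIR setting it cannot be raised with ini_set() inside the script, which is also why the posts above reach for .htaccess or .user.ini; run the script with the limit you want to simulate instead.

```php
<?php
// Added example (not CubeCart or AIOS code): show how PHP's max_input_vars
// limit silently truncates a large POST body, so that a security token
// sitting past the cutoff never reaches the application.
//
// Usage (the limit is PHP_INI_PERDIR and cannot be set with ini_set()):
//   php -d max_input_vars=1000  max_input_vars_check.php   # default limit: token lost
//   php -d max_input_vars=25000 max_input_vars_check.php   # raised limit: token kept
declare(strict_types=1);

/**
 * Build a URL-encoded body shaped like a big rates form: $rates numeric
 * fields named rate[0], rate[1], ... followed by a hidden "token" field.
 * Field names and the token value are constructed for this demo.
 */
function buildBody(int $rates, string $token): string
{
    $fields = [];
    for ($i = 0; $i < $rates; $i++) {
        $fields['rate'][$i] = sprintf('%.2f', $i * 1.5);
    }
    $fields['token'] = $token;
    return http_build_query($fields);
}

/** Fields the client actually sent: split the raw body, no PHP limit involved. */
function countRawFields(string $body): int
{
    return $body === '' ? 0 : count(explode('&', $body));
}

/** Leaf values that survived PHP's input parsing (what $_POST would contain). */
function countParsedFields(array $vars): int
{
    $n = 0;
    array_walk_recursive($vars, function () use (&$n): void { $n++; });
    return $n;
}

/**
 * Parse the body the way PHP populates $_POST. parse_str() goes through the
 * same input-variable registration and so honours max_input_vars: the excess
 * is dropped and an E_WARNING "Input variables exceeded N" is raised.
 * Returns [parsed array, list of warning messages].
 */
function parseLikePost(string $body): array
{
    $warnings = [];
    set_error_handler(function (int $errno, string $msg) use (&$warnings): bool {
        $warnings[] = $msg;
        return true; // swallow the warning; we report it ourselves below
    });
    $parsed = [];
    parse_str($body, $parsed);
    restore_error_handler();
    return [$parsed, $warnings];
}

$limit = (int) ini_get('max_input_vars');
$body  = buildBody(1500, 'constructed-token-value');
[$parsed, $warnings] = parseLikePost($body);

printf("max_input_vars : %d\n", $limit);
printf("fields sent    : %d\n", countRawFields($body));
printf("fields parsed  : %d\n", countParsedFields($parsed));
foreach ($warnings as $w) {
    printf("PHP warning    : %s\n", $w);
}
if (isset($parsed['token'])) {
    echo "token present  : yes, the form would be accepted\n";
} else {
    echo "token present  : NO, this is the request CubeCart rejects as possible CSRF\n";
}
```

The same comparison works against a live request: count the `&`-separated pairs in `file_get_contents('php://input')` and compare with the leaf count of `$_POST`; a gap between the two, together with the "Input variables exceeded" warning in the PHP error log, is the signature of this problem rather than of a genuine CSRF attempt.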

In CubeCart's administration, the left side panel has a stack of links that will take you to various administrative screens to perform administrative tasks.

At the bottom of CubeCart's admin navigation panel is PHP Info. Click on this link.

You will now see a series of tables that reveal many settings that PHP is operating under.

 


Hi there, thanks. I just changed the name to .user.ini and it appears to be working. The Core table gives the Max. Input Vars as:

Local: 25,000

Master: 1,000

 

I guess it worked then? :)

 

Am I okay to leave it like this, or would I be better off removing this .user.ini file once I'm done updating postage rates?

