Security token not set.
SysGhost 31 May
I try to edit my profile on https://www.gamingonlinux.com/usercp.php .
I edit relevant fields, and when I hit the "Update" button, it returns me an error:
"Security token not set! If this is a legitimate request, please report the bug."

I tried clearing the cache, cookies and different browsers as well as relogging.
Same error either way.
Liam Dawe 31 May
Sorry about that! Rolled out some new security and missed one bit there. Solved.

Thank you for the report!
I'm finding something possibly related. Sometimes when I try to do a reply (never an original post, always a reply to someone) a little popup says "Sorry, your account security token was either not set or invalid. If this was a legitimate post attempt, please report the bug."
This has happened on both my desktop and laptop computer. If I reload the page it's OK.
Quoting: Purple Library Guy
I'm finding something possibly related. Sometimes when I try to do a reply (never an original post, always a reply to someone) a little popup says "Sorry, your account security token was either not set or invalid. If this was a legitimate post attempt, please report the bug."
This has happened on both my desktop and laptop computer. If I reload the page it's OK.

Experienced the same thing the other day too.
Liam Dawe 7 Aug
How long were you on the page when it happens?
tuubi 7 Aug
I assume this is about CSRF tokens? You shouldn't worry about having them last too long. You'll get most of the protection even if they last until the end of the session, and that's how they mostly seem to be used in the real world.
Liam Dawe 7 Aug
Quoting: tuubi
I assume this is about CSRF tokens? You shouldn't worry about having them last too long. You'll get most of the protection even if they last until the end of the session, and that's how they mostly seem to be used in the real world.

Well, it's concerning since it seems it's failing for a few people. Which is one of two things: either it's not being set properly, or people sat on the page for too long and it timed out. Hmmmm.
tuubi 7 Aug
Quoting: Liam Dawe
Quoting: tuubi
I assume this is about CSRF tokens? You shouldn't worry about having them last too long. You'll get most of the protection even if they last until the end of the session, and that's how they mostly seem to be used in the real world.

Well, it's concerning since it seems it's failing for a few people. Which is one of two things: either it's not being set properly, or people sat on the page for too long and it timed out. Hmmmm.

Yeah that's what I was thinking. My suggestion was to avoid the latter problem by simply using a persistent token for each user session or at least giving the tokens a very generous lifetime. They're not access tokens so lifetime isn't critical.
Liam Dawe 7 Aug
Quoting: tuubi
Yeah that's what I was thinking. My suggestion was to avoid the latter problem by simply using a persistent token for each user session or at least giving the tokens a very generous lifetime. They're not access tokens so lifetime isn't critical.

Currently it's just set in the session, so it times out with the session. Any thoughts on the best way around that other than extending session times?
tuubi 7 Aug
Quoting: Liam Dawe
Quoting: tuubi
Yeah that's what I was thinking. My suggestion was to avoid the latter problem by simply using a persistent token for each user session or at least giving the tokens a very generous lifetime. They're not access tokens so lifetime isn't critical.

Currently it's just set in the session, so it times out with the session. Any thoughts on the best way around that other than extending session times?

Ah. I don't really see a good way to get around this if the user takes long enough to type their reply that their session is already gone when they submit the form. I guess they might load a bunch of articles in tabs and only get around to actually reading them and commenting a few hours later. Maybe... add the token on demand when the user actually starts to comment/reply instead of when they load the articles or threads?
Liam Dawe 7 Aug
Quoting: Purple Library Guy
Sorry, your account security token was either not set or invalid. If this was a legitimate post attempt, please report the bug.

This gave me an idea. It used the same error for two possible issues, so I've given them separate error messages. So now we can see if it's not being set somewhere or if it's a case of it timing out. That should give me a good point to start from when it happens again.
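
The two ideas discussed in this thread, one CSRF token kept for the whole session and a separate error for each failure cause, can be sketched as follows. This is an added example, not GamingOnLinux's code; the dict-based session, the function names and the 12-hour lifetime are assumptions.

```python
import hmac
import secrets
import time
from enum import Enum

# Assumption: a generous lifetime in seconds; the value is illustrative only.
TOKEN_LIFETIME = 12 * 60 * 60


class CsrfResult(Enum):
    OK = "ok"
    NOT_SET = "no token in the server-side session (never issued, or session gone)"
    NOT_SENT = "the form did not submit a token"
    EXPIRED = "token is older than its lifetime"
    MISMATCH = "submitted token does not match the session's token"


def issue_token(session, now=None):
    """Reuse the session's token so every open tab carries the same value."""
    now = time.time() if now is None else now
    issued = session.get("csrf_issued_at")
    if "csrf_token" not in session or issued is None or now - issued > TOKEN_LIFETIME:
        session["csrf_token"] = secrets.token_urlsafe(32)
        session["csrf_issued_at"] = now
    return session["csrf_token"]


def check_token(session, submitted, now=None):
    """Return a distinct CsrfResult for each way validation can fail."""
    now = time.time() if now is None else now
    expected = session.get("csrf_token")
    if not expected:
        return CsrfResult.NOT_SET
    if not submitted:
        return CsrfResult.NOT_SENT
    if now - session.get("csrf_issued_at", 0) > TOKEN_LIFETIME:
        return CsrfResult.EXPIRED
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return CsrfResult.MISMATCH
    return CsrfResult.OK


if __name__ == "__main__":
    live = {}                      # constructed sample session
    form_token = issue_token(live)
    print(check_token(live, form_token).name)  # session still alive
    print(check_token({}, form_token).name)    # session timed out before submit
```

Logging the result name next to the request separates "the form never carried a token" from "the session was gone by the time the user submitted".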