Invalid CSRF token in nearly fresh installation
After quite a while, something from me:
Today I tried a fresh installation of CMSimple_XH v. 1.6.4. I changed the default language in config.php to "de" and edited the content.htm to some simple plain HTML text - just an H1 and a P section.
Then I logged in and tried to reset the password. When saving, I obtained an "Invalid CSRF token" error message.
During summer I reinstalled two sites after a server crash. One - www.marga-andres.de - is based on XH 1.6.2. During that install the above procedure worked just fine.
My current workaround was therefore to copy over the config.php of www.marga-andres.de to the new site. I could log in and change the password to the one I wanted.
Why does this happen? Is there something wrong with 1.6.4?
Re: Invalid CSRF token in nearly fresh installation
Since CMSimple_XH 1.6 there is a protection against CSRF attacks built into the core, and apparently the CSRF token could not be stored in the session. This can have several reasons, amongst them one of the included files containing a BOM, or otherwise outputting something (e.g. due to whitespace after the closing ?> at the end of the file).
If the error message occurs again, I suggest you have a look at the system check (Settings -> Info -> System Check); the last item reports if there is a BOM. Furthermore you should enable the debug mode (this might report "headers already sent" including the place where the output has been started).
To verify that everything is okay after applying your workaround, it's best to delete all cookies, and to try to save something in CMSimple_XH's back-end. If that works without the error message being shown, fine; otherwise you'll want to go through the procedure noted above.
Christoph M. Becker – Plugins for CMSimple_XH
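As an added example (not part of the thread and not CMSimple_XH code), here is a small Python scanner for the two causes of stray output named in the reply: a UTF-8 BOM at the start of an included file, and bytes after the closing ?> that PHP would emit before the session cookie carrying the CSRF token can be sent. It assumes PHP's rule that exactly one newline directly after ?> is swallowed; a ?> inside a string literal near the end of a file would be reported as a false positive.

```python
"""Scan PHP files for stray output that triggers "headers already sent":
a UTF-8 BOM before <?php, or bytes after the final closing ?>."""
import sys
from pathlib import Path

UTF8_BOM = b"\xef\xbb\xbf"


def check_php_source(data: bytes) -> list[str]:
    """Return findings for one file's raw bytes (empty list = clean)."""
    findings = []
    if data.startswith(UTF8_BOM):
        # The BOM is sent to the client as three bytes of output before
        # any PHP code runs, so session_start() can no longer set cookies.
        findings.append("UTF-8 BOM at start of file")
    close = data.rfind(b"?>")
    if close != -1:
        trailer = data[close + 2:]
        # PHP swallows exactly one newline (\n or \r\n) directly after ?>;
        # anything beyond that is emitted to the client as literal output.
        if trailer not in (b"", b"\n", b"\r\n"):
            findings.append(
                f"{len(trailer)} byte(s) after closing ?>: {trailer!r}")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory tree and map each offending .php file to its findings."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        findings = check_php_source(path.read_bytes())
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    # Usage: python scan_php_output.py /path/to/cmsimple_xh
    for path, findings in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path)
        for finding in findings:
            print("   ", finding)
```

Run it against the installation root; a clean tree prints nothing, and any file listed is a candidate for the "headers already sent" report that debug mode would show.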