Sometimes, the user would have to press "Go" to log in automatically. Which (logically) is annoying. I tracked down the Go button to the code below. Experimentally I removed this code (commented it out) and the autologin hack seemed to function perfectly.
Therefore my question: What are the consequences of removing this code? (I'm not a PHP programmer ;))
Quote:
} else {
    // confirm if some queries exist (against GET CSRF)
    include XOOPS_ROOT_PATH . '/header.php' ;
    echo '
    <div class="confirmMsg">
        <h4>'._LOGIN.'</h4>
        <form method="post" action="'.XOOPS_URL.'/user.php?op=login">
            <input type="hidden" name="xoops_redirect" value="'.htmlspecialchars( $GLOBALS['xoopsRequestUri'], ENT_QUOTES ).'" />' ;
    echo $GLOBALS['xoopsSecurity']->getTokenHTML();
    echo '
            <input type="submit" name="confirm_submit" value="'._GO.'" />
        </form>
    </div>';
    include XOOPS_ROOT_PATH . '/footer.php' ;
    exit ;
}
It is described in the comment.
If you want to know what CSRF is, use Google.
Thanks ;). Silly question indeed.
(link for whoever doesn't know as well)
http://www.squarefree.com/securitytips/web-developers.html

Hopefully a more sensible question:
Would it be possible to have the script redirect automatically, instead of having to press the button manually?
If the script redirects automatically, the anti-CSRF feature makes no sense.
Learn what CSRF is.
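To illustrate the point above, here is an added stand-alone PHP example (not XOOPS code; the function names, the token field name and the simulated session array are my own): a GET to the login URL only gets the confirmation form, and the login is performed only for a POST that carries the token the form was given. An automatic redirect would skip the step where the browser has to submit that token.

```php
<?php
// Added example, not XOOPS code: the pattern behind the "Go" confirmation.
// A login request arriving by GET (e.g. a link on another site) only gets a
// confirmation form; the real action needs a POST carrying a one-time token
// that was stored in the user's session when the form was built.

const TOKEN_KEY = 'LOGIN_TOKEN'; // assumed session key, my own choice

// Create a fresh random token, store it in the session, return the hidden input.
function tokenFieldHtml(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session[TOKEN_KEY] = $token;
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES) . '" />';
}

// True only for a POST whose token matches the one in the session.
// The token is consumed either way, so a captured form cannot be replayed.
function isConfirmedPost(string $method, array $post, array &$session): bool
{
    if ($method !== 'POST' || !isset($post['token'], $session[TOKEN_KEY])) {
        return false;
    }
    $ok = hash_equals($session[TOKEN_KEY], (string) $post['token']);
    unset($session[TOKEN_KEY]);
    return $ok;
}

// Decide what user.php?op=login does for a given request.
function handleLogin(string $method, array $post, array &$session, string $redirect): string
{
    if (isConfirmedPost($method, $post, $session)) {
        return 'login performed, redirecting to ' . $redirect;
    }
    // GET, or POST without a valid token: show the confirmation form instead.
    return '<form method="post" action="user.php?op=login">'
        . '<input type="hidden" name="xoops_redirect" value="' . htmlspecialchars($redirect, ENT_QUOTES) . '" />'
        . tokenFieldHtml($session)
        . '<input type="submit" name="confirm_submit" value="Go" /></form>';
}

// Walk-through with a simulated session (constructed data, not a real request).
$session = [];
echo handleLogin('GET', [], $session, '/index.php'), "\n";          // confirmation form
$forged = ['token' => 'guess'];
echo handleLogin('POST', $forged, $session, '/index.php'), "\n";   // still the form
$real = ['token' => $session[TOKEN_KEY]];
echo handleLogin('POST', $real, $session, '/index.php'), "\n";     // login performed
```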
I don't want to understand it completely.
(I do understand it automatically does something for the user when he clicks on an innocent looking link from somewhere else.)
Also, if I understand the discussion on Slashdot correctly, this is something that can be fixed in Xoops. But it'd probably require a lot more effort than is worth it for just the extra button.