#1 2014-12-04 22:28:14

marioxcc
Member
Registered: 2014-12-04
Posts: 5

Disable referer verification.

Hello. How can I disable referer verification in FluxBB 1.5.7 so that no action is denied for users who don't send the "Referer" HTTP header?

Regards and thanks in advance.

#2 2014-12-05 08:16:47

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 906
Website

Re: Disable referer verification.

Not too sure why you'd want to do this, it's never triggered for me before (or any of my users) - but you'll have to find every occurrence of confirm_referrer('x'); and remove it from the code.

#3 2014-12-06 00:26:12

marioxcc
Member
Registered: 2014-12-04
Posts: 5

Re: Disable referer verification.

The error page appears when I try to submit a thread or message as administrator. It says:

Bad HTTP_REFERER. You were referred to this page from an unauthorized source. If the problem persists please make sure that 'Base URL' is correctly set in Admin/Options and that you are visiting the forum by navigating to that URL. More information regarding the referrer check can be found in the FluxBB documentation.

The documentation says:

When a script in FluxBB receives form data, it checks the CGI variable HTTP_REFERER (misspelled in the HTTP standard) to make sure that the form was submitted from the correct script. The check is only made for administrators and moderators. The referrer check is a security mechanism that prevents malicious users from deceiving administrators and moderators by silently and invisibly submitting a form from an external page to one of the scripts in FluxBB.

HTTP headers are trivial to spoof for malicious users, and relying on them for security can only give a false sense of it. This anti-feature belongs to the time when SSH didn't exist and passwords were sent in the clear through the Internet. Also, the functionality shouldn't rely on the HTTP referrer; FluxBB should not require users to enable the HTTP referrer in their browser, as that imposes a hassle on users who don't want to make it easier for the world wide web to track them. Right now I had to enable them for this forum to post messages here. Please seriously consider removing this anti-feature from the mainstream version. I'm still evaluating which forum to use for my web site, and this anti-feature of FluxBB doesn't help it.

Thank you for developing and releasing FluxBB as free software. That's how all software must be, and it means that I have the freedom to remove this anti-feature by myself, though it represents extra hassle and I'm not sure it's justified in my case, as there is forum software that is clean of it, though it may have its own additional problems.

Regards.

#4 2014-12-06 03:20:32

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 960

Re: Disable referer verification.

functions.php file.
Replace confirm_referrer() function ->

function confirm_referrer($scripts, $error_msg = false)
{
	// Intentionally empty: the referrer check becomes a no-op.
}

My modification of FluxBB 1.5.8 - rev.67
I speak only Russian

#5 2014-12-06 11:26:41

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,047
Website

Re: Disable referer verification.

This feature will definitely be gone in the next major version; because you are right, it is not reliable.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

#6 2014-12-06 11:31:52

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 906
Website

#7 2014-12-06 11:32:50

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,047
Website

Re: Disable referer verification.

Yes, tokens.

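The token approach named in the post above, sketched as an added example (not FluxBB's code and not written by anyone in this thread): a per-session secret yields a per-form token that is checked with a constant-time comparison, so the check does not depend on the Referer header being sent. The function names and the `csrf_token` field name are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration, not FluxBB code. All names here are hypothetical.

// Return the per-session secret, creating it on first use.
function csrf_secret(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_secret'])) {
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_secret'];
}

// Derive the token from the secret and the target script, so a token
// issued for one form is not valid for another.
function csrf_token(string $form_id): string
{
    return hash_hmac('sha256', $form_id, csrf_secret());
}

// Hidden field to embed in every state-changing form.
function csrf_field(string $form_id): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($form_id), ENT_QUOTES, 'UTF-8') . '" />';
}

// Reject the request unless the submitted token matches the expected one.
// hash_equals() compares in constant time.
function confirm_csrf_token(string $form_id): void
{
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token($form_id), $sent)) {
        http_response_code(403);
        exit('Bad request token. Reload the form and submit it again.');
    }
}

// When rendering the form:   echo csrf_field('post.php');
// At the top of the handler, before acting on the submitted data:
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    confirm_csrf_token('post.php');
}
```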

#8 2014-12-06 20:29:33

marioxcc
Member
Registered: 2014-12-04
Posts: 5

Re: Disable referer verification.

Ok. Thank you.
