Security token not set.
SysGhost May 31, 2021
I try to edit my profile on https://www.gamingonlinux.com/usercp.php .
I edit relevant fields, and when I hit the "Update" button, it returns me an error:
"Security token not set! If this is a legitimate request, please report the bug."

I tried clearing the cache, cookies and different browsers as well as relogging.
Same error either way.
Liam Dawe May 31, 2021
Sorry about that! Rolled out some new security and missed one bit there. Solved.

Thank you for the report!
Purple Library Guy Aug 7, 2021
I'm finding something possibly related. Sometimes when I try to do a reply (never an original post, always a reply to someone) a little popup says "Sorry, your account security token was either not set or invalid. If this was a legitimate post attempt, please report the bug."
This has happened on both my desktop and laptop computer. If I reload the page it's OK.
Arehandoro Aug 7, 2021
Quoting: Purple Library Guy
I'm finding something possibly related. Sometimes when I try to do a reply (never an original post, always a reply to someone) a little popup says "Sorry, your account security token was either not set or invalid. If this was a legitimate post attempt, please report the bug."
This has happened on both my desktop and laptop computer. If I reload the page it's OK.

Experienced the same thing the other day too.
Liam Dawe Aug 7, 2021
How long were you on the page when it happens?
tuubi Aug 7, 2021
I assume this is about CSRF tokens? You shouldn't worry about having them last too long. You'll get most of the protection even if they last until the end of the session, and that's how they mostly seem to be used in the real world.
Liam Dawe Aug 7, 2021
Quoting: tuubi
I assume this is about CSRF tokens? You shouldn't worry about having them last too long. You'll get most of the protection even if they last until the end of the session, and that's how they mostly seem to be used in the real world.
Well, it's concerning since it seems it's failing for a few people. Which is one of two things: either it's not being set properly or people sat on the page for too long and it timed out. Hmmmm.
tuubi Aug 7, 2021
Quoting: Liam Dawe
Quoting: tuubi
I assume this is about CSRF tokens? You shouldn't worry about having them last too long. You'll get most of the protection even if they last until the end of the session, and that's how they mostly seem to be used in the real world.
Well, it's concerning since it seems it's failing for a few people. Which is one of two things: either it's not being set properly or people sat on the page for too long and it timed out. Hmmmm.
Yeah that's what I was thinking. My suggestion was to avoid the latter problem by simply using a persistent token for each user session or at least giving the tokens a very generous lifetime. They're not access tokens so lifetime isn't critical.
Liam Dawe Aug 7, 2021
Quoting: tuubi
Yeah that's what I was thinking. My suggestion was to avoid the latter problem by simply using a persistent token for each user session or at least giving the tokens a very generous lifetime. They're not access tokens so lifetime isn't critical.
Currently it's just set in the session, so it times out with the session. Any thoughts on the best way around that other than extending session times?
tuubi Aug 7, 2021
Quoting: Liam Dawe
Quoting: tuubi
Yeah that's what I was thinking. My suggestion was to avoid the latter problem by simply using a persistent token for each user session or at least giving the tokens a very generous lifetime. They're not access tokens so lifetime isn't critical.
Currently it's just set in the session, so it times out with the session. Any thoughts on the best way around that other than extending session times?
Ah. I don't really see a good way to get around this if the user takes long enough to type their reply that their session is already gone when they submit the form. I guess they might load a bunch of articles in tabs and only get around to actually reading them and commenting a few hours later. Maybe... add the token on demand when the user actually starts to comment/reply instead of when they load the articles or threads?
Liam Dawe Aug 7, 2021
Quoting: Purple Library Guy
Sorry, your account security token was either not set or invalid. If this was a legitimate post attempt, please report the bug.
This gave me an idea. It used the same error for two possible issues, so I've given them separate error messages. So now we can see if it's not being set somewhere or if it's a case of it timing out. That should give me a good point to start from when it happens again.
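
Added example, not part of the thread and not GamingOnLinux's code: one way to combine the two ideas discussed above, a single CSRF token per session with a generous lifetime and a distinct failure reason for each way the check can fail. The function names, reason strings and the 12-hour lifetime are assumptions, and plain arrays stand in for `$_SESSION`.

```php
<?php
// Added example; names and the lifetime below are assumptions, not the site's values.
const CSRF_MAX_AGE = 12 * 3600; // generous token lifetime, in seconds

// Issue one token per session and reuse it for every form in that session.
function csrf_issue(array &$session, int $now): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = ['value' => bin2hex(random_bytes(32)), 'issued' => $now];
    }
    return $session['csrf']['value'];
}

// Return a distinct reason per failure so the logs show which case occurred.
function csrf_check(array $session, ?string $submitted, int $now): string
{
    if ($submitted === null || $submitted === '') {
        return 'missing_in_request';  // the form never carried a token
    }
    if (!isset($session['csrf'])) {
        return 'missing_in_session';  // session expired, or token never issued
    }
    if ($now - $session['csrf']['issued'] > CSRF_MAX_AGE) {
        return 'expired';
    }
    // hash_equals() compares in constant time.
    if (!hash_equals($session['csrf']['value'], $submitted)) {
        return 'mismatch';
    }
    return 'ok';
}

// Constructed walk-through of each outcome.
$now = 1628300000;
$session = [];
$token = csrf_issue($session, $now);

$cases = [
    'normal reply'               => csrf_check($session, $token, $now + 600),
    'form without token field'   => csrf_check($session, null, $now + 600),
    'session gone before submit' => csrf_check([], $token, $now + 7200),
    'token older than max age'   => csrf_check($session, $token, $now + CSRF_MAX_AGE + 1),
    'token from another session' => csrf_check($session, str_repeat('0', 64), $now + 600),
];
foreach ($cases as $label => $result) {
    echo str_pad($label, 28), $result, PHP_EOL;
}
```

On the server, a session that has timed out looks the same as one where the token was never issued, so `missing_in_session` covers both; logging the session's age next to the reason helps tell them apart.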