I have "Require confirmation of an action if a possible CSRF is detected" set on tiki-admin.php?page=security. When I get the warning "Possible cross-site request forgery (CSRF, or "sea surfing") detected. Operation blocked.", and I click the "Click here to confirm your action" button, the same warning page redisplays instead of refreshing to the page where the admin action was made. This repeats as long as I keep clicking.
But the admin change does get made. If I input the admin page URL or go back in browser history to the admin page, I can see the change did take effect.
This is on my local wamp installation, so I'll need to make a show instance unless other people can reproduce this bug.
This error is from the old ask_ticket() / check_ticket() system. By Tiki 17 this had been removed. Accordingly, I cannot recreate it in Tiki 18 or 19. Since there will be no further releases of Tiki 16, there is no fix to be committed.
Also, in case this problem really relates to Tiki19, r68724 restored the default of not checking the old ticket system to avoid false anti-CSRF errors.