Weekly Support Recap #4

Fourth time in a row, weekly support recap presents: www vs. non-www domain; POST vs. GET method; CSFR error. Let us know if you have any issues and we will help!

WWW vs. non-WWW domain

Our community member magicnetworks asks on IRC how to make a website to be accessed only with or without www. Unfortunately, non of us were fast enough to give an answer straight away. So we are highlighting this topic here.

The easiest solution is to add two lines to your .htaccess file that redirect from www to non-www version of your website. Add these lines just before </IfModule>

RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

POST vs GET method

POST and GET methods are often used randomly depending on intuition but not fundamental rules. Apparently, there are strict rules. 

POST has to be used when you are posting information to the server or executing an action (adding record, deleting record, updating record, etc.). GET has to be used to get information from the server. That's why you can easily use back button in the browser when your history holds only GET methods. But when you face POST method in your navigation history, browser asks if you want to re-do the action. Because POST means making an action, and you certainly want to avoid that happening while clicking back button.

Thats why securityToken is meaningful only in POST methods. GET can't be used to harm. It's just accessing the data, but not changing it.

CSRF error "Pass correct security token"

dojoVader on IRC channel asked how to deal with security token error. Later he found the solution himself, but we decided to highlight this issue in case more users face this. 

"Incorrect security token" means that you send some data to the server using POST method and don't pass securityToken variable alongside other variables. This security token is needed to prevent CSRF attacks. You don't have to dig deep to understand everything behind it. Just add securityToken variable and don't worry.

Default ImpressPages forms add securityToken field by default. So if you are getting this error, you are probably using your own custom form generation method or AJAX. In that case, use the following method to get correct securityToken value and add it to the form:

PHP: ipSecurityToken()

JavaScript: ip.securityToken

If you need to execute POST method and you want to skip CSRF check, use PublicController

Post your questions on Stackoverflow, IRC chat,
GitHub repository or contact directly. 

See previous posts: 

comments powered by Disqus