Hi,

We re trying to edit the name and description of one of our forums whilst logged into the admin panel.

We get this error message...

Can not proceed: possible CSRF/XSRF attack!

Any advice?
Ben

Make sure your $main_url setting corresponds to the primary URL you enter the forum.
Specially, if the primary URL contains 'www' in it, $main_url also should contain it.
If the primary URL doesn't contain 'www', $main_url should start with 'https://url_to_forum' without 'www.'

I have the same problem online. On developpement server it's ok, but on the production never pass the addnewforum command.
Here, maybe, something helpfull for many: Cookie names cannot contain any of the following '=,; \t\r\n\013\014' in addon_whosonline.php on line 59

My $cookiename='DecouvertePlongeeQuebecoise='; (from setup_options.php) may be too long.

Correction: I was still working on an old cookie.
As my MiniBB is integrated to website, i have to work on line 125 of bb_admin.php which I've renamed. I don't use the MiniBB login system.

To do properly, I have to get into bb_admin.php by submitting a form with admin_usr and admin_psw which form must perform under method=POST
Here the code:
<?php
include_once "DIrectory/MiniBB/setup_options.php";
$_POST["mode"] = "login";
$_POST["adminusr"] = $admin_usr;
$_POST["adminpwd"] = $admin_pwd;
include_once "DIrectory/MiniBB//bb_admin.php";

I worked long, very long before i could find this clue:

setup_options.php must have a
cookiedomain value different than ''
and cookiepath a value = ''

otherwise my browser (opera) negate to record any cookie
Now, my setup_options.php has this about cookies:

$cookiedomain='plongee.rcmission.net';
$cookiename='DecouvPlongQueb';
$cookiepath='';
$cookiesecure=FALSE;
$cookie_expires=108000;
$cookie_renew=1800;
$cookielang_exp=2592000;

the cookiedomain corresponding to the actual domain name used for the website where is the miniBB .

Caution: https is a reserved feature for securised website. If the website has no security controle system, that's for nothing to add the "s" after http.

This is mentioned in miniBB Manual as well. If you want less problems, avoid more tricks. They don't affect security anyway.

If you miniBB is integrated, you should work on bb_cookie.php and optionally bb_func_login.php. Admin's file is also based on these codes.
Guide.

It was just an example; of course if you don't have https connection, there should be 'http://'.

Actually, CSRF/XSRF issue is related to this thing: you should have the same value in $main_url as you're entering the forum from. If it starts with a subdomain, then only subdomain without www should be listed there. It should be absolutely equal to the domain you're entering credentials from. And yes, if you system is tied up with another logins system, you may modify cookie settings so they correspond to the system you're using.