Why are we even checking the token before logging in the user?

I am getting this message when trying to implement aggressive varnish caching:

"Sorry, logging in from a different domain is not permitted. Please try again."

I have also noticed other users getting an error message under some cases:


And the thought occurs to me: why is it even necessary to validate the token for the user login?  If the username and password are correct, why should Elgg not just log the user in to the given site?  I am very green to Elgg's internals, but I thought I would ask this as I cannot come up with a logical reason.  It seems an almost unnecessary complication to me.  Under what case would you *not* want to log the user in, assuming the username and password posted were correct?

I'm sure there is probably something simple I am missing. :)

Thank you.


  • @CX, thanks, that looks like a slightly cleaner way to do it.  I completely missed that and should have seen it before. :/

    @Paweł Sroka, Thanks I just spent an hour reading 90% of the paper referenced and I think I'm better educated now for it.  I'm still fuzzy on tokens and Elgg's exact implementation so I will have to read up more on that. :)

    After reading that paper and seeing their suggestion for using strict Referer header control, why don't we also check in action_gatekeeper() whether or not the HTTP REFERER contains the value of our current domain, and then still allow the login to proceed if either (or both) of the REFERER check or the token validation checks out?  Based on the paper referenced, it seems HTTP REFERER is fairly reliable for preventing CSRF attacks where it is present (the problem with using it as the main defense is that some clients or networks strip it for privacy reasons).  This way, in the event of something unusual happening, the REFERER can be used to still allow the login while still providing the same protection against a CSRF login attack (assuming what is being done now is helping).
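The "token OR strict Referer" gatekeeper proposed in the comment above, as an added illustration that is not part of the thread and not Elgg's own code. A login form is a CSRF target because a cross-site POST can log the victim's browser into an account the attacker controls, which is why the action is gated at all. The example binds the token to the server-side session, so a copy of the login form cached by a reverse proxy and served to a different session fails the token branch; the Referer branch parses the header and compares the host exactly instead of testing whether the header "contains" our domain. The host name `elgg.example.com`, the form field `__elgg_token` and the `action_gatekeeper` signature are assumptions for the example; Elgg's real token derivation is not reproduced here.

```python
"""Login-action CSRF gate: per-session token OR strict Referer host match.
Added example; names and field layout are assumptions, not Elgg internals."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "elgg.example.com"   # assumed: the host the site is served from
TOKEN_FIELD = "__elgg_token"     # assumed: hidden form field carrying the token


def issue_token(session):
    """Create a random token, store it in this session and return it so the
    login form can embed it. A cached copy of the form handed to another
    session carries a token that session never stored, so it will not validate."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def token_is_valid(session, posted):
    """True only if the posted token equals the one held by this session."""
    expected = session.get("csrf_token")
    if not expected or not posted:
        return False
    # Constant-time comparison so a mismatch position cannot be timed.
    return hmac.compare_digest(expected, posted)


def referer_matches(headers, site_host=SITE_HOST):
    """Strict Referer validation: pass only when the header is present and its
    parsed host equals ours exactly. A substring test ("contains our domain")
    would accept https://evil.example/?elgg.example.com or a Referer from
    elgg.example.com.evil.example, so the URL is parsed instead."""
    referer = headers.get("Referer") or headers.get("referer")
    if not referer:
        return False  # stripped by the client or a proxy: cannot vouch for it
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    return parts.hostname.lower() == site_host.lower()


def action_gatekeeper(session, headers, form, site_host=SITE_HOST):
    """Allow the action if either branch passes, as suggested in the thread.
    Returns (allowed, reason) so the caller can log which branch admitted it."""
    if token_is_valid(session, form.get(TOKEN_FIELD)):
        return True, "token"
    if referer_matches(headers, site_host):
        return True, "referer"
    return False, "rejected"


if __name__ == "__main__":
    # Constructed scenarios: a normal login, a cached form served to a
    # different session, and a cross-site POST with a crafted Referer.
    session_a = {}
    tok = issue_token(session_a)
    print(action_gatekeeper(session_a, {}, {TOKEN_FIELD: tok}))
    print(action_gatekeeper({}, {"Referer": "https://elgg.example.com/login"},
                            {TOKEN_FIELD: tok}))
    print(action_gatekeeper({}, {"Referer": "https://evil.example/?elgg.example.com"},
                            {TOKEN_FIELD: tok}))
```

Two caveats follow from the code. The "either" policy is only as strong as its weaker branch: any page served from the same host that can make the browser submit a form (site-hosted user content, for instance) produces a matching Referer, so the Referer branch alone should be trusted only where no such page exists. And a client that strips Referer falls back to the token branch, which under proxy caching still fails, so the combination does not remove the caching symptom for those clients.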
