2018-07-24, 01:34 PM
(This post was last modified: 2020-06-19, 03:42 PM by JordanMussi. Edited 1 time in total.)
MyBB 1.8.16 introduces some crucial changes aimed towards better security regarding users authentication. Templates containing login forms must be updated in order to comply with these changes; otherwise, you will stumble upon the following error:
If you have upgraded to 1.8.16 or above, please read the following instructions carefully.
Templates requiring changes:
You will need to apply the changes for these templates to each theme on your board.
Navigate to Admin CP -> Templates & Style -> Templates
Then for each template set go through the following process ensuring you do it for each of the templates in bold above:
For each template:
Either:
It's that simple. Your users will now be able to login again. my_post_key input is in fact now mandatory to be sent alongside other form parameters in order to protect your users and reduce potential malicious attacks.
The upgrade script will attempt to fix some templates that have not been customised from the "MyBB Master Style" and will handle the change automatically. This guide is aimed at all who have custom themes with these templates altered.
Still facing the issue?
If you have gone through the steps above, or the inputs are already in the correct place follow these additional steps.
If you are using a reverse proxy service, for example Cloudflare
Ensure that the IP of your visitors is being correctly set by either:
If you are running multiple boards on the same domain
Ensure you have different cookie prefixes for both boards to avoid any conflicts between them.
If you are using a cache solution between your board and visitor
Ensure that the cache for non-static assets is bypassed when the MyBB
Quote:Authorization code mismatch. Are you accessing this function correctly? Please go back and try again.
If you have upgraded to 1.8.16 or above, please read the following instructions carefully.
Templates requiring changes:
- error_nopermission
- header_welcomeblock_guest
- member_login
- portal_welcome_guesttext
You will need to apply the changes for these templates to each theme on your board.
Navigate to Admin CP -> Templates & Style -> Templates
Then for each template set go through the following process ensuring you do it for each of the templates in bold above:
For each template:
Either:
- Select Options -> Revert to Original (but you will lose custom styling in this template); or
- Open & edit the template and follow the rest of the steps
- Locate the
<form>
tag
Look through the template's code and find where the opening form tag is, for example:<form method="post" action="{$mybb->settings['bburl']}/member.php">
- Add the missing
<input>
element
Add the following code after the<form>
tag if it is not already there:<input name="my_post_key" type="hidden" value="{$mybb->post_code}" />
- Choose Save and Return to Listing
Repeat the process for the other templates.
- Locate the
It's that simple. Your users will now be able to login again. my_post_key input is in fact now mandatory to be sent alongside other form parameters in order to protect your users and reduce potential malicious attacks.
The upgrade script will attempt to fix some templates that have not been customised from the "MyBB Master Style" and will handle the change automatically. This guide is aimed at all who have custom themes with these templates altered.
Still facing the issue?
If you have gone through the steps above, or the inputs are already in the correct place follow these additional steps.
If you are using a reverse proxy service, for example Cloudflare
Ensure that the IP of your visitors is being correctly set by either:
- configure overwriting the
REMOTE_ADDR
variable in your webserver config usingX-Forwarded-For
orCF-Connecting-IP
; or
- enable the following setting: Admin CP -> Configuration -> Settings -> Server and Optimization Options -> Scrutinize User's IP address?
If you are running multiple boards on the same domain
Ensure you have different cookie prefixes for both boards to avoid any conflicts between them.
If you are using a cache solution between your board and visitor
Ensure that the cache for non-static assets is bypassed when the MyBB
sid
cookie is set, or only enable caching for static assets like .js
, .png
etc