By Gregor on Wednesday, 11 July 2018
Posted in Technical Issues
Hi,

I really would like to enable the system - page cache plugin to improve the server response time.

But when I do, the 'infamous' Invalid Token appears. At this moment we use APC user cache (conservative), jch_optimize and Cloudflare.

This is working fine but server response time is too high and increases with traffic. Did anyone succeed in enabling page cache without token problems? Thank you.

Regards,
Mark
You are most welcome, Mark.
·
Tuesday, 11 September 2018 21:34
·
I do not think this issue is related to EasySocial because if you try to log in with the login module from Joomla, you would hit the same issues. Unless of course, the CSRF checks are disabled but that would cause a different issue altogether.
·
Wednesday, 11 July 2018 21:12
·
Hi Mark,

Yes, I'm afraid you're right. This would be the only reason to ever leave Joomla. Do you know how other systems like WordPress are dealing with this issue?

What do you think about making an exception for the EasySocial login page and removing the dropdown login? Will that work? And what about the social login?

Regards,
Mark
·
Thursday, 12 July 2018 01:38
·
Hey Gregor,

To be honest, I don't think this is a Joomla issue. Joomla is much more secure by enforcing CSRF tokens. I think even with WordPress, you may hit the same problems unless of course you ignore the CSRF attacks.

However, I am wondering if CSRF token checks are really required for authentication because a CSRF token prevents a remote attacker from performing actions on behalf of the user when they do not have the appropriate tokens.

If the user is not logged in yet, the CSRF tokens are pretty much useless unless someone tries to force the user to log in, but I don't see how that could be vulnerable to the user.

This is how Joomla prevents CSRF attacks, https://docs.joomla.org/How_to_add_CSRF_anti-spoofing_to_forms

P/S: You could learn more about CSRF here, https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
·
Thursday, 12 July 2018 13:28
·
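The "Invalid Token" symptom discussed in this thread, as an added example that is not part of the original posts and is not Joomla or EasySocial code. It is a simplified Python model (the `Site` class, the `/login` path and the visitor ids are constructed for illustration) in which a full-page cache stores a form carrying the first visitor's per-session CSRF token, so the next visitor's submission is rejected unless that path is excluded from the cache.

```python
import hmac
import secrets


class Site:
    """Toy site: per-session CSRF token in the form, optional full-page cache."""

    def __init__(self, page_cache=False, no_cache_paths=()):
        self.page_cache = page_cache
        self.no_cache_paths = set(no_cache_paths)  # paths never served from cache
        self.sessions = {}  # session id -> CSRF token
        self.cache = {}     # path -> rendered HTML, shared by all visitors

    def _token(self, sid):
        # One random token per session, created on first use.
        return self.sessions.setdefault(sid, secrets.token_hex(16))

    def get(self, sid, path):
        cacheable = self.page_cache and path not in self.no_cache_paths
        if cacheable and path in self.cache:
            # Cache hit: the HTML (and the token inside it) was rendered
            # for whichever visitor requested this path first.
            return self.cache[path]
        html = ('<form method="post" action="%s">'
                '<input type="hidden" name="csrf" value="%s"></form>'
                % (path, self._token(sid)))
        if cacheable:
            self.cache[path] = html
        return html

    def post(self, sid, path, submitted_token):
        # The check compares against the token of the *submitting* session.
        if hmac.compare_digest(self._token(sid), submitted_token):
            return "OK"
        return "Invalid Token"


def extract_token(html):
    return html.split('name="csrf" value="')[1].split('"')[0]


def second_visitor_login(site):
    """Visitor A warms the cache, then visitor B loads and submits the form."""
    site.get("visitor-a", "/login")
    html = site.get("visitor-b", "/login")
    return site.post("visitor-b", "/login", extract_token(html))
```

In this model any cached page that embeds the form behaves the same way, which is why a login dropdown rendered on every page is harder to exempt than a single login URL.
·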
Hi Mark,

Thank you for sharing your opinion on this subject. I am not a security expert so I believe these tokens are important. However, when it forces me to disable an essential and badly needed core functionality like caching, it's a real problem. Especially when the popularity/traffic of the site increases. And isn't that a major point of having a website at all? What do you think about my suggestion in the earlier post?

.....making an exception for the EasySocial login page and removing the dropdown login? Will that work also with the social login?

Regards,
Mark
·
Tuesday, 17 July 2018 19:53
·
Hey Mark,

To be honest, I don't think the browser cache is actually going to massively speed things up. I am not entirely sure how you are benchmarking this but from what I have tested, the initial page load time on the site takes about 1s - 1.2s which is actually fine considering that there are a lot of heavy privacy policies (EasySocial and EasyBlog) involved on the site.

To give you a comparison, your back end login page takes about 1s to render, http://take.ms/tyqEh . Another comparison is your admin template's CSS file, which also takes about 1s to render, http://take.ms/ObHer . Mind you that these pages do not render anything from EasySocial or EasyBlog.
·
Tuesday, 17 July 2018 22:18
·
Hi Mark,

Thank you for your insights.
Another question: Do you know a developer who can help us (part-time/on demand) if needed? We are looking for someone for continuity, skills and capacity reasons. Knowledge of EasyBlog/EasySocial and in-depth knowledge and experience with Joomla. Knowledge of and experience with Cloudflare would be nice. Please let me know.

Thank you,
Mark
·
Saturday, 01 September 2018 18:37
·
Hey Gregor,

We do provide custom consultation at the rate of $80 up to $120 an hour depending on the number of hours that you commit. Generally, the more hours you contract us for, the cheaper the price would be.
·
Saturday, 01 September 2018 18:52
·
Hi Mark,

Thank you and that's really good to hear!! We are very happy with your software and services so it's good to know we can get your extra support when needed.

Thank you,
Mark
·
Tuesday, 11 September 2018 21:04