Customers cannot login using my custom login box

[pb4]

I have a site here

I am unable to login as a customer. I have been working on the site on and off and so I may have accidently done something but not sure what Or how long this has been like this. It was a paypal error that alerted me to this issue. (There is/was currently a paypal API status error affecting Paypal Express checkout)

I have been through the forum and tried lots of things but I still get - 'There was a security error when trying to login..'

I am using Zen cart - v1.3.9c

What should I do? check?

Thanks

[pb4]

I Have now managed to login but I tried a second time (logged out then back in) and it didn't work again!!

Odd! It seems to be a bit random!

[pb4]

Can't login via the login section below the header but then I can login within the main login page...

Any ideas how to sort this?

[kobra]

Any ideas how to sort this?

Can't even see it

Post a link to your install

Provide what browsers you have this issue with and their versions

Also did you check the similar issue threads listed at the bottom of this post??

[pb4]

You can't see it??? The link in my first post works ok for me...

I have tried IE and firefox...I can't login via the login bar at the top below my header...

I have been through loads of threads on the forum and tried lots of things but nothing has solved this issue with the login bar...

Any help?

Thanks

[DrByte]

Your login bar contains a hard-coded securityToken field, which contains a value that's expired. Thus the form will never work.

[pb4]

Thank you DrByte for your reply and looking at this for me...

So what do I need to do to get it to work?

Thanks

[DrByte]

It appears that you simply viewed the raw source of a login form displayed in your browser, and dumped that into your custom login box, instead of using the components from the login template itself, ie: tpl_login_default.php
Thus you're left with permanent values that you've put into the form fields, and they never change. Thus, the form is being rejected because the securityToken is not truly valid. That's exactly what you want, since allowing expired values would leave you vulnerable to XSS risks and other unpleasant security problems.

So, instead of copying raw HTML, copy the relevant PHP code from the real template instead.
In this particular case, you need to replicate the securityToken field. ie: line 50 of tpl_login_default.php as of v1.3.9h

Keep the same issue in mind for future cases when you're tempted to just copy raw HTML without paying attention to the business intelligence behind how that HTML was generated.

[pb4]

Thanks again for your help...

So I need to add this line

Code:

<?php echo zen_draw_hidden_field('securityToken', $_SESSION['securityToken']); ?>

into where and in which file?

Sorry, I'm not quite getting it..

[DrByte]

Whatever <form> element you added to make your custom login box, in whatever file you put that code when you did it.