Question about Security Token

**BlessIsaacola** · 8 Aug 2013, 04:42 PM

I am wondering if anyone can assist me to figure out how to access the security token that is now part of Zen Cart. Here is my situation:

Go to: http://www.clevershoppers.com/index....ducts_id=50789
Search for John below the description
Select John from the result
Click on Buy Now (Don't worry, you're not placing an order for anything)
Complete the personalization and Click on Add to Cart

When you add to cart (if you're logged in you will get this error message):

Whoops! Sorry, but you are not allowed to perform the action requested.
You are still logged in to your account and may continue shopping. Please choose a destination from a menu.

When you add to cart (if you're not logged in you will get this error message):

Whoops! Your session has expired.

If you were placing an order, please login and your shopping cart will be restored. You may then go back to the checkout and complete your final purchases.

If you had completed an order and wish to review it, please go to your My Account page to view your order.

In either case it appears there's an issue with the security token. That page uses an iframe that's configured like this:

Code:

<iframe src="http://315.iframe.mediak.com?_products=104&_autopickprod=1&_showcd=0" frameborder="0" width="625" height="600"></iframe>

I need to somehow reconfigure this to pass the security token and I am not sure how to configure the url differently or where to get the security token from.
I am thinking of something like this:

Code:

<iframe (...) src="http://315.iframe.mediak.com?_products=104&_autopickprod=1&_showcd=0&__securityToken=$zencart_security_token"></iframe>

I don't know where you get $zencart_security_token from, I assume there is an api for that somewhere.

Thanks.

**DrByte** · 8 Aug 2013, 05:02 PM

The security token is built within Zen Cart and stored in the $_SESSION and is automatically inserted into any Zen Cart generated <FORM> element when you use the zen_draw_form() function.

If you are building your own <FORM> outside of Zen Cart (such as your iframe), you won't have access to that value, and thus cannot pass it.

That's actually why the token exists: to prevent manipulation of the site by external pages, since that's how security attacks can cause trouble.

If your custom page in your iframe is actually loading Zen Cart (ie: include(application_top.php) ) then you'll have the ability to use the zen_draw_form() function when building the <FORM> element on your custom page.

**BlessIsaacola** · 8 Aug 2013, 05:06 PM

Thank you so much DrByte for the prompt response. I will contact the company responsible for the iframe to see if there's an alternative approach.

**dbltoe** · 8 Aug 2013, 10:51 PM

Looks like you got it going. Care to share the fix?

**BlessIsaacola** · 9 Aug 2013, 12:18 AM

Originally Posted by dbltoe

Looks like you got it going. Care to share the fix?

I modified our custom template to handle the security token. If you're not currently using a custom product_type the solution will not be useful. If you don't mind me asking do you have a unique situation similar to ours? I just want to make sure I don't create confusion for others by posting the changes.