Problem:
You’ve got a link to your VTiger installation from another domain, but any time you open it, you get an Illegal request error message, even though you are logged in correctly.
Solution:
The reason for this error message is that vtiger validates the Referer (i.e. the source URL of the request) as a protection layer against certain security issues, for example CSRF (cross-site request forgery). We will disable the Referer check. The change below turns the check off for every request, not only for your link, so be sure to understand the implications before you do as suggested.
Disabling involves only editing a single code line. I tested this with VTiger 6.5.0, but likely only minor adjustments have to be made for other versions.
Steps to fix:
- Open <your vtiger directory>/includes/http/Request.php in a text editor.
- In the editor, search for Illegal request. You will see a code block like this:

    protected function validateReferer() {
        $user = vglobal('current_user');
        // Referer check if present - to over come
        if (isset($_SERVER['HTTP_REFERER']) && $user) { // Check for user post authentication.
            global $site_URL;
            if ((stripos($_SERVER['HTTP_REFERER'], $site_URL) !== 0) && ($this->get('module') != 'Install')) {
                throw new Exception('Illegal request');
            }
        }
        return true;
    }

- Comment out throw new Exception('Illegal request'); by prefixing it with // (this results in //throw new Exception('Illegal request');).
- The code block should now look like this:

    protected function validateReferer() {
        $user = vglobal('current_user');
        // Referer check if present - to over come
        if (isset($_SERVER['HTTP_REFERER']) && $user) { // Check for user post authentication.
            global $site_URL;
            if ((stripos($_SERVER['HTTP_REFERER'], $site_URL) !== 0) && ($this->get('module') != 'Install')) {
                //throw new Exception('Illegal request');
            }
        }
        return true;
    }

- Save the file.
- The fix should take effect immediately; if it does not, restart your web server.
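
A narrower alternative to commenting out the exception, shown as an added example that is not part of the original post and not vtiger's own code: accept a Referer only when its origin is the CRM itself or one of an explicit list of linking sites, so the check stays in force for everything else. The function names, the allowlist and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example, not vtiger code. refererOrigin(), refererIsTrusted() and
// all URLs below are hypothetical names and constructed sample values.

// Reduce a URL to "scheme://host:port", or null if it is not a usable http(s) URL.
function refererOrigin(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

// True when the Referer comes from the CRM itself or from an allowlisted origin.
// Origins are compared whole (scheme, host and port) rather than by string
// prefix, so a host name that merely starts with the CRM's name does not match.
function refererIsTrusted(string $referer, string $siteUrl, array $trusted): bool
{
    $origin = refererOrigin($referer);
    if ($origin === null) {
        return false; // Unparseable Referer: keep rejecting.
    }
    $allowed = array_filter(array_map('refererOrigin', array_merge([$siteUrl], $trusted)));
    return in_array($origin, $allowed, true);
}

// Constructed sample values: the CRM, one linking site, two untrusted sources.
$siteUrl = 'https://crm.example.com/';
$trusted = ['https://intranet.example.com'];
$samples = [
    'https://crm.example.com/index.php?module=Contacts',
    'https://intranet.example.com/links.html',
    'https://crm.example.com.other.test/page',
    'https://unrelated.example.net/',
];
foreach ($samples as $referer) {
    $verdict = refererIsTrusted($referer, $siteUrl, $trusted) ? 'accept' : 'reject';
    printf("%-52s %s\n", $referer, $verdict);
}
```

With a helper like this, the throw in validateReferer() would stay active and only the stripos() comparison would be replaced by a negated call to the helper, leaving the existing Install module exception as it is.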