• Resolved conradude

    (@hellodracon)


    Hello, we’re using your plugin but it seems faulty. Every time someone tries to order a product, the turnstile appears correctly and is marked as “ok”, but when they submit, the page reloads and says that their token has expired. I tried myself, I did it pretty quickly and still, it said the token was expired. The only way to make it work is by enabling the “warn only” option. And even with this option, I don’t see the info on the admin’s order page.
    Any idea what’s wrong so I can fix it ?
    Thanks a lot !

    • This topic was modified 1 week, 4 days ago by conradude.
Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Support Carl C

    (@carlfromkitgenix)

    Good morning @hellodracon,

    I hope you are well.

    I have had a look at the website link you provided, and I can only see an “Inquire” button which opens a price request form. From what I can see, that form appears to be managed by Contact Form 7.

    Could you please confirm whether the issue is related to the WooCommerce integration or the Contact Form 7 integration?

    If the issue is with WooCommerce, could you also confirm whether you are using the classic checkout or the block checkout?

    Could you also let me know whether you are using the Auto-Inject option or adding it manually via shortcode?

    Once I have those details, I will look into this further and provide a fix as soon as possible.

    Best regards, Carl @kitgenix

    Thread Starter conradude

    (@hellodracon)

    Hello, I’m well thanks, hope you too.
    So, the issue is with WooCommerce. When on the site, you can go to “Publications” and then add a book to your cart and order it. Use bank transfer as payment so you won’t have to pay anything and we can easily cancel it.

    To answer your questions :

    If the issue is with WooCommerce, could you also confirm whether you are using the classic checkout or the block checkout?
    -> Classic (woocommerce shortcode)

    Could you also let me know whether you are using the Auto-Inject option or adding it manually via shortcode?
    -> auto-inject


    Thanks a lot

    Plugin Support Carl C

    (@carlfromkitgenix)

    Good morning @hellodracon,

    Thank you for confirming those details.

    I have placed a test order under the name “Kitgenix Test” using the bank transfer payment method, and the order appears to have gone through successfully from my side.

    Could you please confirm whether you currently have Warn Only enabled in the plugin settings?

    Cloudflare Turnstile tokens are valid for 300 seconds / 5 minutes and are also single-use. Our plugin includes token refresh handling to help prevent expired-token issues, but I would like to rule out whether this is related to the checkout page sitting open for a period of time before the order is submitted.

    Could you also let me know the exact behaviour you are seeing? For example:

    • Is the order being blocked incorrectly?
    • Is the order going through when you expected it to be blocked?
    • Are you seeing a specific error message at checkout?

    Please avoid posting any secret keys or sensitive customer/order details here. A screenshot of the checkout error, if there is one, would be helpful.

    I will review this integration path in the meantime and provide a fix as soon as I can if there is an issue there.

    Best regards, Carl @kitgenix

    • This reply was modified 1 week, 4 days ago by Carl C.
    Thread Starter conradude

    (@hellodracon)

    Hey Carl, thank you.

    So :

    Could you please confirm whether you currently have Warn Only enabled in the plugin settings?
    -> Currently enabled. But I would like to make it work when disabled. Do you want me to enable it so you can try again ?

    Cloudflare Turnstile tokens are valid for 300 seconds / 5 minutes and are also single-use. Our plugin includes token refresh handling to help prevent expired-token issues, but I would like to rule out whether this is related to the checkout page sitting open for a period of time before the order is submitted.
    -> When I tried myself, it took less than 2 minutes for sure to try and order. Still didn’t work.

    Could you also let me know the exact behaviour you are seeing? For example:

    Is the order being blocked incorrectly? -> Order is not processed.
    Is the order going through when you expected it to be blocked? -> It is blocked.
    Are you seeing a specific error message at checkout? -> There is a “form error message” that appears saying that the “token has expired”, user can submit but the order isn’t processed and this message appears.

    Plugin Support Carl C

    (@carlfromkitgenix)

    Good afternoon @hellodracon,

    Thank you for confirming.

    Yes, please disable Warn Only and I will place another test order from my side using the bank transfer payment method.

    Based on the error message you are seeing, this does sound like the Turnstile token is expiring before WooCommerce completes the checkout request. Although Cloudflare Turnstile tokens are valid for up to 300 seconds, I am going to adjust the plugin’s token refresh timing so it refreshes slightly before the 300-second expiry window.

    This should help ensure the token does not reach the full expiry point before the order is submitted, especially on WooCommerce checkout pages where there can be additional processing or validation steps.

    Once you have disabled Warn Only, please let me know and I will test again from my end. I will also release an update within 24 hours once I have placed a test order to get the full picture.

    Best regards, Carl @kitgenix

    Thread Starter conradude

    (@hellodracon)

    Thank you Carl,

    I’ve just deactivated the warn only mode. You can try and see what happens.
    Thanks a lot

    Plugin Support Carl C

    (@carlfromkitgenix)

    Good afternoon @hellodracon,

    Thank you for disabling Warn Only.

    I have now tested the checkout again and can see the issue. The checkout is being blocked with the following message:

    “Your verification expired. Please complete the Turnstile challenge.”

    I also noticed a Turnstile console warning relating to the widget size value. The plugin appears to be outputting small, but Cloudflare Turnstile expects supported size values such as normal, compact, or flexible. I will correct this as part of the fix.

    The main issue appears to be related to the Turnstile token expiring, or being treated as expired, during the WooCommerce checkout process. I am going to adjust the plugin so the token is refreshed earlier, just before the 300-second expiry window, to help prevent the token from timing out before WooCommerce completes the order submission.

    I will also review the WooCommerce classic checkout Auto-Inject integration to make sure the token is refreshed/reset properly during checkout and is not being reused incorrectly.

    Do you happen to have a local, staging, or development version of the site where this can be tested safely? If that is allowed within the WordPress.org forum guidelines, it may help confirm the fix without needing to repeatedly test against the live checkout.

    Thank you for your help testing this. I will work on a fix and update you here as soon as possible.

    Best regards, Carl @kitgenix
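
The token rules discussed in the reply above (300-second validity, single use, refresh before expiry, supported size values), as an added example that is not part of the original thread and not the plugin's code. All function and class names are hypothetical, the 30-second margin and the fallback to `normal` are assumptions, and it relies on the fact that Cloudflare's siteverify endpoint reports an expired token and an already-redeemed token with the same error code, `timeout-or-duplicate`.

```javascript
// Added example: models the Turnstile token rules from this thread.
// Names are hypothetical; this is not the plugin's implementation.
const TOKEN_TTL_MS = 300 * 1000;      // token validity stated in the thread
const REFRESH_MARGIN_MS = 30 * 1000;  // assumed safety margin before expiry
const VALID_SIZES = ['normal', 'compact', 'flexible'];

// Unsupported values such as 'small' fall back to 'normal' (assumed choice).
function normalizeSize(size) {
  return VALID_SIZES.includes(size) ? size : 'normal';
}

class TokenTracker {
  constructor(now = Date.now) {
    this.now = now;        // injectable clock so the logic can be tested
    this.token = null;
    this.issuedAt = 0;
    this.submitted = false;
  }
  // Call from the widget's success callback with the fresh token.
  onToken(token) {
    this.token = token;
    this.issuedAt = this.now();
    this.submitted = false;
  }
  // Usable only if present, not yet sent, and not inside the refresh margin.
  isUsable() {
    if (!this.token || this.submitted) return false;
    return this.now() - this.issuedAt < TOKEN_TTL_MS - REFRESH_MARGIN_MS;
  }
  // Hands out the token for exactly one checkout request.
  // Returns null when the widget must be reset to obtain a new token.
  takeForSubmit() {
    if (!this.isUsable()) return null;
    this.submitted = true;
    return this.token;
  }
}

// Map a siteverify JSON body to what the checkout page should do next.
function nextAction(verifyResponse) {
  if (verifyResponse.success) return 'proceed';
  const codes = verifyResponse['error-codes'] || [];
  // Expired and already-redeemed tokens share this error code.
  if (codes.includes('timeout-or-duplicate')) return 'reset-widget';
  return 'block';
}
```

On a checkout page, `reset-widget` corresponds to calling `turnstile.reset()` so the next submission carries a new token instead of the one that was already sent.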

    Thread Starter conradude

    (@hellodracon)

    Thanks a lot !
    I can send you something for the staging site. Is there a way to make it private or something ?

    Plugin Support Carl C

    (@carlfromkitgenix)

    Good afternoon @hellodracon,

    To keep within WordPress.org forum guidelines, please do not share any login details, passwords, FTP details, or private information in this thread.

    Temporary access to a staging/development copy of the site is required, please send the details through our official support email at support@kitgenix.com.

    We will only use email to confirm access and review the issue privately. Any findings, updates, and the final resolution will be posted back here in this forum thread so the support record remains public and useful for others.

    I believe I have fixed the error already, before I push the release I just need to confirm on a site where I can reproduce the issue.

    Best regards, Carl @kitgenix

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    “Temporary access to a staging/development copy of the site is required, please send the details through our official support email at…”

    @carlfromkitgenix

    I am 100% sure you mean well but please never ask for credentials on these forums.

    https://wordpress.org/support/guidelines/#we-reserve-the-right-to-manage-the-forums-to-the-best-of-our-ability

    Now for the why: The internet is a wonderful place full of very nice people and a few very bad ones. I’m sure everyone here is very nice however, by giving someone the keys to your house you are trusting they won’t steal anything. Likewise the person who takes the keys is now responsible for the house FOREVER.

    If something was to go wrong, then you the author may well legally become liable for damages, which they would not normally have been as their software is provided without warranty.

    Please be aware that repeatedly asking for credentials will result in us escalating this to the plugins team.

    It’s never necessary to do that. Here’s why.

    There are many ways to get information you need and accessing the user’s site is not one of them. That’s going too far.

    • Ask for a link to the https://pastebin.com/ or https://gist.github.com log of the user’s web server error log.
    • Ask the user to create and post a link to their phpinfo(); output.
    • Ask the user to install the Health Check plugin and get the data that way.
    • Walk the user through enabling WP_DEBUG and how to log that output to a file and how to share that file.
    • Walk the user through basic troubleshooting steps such as disabling all other plugins, clear their cache and cookies and try again.
    • Ask the user for the step-by-step on how they can reproduce the problem.

    You get the idea.

    Volunteer support is not easy. But these forums need to be a safe place for all users, experienced or new. Accessing their system that way is a shortcut that will get you into real trouble in these forums.

    Plugin Support Carl C

    (@carlfromkitgenix)

    Good afternoon @sterndata,

    Thank you for clarifying this, and I apologise for the wording in my previous reply.

    You are absolutely right. I should not have asked the user to send access details.

    I had thought that if access was absolutely needed, it could be handled privately outside the forum, but I now understand that this is not appropriate under the WordPress.org forum guidelines and creates unnecessary risk for both the user and the plugin author.

    Going forward, I will not request credentials, admin access, FTP access, or private site access through these forums or by directing users to send them elsewhere.

    Thanks again for the guidance. I’ll make sure future support replies follow this approach.

    Best regards, Carl @kitgenix

    Plugin Support Carl C

    (@carlfromkitgenix)

    Hi @hellodracon,

    I have now released an updated version of the plugin (1.1.0).

    We believe this has fixed the error and if you have any problems please do get in touch.

    Best regards, Carl @kitgenix

    Thread Starter conradude

    (@hellodracon)

    Hello Carl, thank you so much for the quick fix, everything looks great
