Attention Team CI4.3.+ has CSRF issue - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com)
Forum: General (https://forum.codeigniter.com/forumdisplay.php?fid=1)
Forum: Regional User Groups (https://forum.codeigniter.com/forumdisplay.php?fid=25)
Thread: Attention Team CI4.3.+ has CSRF issue (/showthread.php?tid=87278)
Attention Team CI4.3.+ has CSRF issue - luckmoshy - 04-03-2023

Hi there, good guys. I would like to inform you that CI 4.3.+ has an issue with CSRF. For example, if you send the form post and, after submitting, try to reverse the URL and send it again, it throws a new exception instead of the real message. I have been curiously testing for several days now, and I realize there is one; make a test with this app here: https://github.com/kenjis/ci4-news

RE: Attention Team CI4.3.+ has CSRF issue - kenjis - 04-03-2023

What do you mean? If you say like this, I cannot reproduce the CSRF error.

1. navigate to http://localhost:8080/news/create
2. fill the form
3. post the form
4. press the browser's back button
5. fill the form for another news
6. post the form

I tried Firefox and Chrome. No problem.

RE: Attention Team CI4.3.+ has CSRF issue - luckmoshy - 04-03-2023

(04-03-2023, 06:42 PM) kenjis Wrote:
> What do you mean?

Of course @kenjis, something like this (PHP PRG (Post-Redirect-Get (post))): if it happens, that is where the issue occurs. As I said, I don't think it is wise; perhaps a network issue may happen and the post is still hanging around, then you refresh that post and CSRF fires instead of a good message:

PHP Code:
<?= session()->getFlashdata('error') ?>

A good example, as I said: try to click back after you have posted without refreshing, and you will see this issue. I think it is the same with (PRG), while I know that CI CSRF is very keen on observing every post request per one action.

RE: Attention Team CI4.3.+ has CSRF issue - kenjis - 04-04-2023

In production, it is better to set `$redirect = true`: https://codeigniter4.github.io/CodeIgniter4/libraries/security.html#redirection-on-failure

We changed the default value, because it is difficult to get what happened when just redirecting, especially for beginners.
RE: Attention Team CI4.3.+ has CSRF issue - luckmoshy - 04-04-2023

(04-04-2023, 01:34 AM) kenjis Wrote:
> In production, it is better to set `$redirect = true`:

Ooh, I forgot to read this area!!!! Thank you @kenjis. In my minor opinion it could be better if you make this the default:

PHP Code:
public bool $redirect = true;

RE: Attention Team CI4.3.+ has CSRF issue - kenjis - 04-04-2023

See
https://github.com/codeigniter4/CodeIgniter4/pull/6406
https://github.com/codeigniter4/CodeIgniter4/issues/6719
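A worked example of the set-up the thread converges on (kenjis's `$redirect = true` advice plus the PRG flow luckmoshy describes), added here and not taken from the thread or from the ci4-news app. The `News` controller, the `news/create` view and the form fields are assumptions; the Security config is trimmed to the properties relevant here, so keep the other properties from the shipped `app/Config/Security.php`.

```php
<?php
// --- app/Config/Security.php (trimmed, assumed) ---
// With $redirect = true the CSRF filter answers a failed token check with
// redirect()->back()->with('error', $e->getMessage()) instead of throwing
// SecurityException, so a back-button re-post of a consumed token ends in a
// flash message on the form rather than an exception page.
namespace Config;

use CodeIgniter\Config\BaseConfig;

class Security extends BaseConfig
{
    public string $csrfProtection = 'session'; // token stored in the session
    public bool $regenerate       = true;      // new token after every request
    public bool $redirect         = true;      // redirect back with flash 'error'
}

// --- app/Controllers/News.php (assumed) ---
// Post-Redirect-Get: a successful POST ends in a redirect, so a reload of the
// next page re-issues a GET and never re-sends the already consumed token.
namespace App\Controllers;

use CodeIgniter\HTTP\RedirectResponse;

class News extends BaseController
{
    public function create(): string|RedirectResponse
    {
        if ($this->request->is('post')) {
            $data = $this->request->getPost(['title', 'body']);
            // validation and the model save of $data go here (omitted)
            return redirect()->to('/news')->with('message', 'News saved.');
        }

        return view('news/create');
    }
}
?>
<!-- --- app/Views/news/create.php (assumed) ---
     Shows the flash 'error' set by the CSRF filter redirect; csrf_field()
     embeds the current (regenerated) token so the next submit is valid. -->
<?php if (session()->getFlashdata('error')) : ?>
    <p class="error"><?= esc(session()->getFlashdata('error')) ?></p>
<?php endif ?>
<form method="post" action="<?= site_url('news/create') ?>">
    <?= csrf_field() ?>
    <input type="text" name="title" required>
    <textarea name="body" required></textarea>
    <button type="submit">Save</button>
</form>
```

The three sections belong in the three files named in the comments; with `$redirect = false` (the 4.3 default outside production) the same stale-token re-post surfaces as a `SecurityException` page instead of the flash message.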