CodeIgniter Forums
Attention Team CI4.3.+ has CSRF issue

Attention Team CI4.3.+ has CSRF issue - luckmoshy - 04-03-2023

Hi there, good guys. I would like to inform you that CI 4.3.+ has an issue with CSRF. For example, if you send the form post and, after submitting, try to reverse the URL and send it again, it throws a new exception instead of the real message.


[Image: Screenshot.png]

I have been curiously testing for several days now. I realized this by making a test with this app here:


https://github.com/kenjis/ci4-news


RE: Attention Team CI4.3.+ has CSRF issue - kenjis - 04-03-2023

What do you mean?

If you mean like this, I cannot reproduce the CSRF error:
1. navigate to http://localhost:8080/news/create
2. fill the form
3. post the form
4. press the browser's back button
5. fill the form for another news
6. post the form

I tried Firefox and Chrome. No problem.


RE: Attention Team CI4.3.+ has CSRF issue - luckmoshy - 04-03-2023

(04-03-2023, 06:42 PM)kenjis Wrote: What do you mean?

If you mean like this, I cannot reproduce the CSRF error:
1. navigate to http://localhost:8080/news/create
2. fill the form
3. post the form
4. press the browser's back button
5. fill the form for another news
6. post the form

I tried Firefox and Chrome. No problem.

Of course, @kenjis, something like this (PHP PRG (Post-Redirect-Get (post))), if it happens, is where the issue occurs. As I said, I don't think it is wise: perhaps a network issue may happen and the post is still hanging around, then you refresh that post and get a CSRF exception instead of firing a good message
PHP Code:
<?= session()->getFlashdata('error') ?>
to a user. For example, in CI production a user will get something like an internal server error or (Whoops). I think it is wiser if the user gets a fresh alert-danger message than a CI exception.

A good example, as I said: try to click back after you have posted, without refreshing, and you will see this issue. I think it is the same with PRG, while I know that CI CSRF is very keen on observing every POST request per one action.


RE: Attention Team CI4.3.+ has CSRF issue - kenjis - 04-04-2023

In production, it is better to set `$redirect = true`:
https://codeigniter4.github.io/CodeIgniter4/libraries/security.html#redirection-on-failure

We changed the default value, because it is difficult to get what happened when just redirecting, especially for beginners.

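As an added example (not code from the thread and not the CodeIgniter project's shipped file), this is where the setting kenjis refers to lives: with `$redirect` enabled, the CSRF filter redirects back to the form and stores the failure message as `'error'` flashdata, which the view can show with the `getFlashdata()` call quoted earlier instead of an exception page. The property values other than `$redirect`, and the view path `app/Views/news/create.php`, are assumptions.

```php
<?php
// ---- app/Config/Security.php (added example; values other than $redirect are assumptions) ----
namespace Config;

use CodeIgniter\Config\BaseConfig;

class Security extends BaseConfig
{
    public string $csrfProtection = 'session'; // assumption: session-based tokens
    public bool   $tokenRandomize = true;
    public string $tokenName      = 'csrf_test_name';
    public string $headerName     = 'X-CSRF-TOKEN';
    public string $cookieName     = 'csrf_cookie_name';
    public int    $expires        = 7200;
    public bool   $regenerate     = true;

    // false (the CI 4.3 default): a failed CSRF check throws SecurityException, so a
    //        developer sees exactly what went wrong.
    // true : the CSRF filter redirects back to the previous page and puts the failure
    //        message in the 'error' flashdata, so end users get a normal alert instead
    //        of an exception page. Enabled here only when ENVIRONMENT is 'production'.
    public bool $redirect = (ENVIRONMENT === 'production');

    public string $samesite = 'Lax';
}

// ---- app/Views/news/create.php (assumed view path): display the flashdata above the form ----
?>
<?php if (session()->getFlashdata('error') !== null): ?>
    <div class="alert alert-danger"><?= esc(session()->getFlashdata('error')) ?></div>
<?php endif ?>

<form action="<?= site_url('news/create') ?>" method="post">
    <?= csrf_field() ?>
    <input type="text" name="title">
    <button type="submit">Create</button>
</form>
```

The message is passed through `esc()` because flashdata is rendered into HTML; a stale or resubmitted token then produces a red banner on the form rather than the "Whoops" page luckmoshy described.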

RE: Attention Team CI4.3.+ has CSRF issue - luckmoshy - 04-04-2023

(04-04-2023, 01:34 AM)kenjis Wrote: In production, it is better to set `$redirect = true`:
https://codeigniter4.github.io/CodeIgniter4/libraries/security.html#redirection-on-failure

We changed the default value because it is difficult to get what happened when just redirecting, especially for beginners.

Ooh, I forgot to read this area!!!! Thanks @kenjis. In my minor opinion, it could be better if you make this the default
PHP Code:
public bool $redirect = true;
always, so as to leave CI fresh rather than let someone get in to change it; otherwise give out another option if someone needs a redirection other than the default one.


RE: Attention Team CI4.3.+ has CSRF issue - kenjis - 04-04-2023

See https://github.com/codeigniter4/CodeIgniter4/pull/6406
https://github.com/codeigniter4/CodeIgniter4/issues/6719