Attention Team CI4.3.+ has CSRF issue
#1
(This post was last modified: 04-03-2023, 08:56 AM by luckmoshy.)

Hi there, good guys. I would like to inform you that CI 4.3.+ has an issue with CSRF. For example, if you send the form post and, after submitting, try to reverse the URL and send it again, it throws a new exception instead of the real message.


[Image: Screenshot.png]

I have been curiously testing for several days now, and I realize there is one. Make a test with this app here:


https://github.com/kenjis/ci4-news
Codeigniter First, Codeigniter Then You!!
yekrinaDigitals

Reply
#2

(This post was last modified: 04-03-2023, 06:44 PM by kenjis.)

What do you mean?

If you mean like this, I cannot reproduce the CSRF error.
1. navigate to http://localhost:8080/news/create
2. fill the form
3. post the form
4. press the browser's back button
5. fill the form for another news
6. post the form

I tried Firefox and Chrome. No problem.
Reply
#3

(This post was last modified: 04-03-2023, 10:05 PM by luckmoshy.)

(04-03-2023, 06:42 PM)kenjis Wrote: What do you mean?

If you mean like this, I cannot reproduce the CSRF error.
1. navigate to http://localhost:8080/news/create
2. fill the form
3. post the form
4. press the browser's back button
5. fill the form for another news
6. post the form

I tried Firefox and Chrome. No problem.

Of course, @kenjis, something like this (PHP PRG (Post-Redirect-Get (post))): if it happens, that is where the issue occurs. As I said, I don't think it is wise; perhaps a network issue happens and the post is still hanging around, then you refresh that post and get CSRF instead of firing a good message
PHP Code:
<?= session()->getFlashdata('error') ?>
to a user. For example, in CI production, a user will have something like "internal server error" or (Whoops). I think here it is wise if the user gets a fresh alert-danger message rather than a (CI exception).

A good example, as I said: try to click back after you have posted, without refreshing, and you will see this issue. I think it is the same with (PRG), while I know that CI CSRF is very keen on observing every post request per one action.

Reply
#4

(This post was last modified: 04-04-2023, 01:39 AM by kenjis.)

In production, it is better to set `$redirect = true`:
https://codeigniter4.github.io/CodeIgnit...on-failure

We changed the default value, because it is difficult to get what happened when just redirecting, especially for beginners.
Reply
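To make the two halves of kenjis's reply concrete, here is an added example (not code from this thread or from the ci4-news app) that collapses two CodeIgniter 4 files into one block for reading: the `$redirect` switch in `app/Config/Security.php`, and a view that prints the flash message a redirected CSRF failure carries. The property names and the `csrf_field()` / `session()` / `esc()` helpers are CodeIgniter's own; the `/news/create` action, the `title` field and the view path are assumptions taken from the steps kenjis listed. With `$regenerate = true` (the default) every request issues a new token, so a form that was rendered before an earlier submission, for example one reached with the browser's back button, posts a token that no longer matches and fails the check; `$redirect` only decides whether that failure surfaces as an exception page or as a flash message on the previous page.

```php
<?php
// Added example, not part of the thread or the ci4-news project.
// Two files are shown back to back; the comment before each names it.

// --- file: app/Config/Security.php (excerpt) ---
namespace Config;

use CodeIgniter\Config\BaseConfig;

class Security extends BaseConfig
{
    // 'cookie' or 'session' based CSRF protection.
    public string $csrfProtection = 'cookie';

    // Name of the hidden field csrf_field() emits and of the CSRF cookie.
    public string $tokenName  = 'csrf_test_name';
    public string $cookieName = 'csrf_cookie_name';

    // Issue a fresh token on every request. A stale form (one rendered before
    // a later request consumed the old token) then fails the check on POST.
    public bool $regenerate = true;

    // false: a failed check throws CodeIgniter's SecurityException, which is
    //        the exception page the screenshot in #1 shows.
    // true:  in production the request is redirected back to the previous page
    //        with the failure message stored in flashdata under the key 'error'.
    public bool $redirect = true;
}

// --- file: app/Views/news/create.php (excerpt; path is an assumption) ---
?>
<?php if (session()->getFlashdata('error')) : ?>
    <!-- Shown after a redirected CSRF failure instead of the exception page -->
    <div class="alert alert-danger"><?= esc(session()->getFlashdata('error')) ?></div>
<?php endif ?>

<form action="/news/create" method="post">
    <?= csrf_field() ?>   <!-- hidden input carrying the current CSRF token -->
    <input type="text" name="title">
    <button type="submit">Create</button>
</form>
```

Because the redirect carries the message in flashdata, the session must be usable on the page the user is sent back to; the flash key `error` is the one the `getFlashdata('error')` snippet in post #3 already reads, so that view line needs no change once `$redirect` is `true`.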
#5

(This post was last modified: 04-04-2023, 10:55 PM by luckmoshy.)

(04-04-2023, 01:34 AM)kenjis Wrote: In production, it is better to set `$redirect = true`:
https://codeigniter4.github.io/CodeIgnit...on-failure

We changed the default value, because it is difficult to get what happened when just redirecting, especially for beginners.

Ooh, I forgot to read this area!!!! Thanks, @kenjis. In my minor opinion it could be better if you make this the default
PHP Code:
public bool $redirect = true;
always, so as to leave CI fresh rather than leaving someone to get in and change it; otherwise give another option if someone needs a redirection other than the default one.

Reply