CodeIgniter Forums
CSRF override - Printable Version




CSRF override - DeiForm - 08-30-2017

Hello,
CSRF is useless. If you set up a curl request where you set a cookie and a POST param with the same values, you can load the page without problems even if you should get: "The action you requested is not allowed."
curl:
Code:
// Placeholder: $url is not given in the post; it is the CodeIgniter page under test.
$url = 'https://example.test/form';

// POST field and cookie carry the same client-chosen value.
$poststring = 'csrf_test_name=123';

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $poststring);
curl_setopt($ch, CURLINFO_HEADER_OUT, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Cookie: csrf_cookie_name=123"));
$output = curl_exec($ch);
curl_close($ch);



I also made an issue on GitHub: https://github.com/bcit-ci/CodeIgniter/issues/5244
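
Added example, not part of the original post and not CodeIgniter's own code: a generic double-submit cookie check of the kind the request above exercises, next to a variant whose token is an HMAC bound to the server-side session. The function names, secret and session id are constructed for illustration; only the field and cookie names come from the post.

```php
<?php
const TOKEN_FIELD  = 'csrf_test_name';   // POST field name used in the post
const TOKEN_COOKIE = 'csrf_cookie_name'; // cookie name used in the post

// Plain double-submit: accept when the POST field equals the cookie.
function plain_check(array $post, array $cookie): bool
{
    $p = $post[TOKEN_FIELD] ?? null;
    $c = $cookie[TOKEN_COOKIE] ?? null;
    return is_string($p) && is_string($c) && $p !== '' && hash_equals($c, $p);
}

// Signed variant: token is "<nonce>.<HMAC-SHA256(secret, session_id|nonce)>".
function issue_token(string $secret, string $sessionId): string
{
    $nonce = bin2hex(random_bytes(16));
    return $nonce . '.' . hash_hmac('sha256', $sessionId . '|' . $nonce, $secret);
}

function signed_check(array $post, array $cookie, string $secret, string $sessionId): bool
{
    if (!plain_check($post, $cookie)) {
        return false;
    }
    $parts = explode('.', $post[TOKEN_FIELD], 2);
    if (count($parts) !== 2) {
        return false; // not in the format this server issues
    }
    [$nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', $sessionId . '|' . $nonce, $secret);
    return hash_equals($expected, $mac);
}

// Constructed sample values.
$secret    = 'constructed-demo-secret';
$sessionId = 'constructed-session-id';

// The request from the post: the client picks "123" for both values.
$post   = [TOKEN_FIELD => '123'];
$cookie = [TOKEN_COOKIE => '123'];
echo 'client-chosen 123, plain:  ', var_export(plain_check($post, $cookie), true), PHP_EOL;
echo 'client-chosen 123, signed: ', var_export(signed_check($post, $cookie, $secret, $sessionId), true), PHP_EOL;

// A token the server issued for this session, echoed back in both places.
$token  = issue_token($secret, $sessionId);
$post   = [TOKEN_FIELD => $token];
$cookie = [TOKEN_COOKIE => $token];
echo 'server-issued, signed:     ', var_export(signed_check($post, $cookie, $secret, $sessionId), true), PHP_EOL;
```

The plain check only compares two values that arrive in the same request, so what it relies on is that another site cannot set or read the cookie in the victim's browser. The signed check additionally requires that the server issued the value for the current session.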