CodeIgniter Forums
Facing a Forbidden issue - Printable Version

Thread: Facing a Forbidden issue (https://forum.codeigniter.com/showthread.php?tid=70108)



Facing a Forbidden issue - jyoti sudyal - 02-22-2018

I am trying to access a controller function using AJAX, but it's giving me a 403 Forbidden error. I have downloaded the repository from GitHub and currently I am trying to set it up locally. Any type of help will be appreciated.

Regards,
jyoti sudyal


RE: Facing a Forbidden issue - InsiteFX - 02-22-2018

Does the controller function start with an _? That makes it private.

Another thing can be if you're running https://


RE: Facing a Forbidden issue - jyoti sudyal - 02-22-2018

(02-22-2018, 05:20 AM)InsiteFX Wrote: Does the controller function start with an _? That makes it private.

Another thing can be if you're running https://

I found the issue: this is due to the CSRF token mismatch. I manually set the CSRF protection to FALSE and it starts working fine, but this is not the solution.
Could you advise something on it?


RE: Facing a Forbidden issue - dave friend - 02-22-2018

Seeing the code involved will allow people to offer the best advice.

Read the documentation on Cross-site request forgery (CSRF) carefully. That should make clear the need for a hidden CSRF <input> field in your forms when using
PHP Code:
$config['csrf_protection'] = TRUE;

It's important to understand that with this setting...
PHP Code:
$config['csrf_regenerate'] = TRUE;

the CSRF hash value will change with every POST request to the server. (Only POST, not GET.) If your AJAX is a POST then you need to update the hidden CSRF <input> with the new hash value, otherwise the next POST will produce the 403 error. One way to do the update is to have the AJAX response return the new hash and use JavaScript to update the hidden <input>.

Again, show us your code for advice related to your situation.


RE: Facing a Forbidden issue - jyoti sudyal - 02-22-2018

This is the code


view file: login.php
<form id="login" name="login" method="post" action="">
<input type="hidden" style="display:none;" value="<?php echo $this->security->get_csrf_hash();?>" name="csrf_test_name">
<div class=" row loginbox_content ">
<div class="display-error text-center"></div>
<br>
<div class="input-group input-group-sm">
<span class="input-group-addon">
<span class="glyphicon glyphicon-envelope"></span>
</span>
<input id="email" name="email" class="form-control" type="text" placeholder="Email" maxlength="60">
</div>
<br>
<div class="input-group input-group-sm">
<span class="input-group-addon">
<span class="glyphicon glyphicon-lock"></span>
</span>
<input id="password" name="password" class="form-control" type="password" placeholder="Password" maxlength="20">
</div>
<br>
<div class="input-group input-group-sm">
<label>
<input name="loginkeeping" id="loginkeeping1" value="loginkeeping" type="checkbox">
Remember Me
</label>
</div>
</div>
<div class="row ">
<div class="col-lg-8 col-md-8 col-sm-8 col-xs-7 forgotpassword ">
<a href="#" data-toggle="modal" data-target="#myModal">Forgot Password?</a>
</div>
<div class="col-lg-4 col-md-4 col-sm-4 col-xs-5 ">
<button type="submit" value="Submit" class="btn btn-default submit-btn">Submit <span class="glyphicon glyphicon-log-in"></span></button>
</div>
</div>
</form>


js file:
$.ajax({
    method: "POST",
    url: base_url + 'Admin/User/login_authenticate',
    // note: only these three fields are sent; the hidden CSRF input is not included
    data: {'email': email, 'password': password, 'remember': remember},
    dataType: 'json',
    success: function (result) {
        if (result.error == 1) {
            $(".display-error").html(result.msg);
            $(".display-error").show();
            $('.display-error').css('color', 'red');
            $('.alert-success').attr('class', 'alert alert-danger');
        }
        else {
            window.location.replace(base_url + "Admin/User/dashboard");
        }
    },
    error: function (err) {
        console.log(err);
    }
});



controller:
public function login_authenticate()
{
    $email = xss_clean($this->input->post('email'));
    $password = xss_clean($this->input->post('password'));
    $type = ($this->input->post('type') != '') ? $this->input->post('type') : '';

    if ($email == '' || $password == '') {
        $this->error();
    }
    else
    {
        $details = $this->Base_model->get_record_by_id('abc', array('email' => $email, 'present_role' => 1));
        //set session
        if ($details)
        {
            //if user is blocked
            if ($details[0]['ustatus'] == '0') {

                //json error message passed to custom.js
                $res = array('msg' => 'You have been blocked by admin. Please contact to admin.', 'error' => 1);
                print json_encode($res);
            }
            else {
                $check_email_verify = $this->Base_model->check_existent('abc', array('email' => $email, 'email_verify' => '1'));
                if ($check_email_verify) {
                    if ($this->bcrypt->check_password($password, $details[0]['password'])) {

                        $login_data = array(
                            'uid' => $details[0]['uid'],
                            'email' => $details[0]['email'],
                            'password' => $details[0]['password'],
                            'logged_in' => TRUE
                        );
                        $session_data = $this->session->set_userdata($login_data);

                        $remember = $this->input->post('remember');

                        //set cookies (note: this writes the email and the plaintext password into cookies)
                        if ($remember == '1')
                        {
                            setcookie('email_cookie', $email, time() + 3600 * 7, '/');
                            setcookie('password_cookie', $password, time() + 3600 * 7, '/');
                        }
                        if ($type != '') {
                            //json success message passed to custom.js
                            $res = array('msg' => 'redirect', 'error' => 0);
                            print json_encode($res);
                        } else {
                            //json success message passed to custom.js
                            $res = array('msg' => 'Logged in successfully.', 'error' => 0);
                            print json_encode($res);
                        }
                    }
                    else {
                        //json error message passed to custom.js
                        $res = array('msg' => 'Invalid user name and password.', 'error' => 1);
                        print json_encode($res);
                    }
                } else {
                    //json error message passed to custom.js
                    $res = array('msg' => 'Please verify your email to login.Please check your email.', 'error' => 1);
                    print json_encode($res);
                }
            }
        }
        else {
            //json error message passed to custom.js
            $res = array('msg' => 'Invalid user name and password.', 'error' => 1);
            print json_encode($res);
        }
    }
}


RE: Facing a Forbidden issue - dave friend - 02-23-2018

The problem seems to be the data in the AJAX request does not contain the csrf field.

Your code:
Code:
data: {'email':email,'password':password,'remember':remember},

To capture all the inputs from the <form> in the easiest way, use this.
Code:
data: $('#login').serializeArray(),

Question: Is this the setting in your config.php?
PHP Code:
$config['csrf_token_name'] = 'csrf_test_name';

If not, your hidden field is not correct either.
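The two points dave friend makes (the AJAX data must carry the CSRF field, and with csrf_regenerate = TRUE the next POST needs the regenerated hash) can be reproduced without a browser. This is an added example, not code from the thread or from CodeIgniter: the server object is a constructed stand-in for CI's CSRF check, the token generator is a toy, and the credentials are made up; only the token name comes from the poster's config.php.

```javascript
// Added example: models the CSRF round-trip behind the 403 in this thread.
// Server side is a constructed stand-in for CodeIgniter's check, not CI code.

const CSRF_TOKEN_NAME = "csrf_test_name"; // from the poster's config.php

// Toy token generator for the model; CI derives its hash differently.
function newHash() {
  return Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2);
}

// Stand-in for csrf_verify() with csrf_regenerate = TRUE: the posted field must
// equal the server-side hash, and every accepted POST issues a fresh one.
function makeServer() {
  let hash = newHash();
  return {
    currentHash: () => hash, // what get_csrf_hash() renders into the hidden <input>
    post(fields) {           // fields: [{name, value}] as serializeArray() produces
      const sent = fields.find((f) => f.name === CSRF_TOKEN_NAME);
      if (!sent || sent.value !== hash) return { status: 403, body: null };
      hash = newHash(); // regenerated after this POST
      // Returning the new hash lets the client update its hidden <input>.
      return { status: 200, body: { error: 0, msg: "Logged in successfully.", csrf_hash: hash } };
    },
  };
}

// Client side: the poster's `data:` sends only email/password/remember, so
// includeToken = false reproduces it; true matches $('#login').serializeArray().
function buildPostData(fields, token, includeToken) {
  return includeToken ? [...fields, { name: CSRF_TOKEN_NAME, value: token }] : fields;
}

// Take the regenerated hash from the JSON response; keep the old one if absent.
function tokenFromResponse(body, previous) {
  return body && typeof body.csrf_hash === "string" ? body.csrf_hash : previous;
}

// Two consecutive AJAX-style POSTs; returns their HTTP statuses.
function simulate({ includeToken, refreshToken }) {
  const server = makeServer();
  let token = server.currentHash(); // value rendered on page load
  const creds = [{ name: "email", value: "user@example.test" }, { name: "password", value: "constructed" }];
  const first = server.post(buildPostData(creds, token, includeToken));
  if (refreshToken) token = tokenFromResponse(first.body, token);
  const second = server.post(buildPostData(creds, token, includeToken));
  return [first.status, second.status];
}

console.log(simulate({ includeToken: false, refreshToken: false })); // [403, 403]
console.log(simulate({ includeToken: true, refreshToken: false }));  // [200, 403]
console.log(simulate({ includeToken: true, refreshToken: true }));   // [200, 200]
```

The middle case is the one the regenerate setting causes: the first POST succeeds and the second 403s unless the hidden input is refreshed from the response.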


RE: Facing a Forbidden issue - jyoti sudyal - 02-25-2018

This is the setting in my config.php file

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();


This code is working fine on someone else's server but giving a problem at my end when I am trying to set it up locally.