Codeigniter 3 | JqGrid | CSRF

#1
Bug 
I have migrated my site from CI2 to CI3.

I'm using the infinite scroll option of JqGrid, and I push the csrf token into postData.

My code was working in CI2. After migrating to CI3 there is still a csrf token in postData (I can see it with the Chrome debugger), but the "The action you have requested is not allowed" message appears.

When I disable csrf_token, everything lists fine.

Is this a bug, or am I doing something wrong?

Thanks.
I'm a person from Turkiye. I don't know English very well and I can't write what I want to say sometimes (as is happening now).

If I write something by mistake, please don't be distressed by it and try to understand what I want to write.

#2
Do you have csrf_regenerate enabled in your config? If so, the error may be caused by a mismatch between a new token and a stale token. If that is the case, you can either disable csrf_regenerate (if security isn't your top concern) or exclude the uri in csrf_exclude_uris (which sounds like your best bet here considering the use case). Otherwise, I'm not really sure how you could get around it if you keep csrf_regenerate on since your user wouldn't be reloading the page to re-set their csrf cookie.

#3
(02-25-2015, 01:50 PM)Nichiren Wrote: Do you have csrf_regenerate enabled in your config? If so, the error may be caused by a mismatch between a new token and a stale token. If that is the case, you can either disable csrf_regenerate (if security isn't your top concern) or exclude the uri in csrf_exclude_uris (which sounds like your best bet here considering the use case). Otherwise, I'm not really sure how you could get around it if you keep csrf_regenerate on since your user wouldn't be reloading the page to re-set their csrf cookie.

Thank you so much. I have disabled it as you described and everything works as I want.

So I have a question now: my csrf_expire setting is 7200. How many seconds can a user use the jqgrid table without refreshing the page?

#4
If a user stays on the page for 7200 seconds without a reload, then the CSRF credential on the server would expire for that user since they would now have a stale token.

#5
(02-25-2015, 04:08 PM)Nichiren Wrote: If a user stays on the page for 7200 seconds without a reload, then the CSRF credential on the server would expire for that user since they would now have a stale token.

I have some questions based on your answer:

- Is this a page timeout or a session timeout?
- What happens if the visitor opens another browser tab and opens another page of the site? Does JqGrid start giving the error message again, or what?

#6
(02-26-2015, 03:13 AM)mertdogan Wrote:
(02-25-2015, 04:08 PM)Nichiren Wrote: If a user stays on the page for 7200 seconds without a reload, then the CSRF credential on the server would expire for that user since they would now have a stale token.

I have some questions based on your answer:

- Is this a page timeout or a session timeout?
- What happens if the visitor opens another browser tab and opens another page of the site? Does JqGrid start giving the error message again, or what?

- Neither. The timeout is set specifically for your CSRF token and is independent of the user session.

- If you have token regeneration set to FALSE, then any new tab will use the same token and will be valid as long as the token has not expired.

#7
(02-26-2015, 12:25 PM)Nichiren Wrote:
(02-26-2015, 03:13 AM)mertdogan Wrote:
(02-25-2015, 04:08 PM)Nichiren Wrote: If a user stays on the page for 7200 seconds without a reload, then the CSRF credential on the server would expire for that user since they would now have a stale token.

I have some questions based on your answer:

- Is this a page timeout or a session timeout?
- What happens if the visitor opens another browser tab and opens another page of the site? Does JqGrid start giving the error message again, or what?

- Neither. The timeout is set specifically for your CSRF token and is independent of the user session.

- If you have token regeneration set to FALSE, then any new tab will use the same token and will be valid as long as the token has not expired.

Thank you for this information.

#8
If you want, you can regenerate the CSRF token this way in your Controller.

Code:
// Current CSRF token name and hash (a new hash is issued per request when csrf_regenerate is TRUE);
// return these to the client so its next request carries the fresh hash.
$csrf = array(
    'name' => $this->security->get_csrf_token_name(),
    'hash' => $this->security->get_csrf_hash()
);

#9
(02-26-2015, 01:56 PM)james Wrote: If you want, you can regenerate the CSRF in this way in your Controller.


Code:
$csrf = array(
           'name' => $this->security->get_csrf_token_name(),
           'hash' => $this->security->get_csrf_hash()
       );

I don't want that for now; thanks.