• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
CSRF Protection not being set

#1
Hey everyone!

Long time since I've had an issue, hope you guys can help.

I've been running codeigniter on my production servers for quite some time without any issue. Spontaneously this afternoon I started receiving errors with people not being able to post to any of my forms.

After looking into it I noticed that my csrf_cookie was not being set. Has anyone ever encountered this issue? My config['csrf_protection'] is set to true and nothing else has changed.

What's confusing me even more is that my development box which is running the exact same code as production is setting my csrf token just fine. Weird one!
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
Reply

#2
Self hosted or w/ a hosting company? My host will make server changes and do updates that break my site every so often. I usually call them up and they fix it. Especially if you haven't made any changes and it just stopped working, I'd blame the host.
Reply

#3
AWS EC2 using opsworks. I'm using the exact same chef recipes as i have been for months. My app is still setting all the other cookies correctly, but it fails to set my csrf one.
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
Reply

#4
Man, after hours of debugging I figured it out.

For anyone who runs into this issue in the future, here's what I went through.

I use Cloudflare as a DNS provider which routes my url to an elastic load balancer in amazon. The connection the user has to my cloudflare dns has HTTPS encryption, but somehow the connection from cloudflare to my elb to my servers lost their HTTPS. So while the user was still transmitting all data via HTTPS, the codeigniter app still saw the request as non https.

On line 267 of system/core/Security.php You'll see 


PHP Code:
if ($secure_cookie && ! is_https())
{
 
  return FALSE;


Thus it was returning false and not setting my csrf cookie.

Problem solved though!

Thank you skunkbad for the input though, I wasn't even thinking of something 'outside' of the app since it's all hosted on amazon. +1 rep for you
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
Reply

#5
I've been doing this long enough to have some decent instincts on the sources of problems. Yours was a weird one for sure. Glad you figured it out!
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


Users browsing this thread:
1 Guest(s)


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2017 MyBB Group.