Facing a Forbidden issue

#1
I am trying to access a controller function using AJAX but it's giving me an error of 403 Forbidden. I have downloaded the repository from GitHub and currently I am trying to set it up locally. Any type of help will be appreciated.

Regards
Jyoti Sudyal

#2
Does the controller function start with an _? Because that makes it private.

Another thing can be if you're running https://
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )

#3
(02-22-2018, 05:20 AM)InsiteFX Wrote: Does the controller function start with an _? Because that makes it private.

Another thing can be if you're running https://

I found the issue. This is due to the CSRF token mismatch: I manually set the CSRF protection to FALSE and it starts working fine, but this is not the solution.
Could you advise something on it?

#4
Seeing the code involved will allow people to offer the best advice.

Read the documentation on Cross-site request forgery (CSRF) carefully. That should make clear the need for a hidden CSRF <input> field in your forms when using
PHP Code:
$config['csrf_protection'] = TRUE

It's important to understand that with this setting...
PHP Code:
$config['csrf_regenerate'] = TRUE

The CSRF hash value will change with every POST request to the server (only POST, not GET). If your AJAX call is a POST then you need to update the hidden CSRF <input> with the new hash value, otherwise the next POST will produce the 403 error. One way to do the update is to have the AJAX response return the new hash and use JavaScript to update the hidden <input>.

Again, show us your code for advice related to your situation.

#5
This is the code


view file: login.php
<form id="login" name="login" method="post" action="">
    <!-- hidden CSRF field; the name must match $config['csrf_token_name'] -->
    <input type="hidden" style="display:none;" value="<?php echo $this->security->get_csrf_hash();?>" name="csrf_test_name">
    <div class="row loginbox_content">
        <div class="display-error text-center"></div>
        <br>
        <div class="input-group input-group-sm">
            <span class="input-group-addon">
                <span class="glyphicon glyphicon-envelope"></span>
            </span>
            <input id="email" name="email" class="form-control" type="text" placeholder="Email" maxlength="60">
        </div>
        <br>
        <div class="input-group input-group-sm">
            <span class="input-group-addon">
                <span class="glyphicon glyphicon-lock"></span>
            </span>
            <input id="password" name="password" class="form-control" type="password" placeholder="Password" maxlength="20">
        </div>
        <br>
        <div class="input-group input-group-sm">
            <label>
                <input name="loginkeeping" id="loginkeeping1" value="loginkeeping" type="checkbox">
                Remember Me
            </label>
        </div>
    </div>
    <div class="row">
        <div class="col-lg-8 col-md-8 col-sm-8 col-xs-7 forgotpassword">
            <a href="#" data-toggle="modal" data-target="#myModal">Forgot Password?</a>
        </div>
        <div class="col-lg-4 col-md-4 col-sm-4 col-xs-5">
            <button type="submit" value="Submit" class="btn btn-default submit-btn">Submit <span class="glyphicon glyphicon-log-in"></span></button>
        </div>
    </div>
</form>


js file:
$.ajax({
    method: "POST",
    url: base_url + 'Admin/User/login_authenticate',
    // only these three fields are sent; the hidden csrf_test_name input is not included
    data: {'email': email, 'password': password, 'remember': remember},
    dataType: 'json',
    success: function(result) {
        if (result.error == 1) {
            $(".display-error").html(result.msg);
            $(".display-error").show();
            $('.display-error').css('color', 'red');
            $('.alert-success').attr('class', 'alert alert-danger');
        }
        else {
            window.location.replace(base_url + "Admin/User/dashboard");
        }
    },
    error: function(err) {
        console.log(err);
    }
});



controller:
public function login_authenticate()
{
    $email    = xss_clean($this->input->post('email'));
    $password = xss_clean($this->input->post('password'));
    $type     = ($this->input->post('type') != '') ? $this->input->post('type') : '';

    if ($email == '' || $password == '') {
        $this->error();
    }
    else
    {
        $details = $this->Base_model->get_record_by_id('abc', array('email' => $email, 'present_role' => 1));
        // set session
        if ($details)
        {
            // if user is blocked
            if ($details[0]['ustatus'] == '0') {
                // json error message passed to custom.js
                $res = array('msg' => 'You have been blocked by admin. Please contact to admin.', 'error' => 1);
                print json_encode($res);
            }
            else {
                $check_email_verify = $this->Base_model->check_existent('abc', array('email' => $email, 'email_verify' => '1'));
                if ($check_email_verify) {
                    if ($this->bcrypt->check_password($password, $details[0]['password'])) {

                        $login_data = array(
                            'uid'       => $details[0]['uid'],
                            'email'     => $details[0]['email'],
                            'password'  => $details[0]['password'],
                            'logged_in' => TRUE
                        );
                        $session_data = $this->session->set_userdata($login_data);

                        $remember = $this->input->post('remember');

                        // set cookies (note: this stores the submitted password in plain text in a cookie)
                        if ($remember == '1')
                        {
                            setcookie('email_cookie', $email, time() + 3600 * 7, '/');
                            setcookie('password_cookie', $password, time() + 3600 * 7, '/');
                        }
                        if ($type != '') {
                            // json success message passed to custom.js
                            $res = array('msg' => 'redirect', 'error' => 0);
                            print json_encode($res);
                        } else {
                            // json success message passed to custom.js
                            $res = array('msg' => 'Logged in successfully.', 'error' => 0);
                            print json_encode($res);
                        }
                    }
                    else {
                        // json error message passed to custom.js
                        $res = array('msg' => 'Invalid user name and password.', 'error' => 1);
                        print json_encode($res);
                    }
                } else {
                    // json error message passed to custom.js
                    $res = array('msg' => 'Please verify your email to login. Please check your email.', 'error' => 1);
                    print json_encode($res);
                }
            }
        }
        else {
            // json error message passed to custom.js
            $res = array('msg' => 'Invalid user name and password.', 'error' => 1);
            print json_encode($res);
        }
    }
}

#6
The problem seems to be the data in the AJAX request does not contain the csrf field.

Your code:
Code:
data: {'email':email,'password':password,'remember':remember},

To capture all the inputs from the <form> in the easiest way, use this (note the trailing comma, since it sits inside the $.ajax options object).
PHP Code:
data: $('#login').serializeArray(),

Question: Is this the setting in your config.php?
PHP Code:
$config['csrf_token_name'] = 'csrf_test_name'

If not, your hidden field is not correct either.

#7
This is the setting in my config.php file

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();


This code is working fine on someone else's server but gives a problem at my end when I am trying to set it up locally.