CodeIgniter Forums

Full Version: CSRF Token and Cookie not matching
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
I am unable to login and submit any form because the Cookie and CSRF Token are not matching. I recently went away for 2 weeks and did not make any changes to my code. Before I left everything was working fine. I also noticed that the cookie/token is not changing and I have it set to regenerate. Does any one know how I can fix this?

Please let me know if I need to provide more info.

Thanks
Does turning off regeneration make any difference? Using regeneration in combination with a javascript post can be a bit tricky.

The regeneration process only occurs after a new post request is submitted.
No I currently have it off and I used a clean install of Codeigniter 3 using https://github.com/emreakay/CodeIgniter-Aauth for user management. I was also using ION-AUTH and they both don't work all of a sudden. The cookie and CSRF Token are always different.

There is definitely a problem with Codeigniter 3 CSRF.
You should turn on the log function in CI. It should show you when a CSRF cookie is being send to the client. I suspect it gets executed twice during the run of your code (and being regenerated in between).

Both functions (the cookie part and the form_open part) pull out the exact same variable from the security class. So the only way a cookie can differ from each other is if the cookie gets overridden in a later stage.
(08-30-2015, 02:25 PM)Diederik Wrote: [ -> ]You should turn on the log function in CI. It should show you when a CSRF cookie is being send to the client. I suspect it gets executed twice during the run of your code (and being regenerated in between).

Both functions (the cookie part and the form_open part) pull out the exact same variable from the security class. So the only way a cookie can differ from each other is if the cookie gets overridden in a later stage.

I do not see the cookie getting generated twice in the logs. I also have an older copy that I accessed and everything works fine. The only difference between the 2 is the one that works generates the session cookie ($config['sess_cookie_name'] = 'ci_session') and the one that doesn't work is not generating the session cookie.
First of, things dont just break by them selves, there is always a reason for it Wink When you get to the solution it will be clear.

A couple more trouble should ideas:

What have you configured as the cookie domain? If you set a wrong domain you will not be able to get the same cookie back.

Do you have php errors/notices turned on? If you try to set a cookie after output already has been send it will fail.
(08-31-2015, 12:38 PM)Diederik Wrote: [ -> ]First of, things dont just break by them selves, there is always a reason for it Wink When you get to the solution it will be clear.

A couple more trouble should ideas:

What have you configured as the cookie domain? If you set a wrong domain you will not be able to get the same cookie back.

Do you have php errors/notices turned on? If you try to set a cookie after output already has been send it will fail.

I have the cookie domain as blank, but it still sets it to the correct domain. I have errors/notices turned on. I thought all I had to do is enable CSRF and that's it. I don't generate any cookies myself Codeigniter does that for me (or so I thought). i have not written any code to generate any cookies. Also, I understand things don't just break, but I did not make any changes on my end and it just stopped working.
(08-29-2015, 04:10 PM)iamthestreets Wrote: [ -> ]I am unable to login and submit any form because the Cookie and CSRF Token are not matching. I recently went away for 2 weeks and did not make any changes to my code. Before I left everything was working fine. I also noticed that the cookie/token is not changing and I have it set to regenerate. Does any one know how I can fix this?

Please let me know if I need to provide more info.

Thanks

If you want to solve this CODEIGNITER BUG, you can set like below:

$config['sess_cookie_name'] = 'ci_projectname_session';
$config['cookie_prefix'] = 'ci_projectname_';

As example, cookie prefix and cookie name must begin same.
(08-31-2015, 10:36 AM)iamthestreets Wrote: [ -> ]I do not see the cookie getting generated twice in the logs. I also have an older copy that I accessed and everything works fine. The only difference between the 2 is the one that works generates the session cookie ($config['sess_cookie_name'] = 'ci_session') and the one that doesn't work is not generating the session cookie.

session cookies have nothing to do with the CSRF cookies. The session and CSRF cookies do not and probably should not ever match.

Are you sure it is a CSRF problem?
Can you log in successfully if CSRF is turned off? i.e.
PHP Code:
$config['csrf_protection'] = FALSE

iamthestreets Wrote:I also noticed that the cookie/token is not changing and I have it set to regenerate.

Remember,  the CSRF hash is only regenerated when a POST request is made to the server. Otherwise the value will remain the same no matter how many pages you GET.