[Solved] Any thing better than CSRF
#1

(This post was last modified: 12-22-2016, 09:19 PM by wolfgang1983.)

Hello,

I would like to know what would be better than CodeIgniter CSRF.

Because I tried setting it up the way the documentation shows but still get the error "The action you have requested is not allowed". I don't like CodeIgniter CSRF.

If I use something like https://www.google.com/recaptcha/intro/

Is that OK, or what else would I need?
There's only one rule - please don't tell anyone to go and read the manual.  Sometimes the manual just SUCKS!
#2

No, I think it would not work as CSRF in all circumstances.

For instance it might work on a login screen. Fine. But CSRF is a problem much deeper than login. It exploits the trust a site has for a user, making it seem like a request that was not issued by the user intentionally was sent by the user to a site they happen to be logged into.

So you would need robot checking on every form. Imagine an admin screen. You might have fifty pages with forms on them. Each page would say 'am I a human' and worse, challenge the user every five minutes with a 'what is this text' type question every time it decided it was not sure if it was a human still.

So yes, it would work on a single form, preferably on a contact form or a login form, the sort of place you want that sort of check, as you do not want a robot pumping away trying emails and passwords endlessly. However, CSRF is about making sure all, and any post, from your site is from a form that was actually delivered from your server. Especially when a user is logged in genuinely.

Personally, for me CSRF has always worked perfectly and as intended. I have never had any issues with it at all. Even with AJAX it is quite straightforward to work with.

Best wishes,

Paul.
#3

(12-16-2016, 11:44 AM)PaulD Wrote: No, I think it would not work as CSRF in all circumstances.

For instance it might work on a login screen. Fine. But CSRF is a problem much deeper than login. It exploits the trust a site has for a user, making it seem like a request that was not issued by the user intentionally was sent by the user to a site they happen to be logged into.

So you would need robot checking on every form. Imagine an admin screen. You might have fifty pages with forms on them. Each page would say 'am I a human' and worse, challenge the user every five minutes with a 'what is this text' type question every time it decided it was not sure if it was a human still.

So yes, it would work on a single form, preferably on a contact form or a login form, the sort of place you want that sort of check, as you do not want a robot pumping away trying emails and passwords endlessly. However, CSRF is about making sure all, and any post, from your site is from a form that was actually delivered from your server. Especially when a user is logged in genuinely.

Personally, for me CSRF has always worked perfectly and as intended. I have never had any issues with it at all. Even with AJAX it is quite straightforward to work with.

Best wishes,

Paul.

I just can't seem to get CSRF to work. Each time I submit, it throws that error I mentioned. I also use form_open_multipart().

PHP Code:
<?php

class Thread extends MX_Controller {

    private $pre_message;

    public function __construct() {
        parent::__construct();
        $this->load->library('form_validation');
        $this->load->library('parsedown');
        $this->load->model('catalog/qna/thread_model');
        $this->load->model('catalog/qna/category_model');
        $this->load->model('catalog/qna/forum_model');
    }

    public function add($forum_id) {
        $this->form_validation->set_rules('subject', 'subject', 'required|min_length[5]|max_length[120]');
        $this->form_validation->set_message('required', 'This thread {field} is required!');

        if ($this->form_validation->run() == true) {

            // "Preview" button: store or update the draft in post_tmp under my_post_key
            if ($this->input->post('preview')) {

                $post_tmp_info = $this->thread_model->get_tempory_post($this->input->post('my_post_key'), $forum_id);

                if ($this->input->post('my_post_key') == $post_tmp_info['posting_id']) {

                    $data = array(
                        'forum_id' => $forum_id,
                        'subject'  => $this->input->post('subject'),
                        'message'  => $this->input->post('message')
                    );

                    $this->db->where('posting_id', $this->input->post('my_post_key'));
                    $this->db->update('post_tmp', $data);

                } else {

                    $data = array(
                        'posting_id' => $this->input->post('my_post_key'),
                        'forum_id'   => $forum_id,
                        'subject'    => $this->input->post('subject'),
                        'message'    => $this->input->post('message')
                    );

                    $this->db->insert('post_tmp', $data);
                }

            }

        }

        $this->get_form($forum_id);
    }

    public function edit($forum_id) {
        $this->get_form($forum_id);
    }

    public function index() {

    }

    public function get_form($forum_id) {

        if (form_error('subject')) {
            $data['error_subject'] = form_error('subject');
        } else {
            $data['error_subject'] = '';
        }

        $thread_info = '';

        if ($this->uri->segment(1) == 'newthread') {
            $data['action']  = 'newthread/' . $forum_id;
            $data['is_edit'] = false;
        }

        if ($this->uri->segment(1) == 'editpost') {
            $data['action']  = 'editpost/';
            $data['is_edit'] = true;
            $thread_info     = $this->thread_model->get_post($this->uri->segment(2));
        }

        $post_tmp_info = $this->thread_model->get_tempory_post($this->input->post('my_post_key'), $forum_id);

        $this->parsedown->setLiteralBreaks(true);

        // On preview, keep the draft key that was posted and render the stored message;
        // otherwise issue a fresh draft key for the empty form
        if ($this->input->post('preview')) {
            $data['my_post_key'] = $this->input->post('my_post_key');
            $data['pre_message'] = $this->parsedown->text($post_tmp_info['message']);
        } else {
            $data['my_post_key'] = $this->generateRandomString(15);
            $data['pre_message'] = '';
        }

        if ($this->input->post('message')) {
            $data['message'] = $this->input->post('message');
        } else if (!empty($thread_info)) {
            $data['message'] = $thread_info['message'];
        } else {
            $data['message'] = '';
        }

        $data['header'] = Modules::run('catalog/common/header/index');
        $data['footer'] = Modules::run('catalog/common/footer/index');

        $this->load->view('template/qna/thread_form', $data);
    }

    // Draft key embedded in the form. random_int() (PHP 7+) replaces rand(),
    // which is not a cryptographically secure source for an unguessable key.
    function generateRandomString($length = 10) {
        $characters       = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
        $charactersLength = strlen($characters);
        $randomString     = '';
        for ($i = 0; $i < $length; $i++) {
            $randomString .= $characters[random_int(0, $charactersLength - 1)];
        }
        return $randomString;
    }
}

#4

(This post was last modified: 12-16-2016, 04:06 PM by PaulD. Edit Reason: additional comments )

Does the CSRF work when you use a simple form_open?

Edit: I presume everything works fine when you turn off the CSRF for your code.

Edit 2: I have not actually built a CI site in ages but am just building two now with latest version (a large shop and a smaller product design shop) - however I doubt I will need multi part forms. Everything seems just as always so far except admittedly I have not started using the CSRF yet. I very much doubt and do not expect a bug in that though. I will switch it on tomorrow and see if anything unexpected happens.

Edit 3: I must admit I do love the google 'I am a human' checkbox :-) but I do not like their captcha system - it is often so difficult even I struggle with it sometimes. Have you played the recordings? Even worse than the text.
#5

(This post was last modified: 12-17-2016, 12:14 AM by wolfgang1983.)

(12-16-2016, 03:57 PM)PaulD Wrote: Does the CSRF work when you use a simple form_open?

Edit: I presume everything works fine when you turn off the CSRF for your code.

Edit 2: I have not actually built a CI site in ages but am just building two now with latest version (a large shop and a smaller product design shop) - however I doubt I will need multi part forms. Everything seems just as always so far except admittedly I have not started using the CSRF yet. I very much doubt and do not expect a bug in that though. I will switch it on tomorrow and see if anything unexpected happens.

Edit 3: I must admit I do love the google 'I am a human' checkbox :-) but I do not like their captcha system - it is often so difficult even I struggle with it sometimes. Have you played the recordings? Even worse than the text.

Yes, the CSRF works when I have form_open and form_open_multipart. The issue is that when I submit the form it regenerates a new token, which makes it throw the error "The action you have requested is not allowed". I can't find a way in my controller to stop it from throwing the error. I also followed this way: https://www.codeigniter.com/user_guide/l...rgery-csrf

Such a pain

PHP Code:
$config['cookie_prefix']    = '';
$config['cookie_domain']    = '';
$config['cookie_path']        = '/';
$config['cookie_secure']    = FALSE;
$config['cookie_httponly']     = FALSE;

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array(); 


Attached Files: Thread.php, thread_form.php
#6

I remember I ran into such an issue a while ago. Turned out I made some mistake where it ran form / CSRF validation twice. So the first check regenerated the CSRF key so the second pass would always return false... Perhaps you could try finding such a case in your code. To trace this case I put some debug echo code in the core form validation/CSRF files.
#7

(12-17-2016, 02:30 AM)Diederik Wrote: I remember I ran into such an issue a while ago. Turned out I made some mistake where it ran form / CSRF validation twice. So the first check regenerated the CSRF key so the second pass would always return false... Perhaps you could try finding such a case in your code. To trace this case I put some debug echo code in the core form validation/CSRF files.

My form has two submit buttons, one for previewing the post and one for submitting it. I don't think that would cause an issue, would it?
#8

I use my own tokens library, as it's like CI's CSRF functionality, but it allows for an array of tokens, and prevents some of the frustration involved with CI's CSRF. It's part of Community Auth, so you can see it there if you like.
#9

(This post was last modified: 12-17-2016, 04:12 PM by wolfgang1983.)

(12-17-2016, 03:23 PM)skunkbad Wrote: I use my own tokens library, as it's like CI's CSRF functionality, but it allows for an array of tokens, and prevents some of the frustration involved with CI's CSRF. It's part of Community Auth, so you can see it there if you like.


Yeah, I think using your own is good. I have just always had issues with CI CSRF and form validation mixed together on the controller side, not AJAX. I don't think I will bother using CodeIgniter CSRF.

There are not many tutorials on how to properly set up CSRF with form validation and submitting on the controller, not via AJAX.
#10

How about setting `$config['csrf_regenerate'] = FALSE;`?
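The failure mode Diederik describes in #6 and the csrf_regenerate setting skunkbad points at in #10, as an added example that is not from the thread or from CodeIgniter's code: a stand-alone PHP sketch of a synchronizer token that rotates on every successful check. It shows that a second verification of the same POST fails once the token has rotated, and that the two-button preview/submit flow from #7 only works when the preview response re-embeds the fresh token. The CsrfGuard class and the two scenario functions are my own names, not CI APIs.

```php
<?php
// Added example, not from the thread or CodeIgniter: a minimal synchronizer-token
// guard whose $regenerate flag models $config['csrf_regenerate'].
final class CsrfGuard
{
    private $current;
    private $regenerate;

    public function __construct(bool $regenerate)
    {
        $this->regenerate = $regenerate;
        $this->current = bin2hex(random_bytes(16)); // CSPRNG, never rand()
    }

    // Token the rendered form must carry (CI's form_open() adds it as a hidden field).
    public function tokenForForm(): string { return $this->current; }

    // Constant-time compare; on success rotate the token when regeneration is on.
    public function verify(string $submitted): bool
    {
        if (!hash_equals($this->current, $submitted)) {
            return false;
        }
        if ($this->regenerate) {
            $this->current = bin2hex(random_bytes(16)); // the old token is now dead
        }
        return true;
    }
}

// Post #6's bug: the same POST is validated twice (core check plus a second check).
// With regeneration on, the first pass succeeds and the second fails.
function doubleCheck(bool $regenerate): array
{
    $guard = new CsrfGuard($regenerate);
    $token = $guard->tokenForForm();
    return [$guard->verify($token), $guard->verify($token)];
}

// Post #7's two-button form: preview, then submit. This only passes if the preview
// response re-embeds the rotated token instead of echoing the one it received.
function previewThenSubmit(bool $reEmbedFreshToken): bool
{
    $guard = new CsrfGuard(true);
    $stale = $guard->tokenForForm();
    $guard->verify($stale);                                       // preview POST passes
    $next = $reEmbedFreshToken ? $guard->tokenForForm() : $stale; // token in preview page
    return $guard->verify($next);                                 // final submit
}

var_dump(doubleCheck(true), doubleCheck(false));
var_dump(previewThenSubmit(true), previewThenSubmit(false));
```

In CI3 the rotated value is available as $this->security->get_csrf_hash(), and form_open() embeds it automatically when the preview page is re-rendered through a view, so a stale token only survives if the form echoes a token it captured earlier. Setting csrf_regenerate to FALSE, as suggested in #10, makes the double-check case pass at the cost of keeping one token for the whole session.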