Codeigniter 3 | JqGrid | CSRF - Printable Version
+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Development (https://forum.codeigniter.com/forumdisplay.php?fid=6)
+--- Forum: Issues (https://forum.codeigniter.com/forumdisplay.php?fid=19)
+--- Thread: Codeigniter 3 | JqGrid | CSRF (/showthread.php?tid=1283)
Codeigniter 3 | JqGrid | CSRF - mertdogan - 02-25-2015

I have migrated my site from CI2 to CI3. I'm using the infinite scroll option of JqGrid, and I push the csrf token to postData. My code is working in CI2. When migrated to CI3, there is still a csrf token in postData (I can see it with the Chrome debugger) but the "The action you have requested is not allowed" message appears. When I disabled csrf_token, everything lists fine. Is this a bug or am I doing something wrong? Thanks.

RE: Codeigniter 3 | JqGrid | CSRF - Nichiren - 02-25-2015

Do you have csrf_regenerate enabled in your config? If so, the error may be caused by a mismatch between a new token and a stale token. If that is the case, you can either disable csrf_regenerate (if security isn't your top concern) or exclude the uri in csrf_exclude_uris (which sounds like your best bet here considering the use case). Otherwise, I'm not really sure how you could get around it if you keep csrf_regenerate on since your user wouldn't be reloading the page to re-set their csrf cookie.

RE: Codeigniter 3 | JqGrid | CSRF - mertdogan - 02-25-2015

(02-25-2015, 01:50 PM)Nichiren Wrote:
    Do you have csrf_regenerate enabled in your config? If so, the error may be caused by a mismatch between a new token and a stale token. If that is the case, you can either disable csrf_regenerate (if security isn't your top concern) or exclude the uri in csrf_exclude_uris (which sounds like your best bet here considering the use case). Otherwise, I'm not really sure how you could get around it if you keep csrf_regenerate on since your user wouldn't be reloading the page to re-set their csrf cookie.

Thank you so much. I have disabled it as you described and everything works as I want. So I have a question now: my csrf_expire setting is 7200; how many seconds can a user use the jqgrid table without refreshing the page?
RE: Codeigniter 3 | JqGrid | CSRF - Nichiren - 02-25-2015

If a user stays on the page for 7200 seconds without a reload, then the CSRF credential on the server would expire for that user since they would now have a stale token.

RE: Codeigniter 3 | JqGrid | CSRF - mertdogan - 02-26-2015

(02-25-2015, 04:08 PM)Nichiren Wrote:
    If a user stays on the page for 7200 seconds without a reload, then the CSRF credential on the server would expire for that user since they would now have a stale token.

I have some questions based on your answer:
- Is this a page timeout or a session timeout?
- What happens if the visitor opens another browser tab and opens another page of the site? Does JqGrid start giving the error message again, or what?

RE: Codeigniter 3 | JqGrid | CSRF - Nichiren - 02-26-2015

(02-26-2015, 03:13 AM)mertdogan Wrote:
    (02-25-2015, 04:08 PM)Nichiren Wrote:
        If a user stays on the page for 7200 seconds without a reload, then the CSRF credential on the server would expire for that user since they would now have a stale token.

- Neither. The timeout is set specifically for your CSRF token and is independent of the user session.
- If you have token regeneration set to FALSE, then any new tab will use the same token and will be valid as long as the token has not expired.

RE: Codeigniter 3 | JqGrid | CSRF - mertdogan - 02-26-2015

(02-26-2015, 12:25 PM)Nichiren Wrote:
    (02-26-2015, 03:13 AM)mertdogan Wrote:
        (02-25-2015, 04:08 PM)Nichiren Wrote:
            If a user stays on the page for 7200 seconds without a reload, then the CSRF credential on the server would expire for that user since they would now have a stale token.

Thank you for this information.

RE: Codeigniter 3 | JqGrid | CSRF - james - 02-26-2015

If you want, you can regenerate the CSRF in this way in your Controller.

Code:
$csrf = array(

RE: Codeigniter 3 | JqGrid | CSRF - mertdogan - 02-26-2015

(02-26-2015, 01:56 PM)james Wrote:
    If you want, you can regenerate the CSRF in this way in your Controller.

I don't want that for now; thanks.
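The thread settles on turning csrf_regenerate off or listing the grid URL in csrf_exclude_uris. Both options weaken the protection: csrf_regenerate = FALSE keeps one token alive for the whole csrf_expire window, and csrf_exclude_uris switches the check off for that route entirely (tolerable for a read-only listing, not for anything that changes state). The root cause Nichiren describes is that the grid keeps sending the token captured at page load while CI3 rotates the cookie on every verified POST. The following is an added example, not code from the thread, from CodeIgniter or from jqGrid; it keeps regeneration on by reading the CSRF cookie at request time. It assumes the CI3 default names csrf_test_name and csrf_cookie_name, that cookie_httponly is FALSE so document.cookie exposes the CSRF cookie, and that jqGrid evaluates function-valued postData entries when it builds each request; the grid URL in the comment is hypothetical.

```javascript
// Added example (not code from the forum thread, CodeIgniter or jqGrid).
// Goal: keep csrf_regenerate = TRUE in CI3 and still let jqGrid's infinite
// scroll work, by reading the rotated token right before each request.
//
// Assumptions, labelled as such:
//  - CI3 config.php uses the default csrf_token_name ('csrf_test_name') and
//    csrf_cookie_name ('csrf_cookie_name').
//  - cookie_httponly is FALSE, so document.cookie exposes the CSRF cookie.
//  - jqGrid calls function-valued postData entries when it builds a request.

const CSRF_TOKEN_NAME = 'csrf_test_name';    // CI3: $config['csrf_token_name']
const CSRF_COOKIE_NAME = 'csrf_cookie_name'; // CI3: $config['csrf_cookie_name']

// Return the value of one cookie from a document.cookie-style string, or null
// if it is absent (for example after csrf_expire seconds, when the browser
// has dropped the cookie and a page reload is the only way to get a new one).
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build jqGrid postData. The token entry is a function, so the cookie is read
// at request time instead of freezing the value captured at page load.
// readCookies is injected (() => document.cookie in a browser) so the logic
// can be exercised outside a browser.
function buildPostData(readCookies, extra = {}) {
  return Object.assign({}, extra, {
    [CSRF_TOKEN_NAME]: () => getCookie(readCookies(), CSRF_COOKIE_NAME) || ''
  });
}

// Resolve function-valued entries the way jqGrid does before posting.
function resolvePostData(postData) {
  const out = {};
  for (const [key, value] of Object.entries(postData)) {
    out[key] = typeof value === 'function' ? value() : value;
  }
  return out;
}

// Constructed demonstration: a fake cookie jar that we mutate as if the server
// had rotated the hash, which is what csrf_regenerate = TRUE does on each POST.
let fakeCookieJar = 'ci_session=s1; csrf_cookie_name=tokenA';
const readFakeCookies = () => fakeCookieJar;

// Frozen style (what breaks under csrf_regenerate): value read once at load.
const frozenPostData = {
  [CSRF_TOKEN_NAME]: getCookie(readFakeCookies(), CSRF_COOKIE_NAME)
};
// Live style: value read on every request.
const livePostData = buildPostData(readFakeCookies, { page: 1, rows: 50 });

// Returns the token each style would send before and after one rotation.
function simulateRotation() {
  const before = [
    resolvePostData(frozenPostData)[CSRF_TOKEN_NAME],
    resolvePostData(livePostData)[CSRF_TOKEN_NAME]
  ];
  fakeCookieJar = 'ci_session=s1; csrf_cookie_name=tokenB'; // server rotated it
  const after = [
    resolvePostData(frozenPostData)[CSRF_TOKEN_NAME],
    resolvePostData(livePostData)[CSRF_TOKEN_NAME]
  ];
  return { before, after };
}

// In a real page (jQuery and jqGrid loaded; the URL is hypothetical):
//   $('#grid').jqGrid({
//     url: '/items/list', mtype: 'POST', datatype: 'json', scroll: 1,
//     postData: buildPostData(() => document.cookie)
//   });
```

Two caveats for anyone using this pattern. First, if cookie_httponly is TRUE the cookie cannot be read from JavaScript, and the alternative is to have the listing controller put the current hash into its JSON response and update postData from there. Second, regeneration on every POST is inherently racy: infinite scroll issues its requests one after another, but a POST from a second tab or a parallel widget can still be sent with the old token before the response that rotated it arrives, which is the same failure the thread describes.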