CodeIgniter Forums
Codeigniter 3 | JqGrid | CSRF

Forum: Development > Issues
Thread: Codeigniter 3 | JqGrid | CSRF (https://forum.codeigniter.com/showthread.php?tid=1283)



Codeigniter 3 | JqGrid | CSRF - mertdogan - 02-25-2015

I have migrated my site from CI2 to CI3.

I'm using the infinite scroll option of JqGrid, and I push the csrf token to postData.

My code is working in CI2. When migrated to CI3, there is still a csrf token in postData (I can see it with the Chrome debugger) but the "The action you have requested is not allowed" message appears.

When I disabled the csrf token, everything listed well.

Is this a bug or am I doing something wrong?

Thanks.


RE: Codeigniter 3 | JqGrid | CSRF - Nichiren - 02-25-2015

Do you have csrf_regenerate enabled in your config? If so, the error may be caused by a mismatch between a new token and a stale token. If that is the case, you can either disable csrf_regenerate (if security isn't your top concern) or exclude the uri in csrf_exclude_uris (which sounds like your best bet here considering the use case). Otherwise, I'm not really sure how you could get around it if you keep csrf_regenerate on since your user wouldn't be reloading the page to re-set their csrf cookie.


RE: Codeigniter 3 | JqGrid | CSRF - mertdogan - 02-25-2015

(02-25-2015, 01:50 PM)Nichiren Wrote: Do you have csrf_regenerate enabled in your config? If so, the error may be caused by a mismatch between a new token and a stale token. If that is the case, you can either disable csrf_regenerate (if security isn't your top concern) or exclude the uri in csrf_exclude_uris (which sounds like your best bet here considering the use case). Otherwise, I'm not really sure how you could get around it if you keep csrf_regenerate on since your user wouldn't be reloading the page to re-set their csrf cookie.

Thank you so much. I have disabled it as you described and everything works well, as I wanted.

So I have a question now: my csrf_expire setting is 7200, so for how many seconds can a user use the jqgrid table without refreshing the page?


RE: Codeigniter 3 | JqGrid | CSRF - Nichiren - 02-25-2015

If a user stays on the page for 7200 seconds without a reload, then the CSRF credential on the server would expire for that user since they would now have a stale token.


RE: Codeigniter 3 | JqGrid | CSRF - mertdogan - 02-26-2015

(02-25-2015, 04:08 PM)Nichiren Wrote: If a user stays on the page for 7200 seconds without a reload, then the CSRF credential on the server would expire for that user since they would now have a stale token.

I have some questions based on your answer:

- Is this a page timeout or a session timeout?
- What happens if the visitor opens another browser tab and opens another page of the site? Does JqGrid start giving the error message again?


RE: Codeigniter 3 | JqGrid | CSRF - Nichiren - 02-26-2015

(02-26-2015, 03:13 AM)mertdogan Wrote:
(02-25-2015, 04:08 PM)Nichiren Wrote: If a user stays on the page for 7200 seconds without a reload, then the CSRF credential on the server would expire for that user since they would now have a stale token.

I have some questions based on your answer:

- Is this a page timeout or a session timeout?
- What happens if the visitor opens another browser tab and opens another page of the site? Does JqGrid start giving the error message again?

- Neither. The timeout is set specifically for your CSRF token and is independent of the user session.

- If you have token regeneration set to FALSE, then any new tab will use the same token and will be valid as long as the token has not expired.


RE: Codeigniter 3 | JqGrid | CSRF - mertdogan - 02-26-2015

(02-26-2015, 12:25 PM)Nichiren Wrote:
(02-26-2015, 03:13 AM)mertdogan Wrote:
(02-25-2015, 04:08 PM)Nichiren Wrote: If a user stays on the page for 7200 seconds without a reload, then the CSRF credential on the server would expire for that user since they would now have a stale token.

I have some questions based on your answer:

- Is this a page timeout or a session timeout?
- What happens if the visitor opens another browser tab and opens another page of the site? Does JqGrid start giving the error message again?

- Neither. The timeout is set specifically for your CSRF token and is independent of the user session.

- If you have token regeneration set to FALSE, then any new tab will use the same token and will be valid as long as the token has not expired.

Thank you for this information.


RE: Codeigniter 3 | JqGrid | CSRF - james - 02-26-2015

If you want, you can regenerate the CSRF in this way in your Controller.

Code:
// Current CSRF token name and hash, ready to be sent back to the client
// (e.g. in the JSON response) so it can update its postData
$csrf = array(
    'name' => $this->security->get_csrf_token_name(),
    'hash' => $this->security->get_csrf_hash()
);



RE: Codeigniter 3 | JqGrid | CSRF - mertdogan - 02-26-2015

(02-26-2015, 01:56 PM)james Wrote: If you want, you can regenerate the CSRF in this way in your Controller.


Code:
// Current CSRF token name and hash, ready to be sent back to the client
// (e.g. in the JSON response) so it can update its postData
$csrf = array(
    'name' => $this->security->get_csrf_token_name(),
    'hash' => $this->security->get_csrf_hash()
);

I don't want that for now; thanks.