CSRF Protection problem (CodeIgniter Forums, General Help; thread: /showthread.php?tid=1382)
CSRF Protection problem - Urastor - 03-05-2015

Hey there,

I have a small problem with CSRF protection. I'm using CSRF protection for my login site, to log in. Sometimes I get an error: "An Error Was Encountered The action you have requested is not allowed."

I'm using the form helper to create a proper form. I have no problems on my localhost, it only happens on the live website. I have absolutely no idea how I can solve this problem... could anybody give me suggestions?

RE: CSRF Protection problem - Avenirer - 03-05-2015

Maybe this is due to the expiration of the CSRF token?

RE: CSRF Protection problem - Urastor - 03-05-2015

(03-05-2015, 02:50 PM)Avenirer Wrote: Maybe this is due to the expiration of csrf token?

I don't think so. It happens very randomly, so even if I delete the cookies manually, it happens. I've been struggling with this problem for quite some time now, and normally I ignored it, but sometimes my users need 10-15 tries just to connect, which is really annoying. I thought it had something to do with the CodeIgniter version, because it began to occur on version 3.x. Currently I'm using release candidate 2.

PS: Maybe it's helpful to say what I tried before:

- renaming the CSRF token name and cookie name (tried not to use _ or -, so for example "mycsrfcookie")
- disabled CSRF, just to test if this is really the problem: it is
- instead of writing the form with the form helper I tried sth. like this:

Code:
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash();?>" />

For information, I don't use AJAX there.

Maybe it would help if I provide a little piece of code:

login-controller-method:

Code:
[...]

user-model-method (the controller refers to it by using $this->user):

Code:
public function login()

Just a short explanation: if the user could be validated and verified, he's sent to the "dashboard", otherwise he's redirected to the login site again.

I thought maybe when I set the session data, it's overriding the cookie, but why should it work sometimes?

RE: CSRF Protection problem - stefanv - 03-06-2015

I have exactly the same problem and I can't reproduce it. It happens completely randomly. I tried it with database and file sessions, but since it's impossible to reproduce, I'm not sure if it's dependent on the session storage.