CodeIgniter Forums
CSRF Protection problem - Printable Version

Thread: CSRF Protection problem (/thread-1382.html)


CSRF Protection problem - Urastor - 03-05-2015

Hey there,

I have a small problem with CSRF protection. I'm using CSRF protection for my login site, to log in.
Sometimes I get an error:

"An Error Was Encountered
The action you have requested is not allowed."

I'm using the form helper to create a proper form.
I have no problems on my localhost; it only happens on the live website.
I have absolutely no idea how I can solve this problem. Could anybody give me suggestions?


RE: CSRF Protection problem - Avenirer - 03-05-2015

Maybe this is due to the expiration of csrf token?


RE: CSRF Protection problem - Urastor - 03-05-2015

(03-05-2015, 02:50 PM)Avenirer Wrote: Maybe this is due to the expiration of csrf token?

I don't think so. It happens very randomly, so even if I delete the cookies manually, it happens. I've been struggling with this problem for quite some time now, and normally I ignored it, but sometimes my users need 10-15 tries just to connect, which is really annoying.

I thought it had something to do with the CodeIgniter version, because it began to occur in version 3.x.

Currently I'm using release candidate 2.

Maybe it's helpful to say what I tried before:

- renaming the CSRF token name and cookie name (tried not to use _ or -, so for example "mycsrfcookie")
- disabled CSRF, just to test if this is really the problem: it is
- instead of writing the form with the form helper I tried something like this:
Code:
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>" />
(not working either)


For information, I don't use AJAX there.

Maybe it would help if I provide a little piece of code:

login controller method:
Code:
        [...]
        // Load the validation library and apply the rules defined on the user model
        $this->load->library( 'form_validation' );
        $this->form_validation->set_rules( $this->user->get_validation_rules() );

        if( TRUE === $this->form_validation->run() ) {
            if( TRUE === $this->user->login() ) {
                // Credentials accepted: send the user to the dashboard
                redirect( base_url( 'dashboard' ) );
            } else {
                // Wrong user/password combination: flash a message and show the login form again
                $this->session->set_flashdata( 'login_msg', $this->lang->line( 'login_wrong_combi' ) );
                redirect( base_url( 'login' ) );
            }
        }
        [...]

user model method (the controller refers to it as $this->user):
Code:
    public function login()
    {
        // Look the user up by lower-cased name; row() returns NULL when nothing matched
        $user = $this->db->get_where( $this->table, array( 'name' => strtolower( $this->input->post( 'user' ) ) ) )->row();

        // NULL (no such user) fails the login; count() on a NULL/object is not a reliable test
        if( ! $user )
            return false;

        // Verify the submitted password against the stored hash
        if( ! $this->passwordhash->CheckPassword( $this->input->post( 'password' ), $user->password ) )
            return false;

        // The stored role must be one the auth library knows about
        if( false === ( $role = $this->simple_auth->getSA()->getRole( $user->role ) ) )
            show_error( "User role '" . $user->role . "' is not defined!" );

        $data = array(
                'id'        => $user->id,
                'name'      => $user->name,
                'logged_in' => true,
                'role'      => $user->role
        );

        // Persist the login in the session and report success
        $this->session->set_userdata( $data );
        return true;
    }

Just a short explanation:
If the user could be validated and verified, he's sent to the "dashboard"; otherwise he's redirected to the login site again.

I thought maybe when I set the session data it's overriding the cookie, but why should it work sometimes?
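To make the check behind "The action you have requested is not allowed." concrete, here is an added example that is not code from this thread or from CodeIgniter's own Security class: a stand-alone double-submit-cookie CSRF check of the kind CI3 performs on every POST, followed by a constructed walk-through of one way the token in a form can stop matching the cookie. The function names csrf_generate_token() and csrf_verify() are hypothetical; the config keys listed in the comment are the real CI3 ones from application/config/config.php; the sample user, password and tokens are constructed. It assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example, not code from the thread or from CodeIgniter's Security
// class: a minimal double-submit-cookie CSRF check, written stand-alone so
// it runs with `php csrf_demo.php`. Function names are hypothetical.
//
// The CI3 config keys that govern this behaviour (application/config/config.php):
//   $config['csrf_protection']   = TRUE;
//   $config['csrf_token_name']   = 'csrf_test_name';
//   $config['csrf_cookie_name']  = 'csrf_cookie_name';
//   $config['csrf_expire']       = 7200;   // cookie lifetime in seconds
//   $config['csrf_regenerate']   = TRUE;   // rotate the token after each POST
//   $config['csrf_exclude_uris'] = array();

function csrf_generate_token(): string
{
    // 16 random bytes, hex-encoded: a 32-character unguessable token.
    return bin2hex(random_bytes(16));
}

function csrf_verify(array $post, array $cookie, string $tokenName, string $cookieName): bool
{
    // Both halves must be present (an expired or deleted cookie fails here)...
    if (!isset($post[$tokenName], $cookie[$cookieName])) {
        return false;
    }
    // ...and identical. hash_equals() is a constant-time string comparison.
    return hash_equals((string) $cookie[$cookieName], (string) $post[$tokenName]);
}

// --- Constructed walk-through (sample values, not captured from a real site) ---
$tokenName  = 'csrf_test_name';
$cookieName = 'csrf_cookie_name';

// 1. The server renders the login form: the same token goes into the hidden
//    field and into the CSRF cookie.
$token = csrf_generate_token();
echo '<input type="hidden" name="' . $tokenName . '" value="' . $token . '" />', PHP_EOL;
$browserCookies = [$cookieName => $token];

// 2. The user submits that form: hidden field and cookie match, so the
//    request is allowed.
$submitted = [$tokenName => $token, 'user' => 'alice', 'password' => 'constructed'];
var_dump(csrf_verify($submitted, $browserCookies, $tokenName, $cookieName)); // bool(true)

// 3. Failure mode worth checking for: with csrf_regenerate = TRUE the cookie
//    is rotated after each verified POST, so a form rendered before that POST
//    (a second tab, or a page served from the browser cache) still carries the
//    old token and no longer matches the cookie.
$browserCookies[$cookieName] = csrf_generate_token(); // rotated by a later response
var_dump(csrf_verify($submitted, $browserCookies, $tokenName, $cookieName)); // bool(false)
// That false is what CI3 reports as "The action you have requested is not allowed."
```

Whether stale forms, an expired cookie (csrf_expire) or a missing cookie is behind a given failure cannot be told from the error page alone; logging the submitted token, the cookie value and the request URI on each rejection separates the three cases quickly. If rotation turns out to be the trigger, the trade-off CI3 offers is csrf_regenerate = FALSE, which keeps one token for the cookie's lifetime instead of issuing a new one per submission.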


RE: CSRF Protection problem - stefanv - 03-06-2015

I have exactly the same problem and I can't reproduce it. It happens completely randomly.

I tried it with database and file sessions, but since it's impossible to reproduce, I'm not sure if it depends on the session storage.