Codeigniter 2.0 CSRF Problem - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com)
Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
Thread: Codeigniter 2.0 CSRF Problem (/showthread.php?tid=36516)
Codeigniter 2.0 CSRF Problem - El Forum - 12-04-2010
Posted by lennierb5

I had CSRF protection set to TRUE and ran into the following problem:

If my $config['base_url'] was set to something like "http://mydomain.com/myproject/" and I attempted to login / submit form data from the site http://www.mydomain.com/myproject/ it generates the error:

    An Error Was Encountered
    The action you have requested is not allowed.

The same thing happens if you try http://myip/myproject and try to submit data. It seems like it must exactly match the hostname supplied in $config['base_url']. Everything works fine if my hostname is exactly as supplied in the $config['base_url'].

Any ideas on how to fix this without turning off the CSRF protection?

Codeigniter 2.0 CSRF Problem - El Forum - 12-04-2010
Posted by WanWizard

Fix your form actions, always construct them using base_url().

Codeigniter 2.0 CSRF Problem - El Forum - 12-04-2010
Posted by lennierb5

My form action is correct since I use form_open() from the Form Helper. This problem arises when the base_url does not match where the user is currently. If the user is at http://mydomain.com/myproject and tries to login with a form action of http://www.mydomain.com/myproject or http://myip/myproject it produces the error.

Codeigniter 2.0 CSRF Problem - El Forum - 12-05-2010
Posted by Twisted1919

Code:

    if(isset($_SERVER['HTTP_HOST']))

Codeigniter 2.0 CSRF Problem - El Forum - 12-05-2010
Posted by lennierb5

I can see where something like this would work, but is this working as intended, where you have to make a script to determine your base_url host for the CSRF protection to work?

Codeigniter 2.0 CSRF Problem - El Forum - 12-05-2010
Posted by WanWizard

How can the base_url be different from the host in the current URL? It shouldn't. That still means you have a configuration issue.

If you allow multiple hostnames to resolve to the same site, you have to use the code Twisted1919 posted (which looks quite familiar?), to make sure the base_url() always follows the hostname.

Codeigniter 2.0 CSRF Problem - El Forum - 12-06-2010
Posted by Bastian Heist

Using two domains for the same application isn't such a good approach anyway. Why not just do a redirect from domain.com to www.domain.com and get rid of that problem?

Codeigniter 2.0 CSRF Problem - El Forum - 12-06-2010
Posted by lennierb5

This really is only a problem with the initial login since all the links after that use the base_url. Since most sites can be accessed by www.thedomain.com, thedomain.com and sometimes their direct IP address, I figured there would be something built into CI to recognize this. If the DNS doesn't resolve I still want users to be able to access the site via IP address if need be. I guess for this to work I will have to use the code above or disable the CSRF protection.
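An added example (not code from the thread or from CodeIgniter itself) of the approach Twisted1919 and WanWizard describe, with the check a practitioner would want: the CSRF cookie is scoped to the hostname the browser actually used, so the action that base_url() puts into the form must stay on that hostname, but only hostnames you control should be accepted from the Host header, because an attacker can send any Host value they like. The entries in `$allowed_hosts` and the fallback URL are assumptions for illustration.

```php
<?php
// Added example for config/config.php: derive $config['base_url'] from the
// request host so form actions stay on the host the user is on (and the CSRF
// cookie is sent back), but only for hosts on an explicit allowlist.
// Assumed values: replace these with the hostnames your site really answers to.
$allowed_hosts = array('mydomain.com', 'www.mydomain.com', '203.0.113.10');

$host = isset($_SERVER['HTTP_HOST']) ? strtolower($_SERVER['HTTP_HOST']) : '';
// Compare without a port suffix, but keep the port in the generated URL.
$host_no_port = preg_replace('/:\d+$/', '', $host);

if ($host !== '' && in_array($host_no_port, $allowed_hosts, true)) {
    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
    // Directory of the front controller, e.g. "/myproject/" for /myproject/index.php.
    $path = rtrim(str_replace('\\', '/', dirname($_SERVER['SCRIPT_NAME'])), '/') . '/';
    $config['base_url'] = $scheme . '://' . $host . $path;
} else {
    // Unknown or missing Host header: never echo it back; use the canonical URL.
    $config['base_url'] = 'http://www.mydomain.com/myproject/';
}
```

If you would rather follow Bastian Heist's suggestion, the same allowlist can drive a redirect to the canonical hostname instead of a per-host base_url.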