CodeIgniter Forums
wrong csrf cookie name? - Printable Version


wrong csrf cookie name? - El Forum - 04-20-2011

I'm setting my csrf cookie and token in config.php as follows:

$config['csrf_token_name'] = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_cookie';

On my dev site, everything works fine. When I view the cookies on my prod site, the cookie is named ci_csrf_token. Why isn't it named csrf_token?

Other cookie config (with domain name changed, but structurally representative).

$config['cookie_prefix']    = "";
$config['cookie_domain']    = "";
$config['cookie_path']      = "/";
$config['cookie_secure']    = FALSE;


wrong csrf cookie name? - El Forum - 04-29-2011

I've had the same problem. When I checked the core "Security" class I noticed it never uses those two config values. In the constructor the cookie prefix is added but it doesn't use the "csrf_token_name" and "csrf_cookie_name" config values.

I added the following two lines to the constructor to solve this:
$this->_csrf_token_name = config_item('csrf_token_name');
$this->_csrf_cookie_name = config_item('csrf_cookie_name');

But this seems to be a bug, no?

wrong csrf cookie name? - El Forum - 04-29-2011

Yes, thanks. It's a known bug.

The problem was that I had rolled back to 2.0.1 in my dev environment, but had not yet done so in my prod environment (which isn't actually in production yet).
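
The dev/prod mismatch discussed in this thread can be caught with a small drift check. This is an added example, not part of the original thread or of CodeIgniter: it compares the CSRF cookie name configured in config.php with the names seen in each environment's Set-Cookie headers. The header values and the function names are constructed for illustration, and it assumes the fallback name is the `ci_csrf_token` reported above with `cookie_prefix` prepended.

```python
import re

FRAMEWORK_DEFAULT = "ci_csrf_token"  # name the thread reports seeing on prod

# Constructed sample input: the config.php lines quoted in the thread.
CONFIG_PHP = '''
$config['csrf_token_name'] = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_cookie';
$config['cookie_prefix']    = "";
'''

# Constructed Set-Cookie header values, one list per environment.
RESPONSES = {
    "dev": ["csrf_cookie=3f9a1c; expires=Wed, 20-Apr-2011 20:00:00 GMT; path=/"],
    "prod": ["ci_csrf_token=77b0e2; expires=Wed, 20-Apr-2011 20:00:00 GMT; path=/"],
}

def parse_config(php_text):
    """Extract quoted string settings of the form $config['key'] = 'value';"""
    pattern = r"\$config\['(\w+)'\]\s*=\s*(['\"])(.*?)\2\s*;"
    return {key: value for key, _q, value in re.findall(pattern, php_text)}

def expected_cookie_name(cfg):
    """Configured CSRF cookie name, with cookie_prefix prepended."""
    return cfg.get("cookie_prefix", "") + cfg["csrf_cookie_name"]

def cookie_names(set_cookie_headers):
    """A cookie's name is the text before the first '=' of the header value."""
    return {h.split(";", 1)[0].split("=", 1)[0].strip() for h in set_cookie_headers}

def check(cfg, responses):
    """Classify each environment: ok, config-ignored, or missing."""
    want = expected_cookie_name(cfg)
    # Assumption: an install that ignores the config falls back to this name.
    fallback = cfg.get("cookie_prefix", "") + FRAMEWORK_DEFAULT
    result = {}
    for env, headers in responses.items():
        names = cookie_names(headers)
        if want in names:
            result[env] = "ok"
        elif fallback in names:
            result[env] = "config-ignored"
        else:
            result[env] = "missing"
    return result

if __name__ == "__main__":
    for env, status in check(parse_config(CONFIG_PHP), RESPONSES).items():
        print(env, status)
```

A `config-ignored` result means the environment is serving the built-in name rather than the configured one, which points to differing framework versions between environments rather than a configuration mistake.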