CodeIgniter Forums
wrong csrf cookie name? - Printable Version




wrong csrf cookie name? - El Forum - 04-20-2011

[eluser]coolgeek[/eluser]
I'm setting my csrf cookie and token in config.php as follows:

Code:
$config['csrf_token_name'] = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_cookie';

On my dev site, everything works fine. When I view the cookies on my prod site, the cookie is named ci_csrf_token. Why isn't it named csrf_token?

Other cookie config (with domain name changed, but structurally representative).

Code:
$config['cookie_prefix']    = "";
$config['cookie_domain']    = ".mydomain.com";
$config['cookie_path']      = "/";
$config['cookie_secure']    = FALSE;

Thanks


wrong csrf cookie name? - El Forum - 04-29-2011

[eluser]Unknown[/eluser]
I've had the same problem. When I checked the core "Security" class I noticed it never uses those two config values. In the constructor the cookie prefix is added but it doesn't use the "csrf_token_name" and "csrf_cookie_name" config values.

I added the following two lines to the constructor to solve this:

Code:
$this->_csrf_token_name = config_item('csrf_token_name');
$this->_csrf_cookie_name = config_item('csrf_cookie_name');

But this seems to be a bug, no?


wrong csrf cookie name? - El Forum - 04-29-2011

[eluser]coolgeek[/eluser]
Yes, thanks. It's a known bug.

The problem was that I had rolled back to 2.0.1 in my dev environment, but had not yet done so in my prod environment (which isn't actually in production yet).
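
Added example, not part of the original thread and not CodeIgniter's own code: a deployment check that compares the CSRF cookie name a site actually sets with the name requested in config.php, which flags the dev/prod mismatch described above. The function names, the sample header values and the rule that the expected name is cookie_prefix followed by csrf_cookie_name are assumptions made for this sketch.

```python
import re

# Constructed sample input: the config.php values quoted in the thread.
CONFIG_PHP = r'''
$config['csrf_token_name'] = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_cookie';
$config['cookie_prefix']    = "";
'''
# Constructed Set-Cookie header values (illustrative, not captured traffic).
PROD_HEADERS = ["ci_csrf_token=0123456789abcdef; path=/; domain=.mydomain.com"]
DEV_HEADERS = ["csrf_cookie=0123456789abcdef; path=/; domain=.mydomain.com"]

# Cookie name the thread reports seeing when the configured name is not applied.
FRAMEWORK_DEFAULT = "ci_csrf_token"

# Matches uncommented lines like $config['key'] = 'value'; (string values only).
CONFIG_LINE = re.compile(
    r"""^\s*\$config\[(['"])(\w+)\1\]\s*=\s*(['"])(.*?)\3\s*;""", re.M)

def parse_config(text):
    """Return the quoted-string settings from config.php text as a dict."""
    return {m.group(2): m.group(4) for m in CONFIG_LINE.finditer(text)}

def cookie_names(set_cookie_values):
    """Extract the cookie name from each Set-Cookie header value."""
    return [v.split(";", 1)[0].split("=", 1)[0].strip() for v in set_cookie_values]

def check_csrf_cookie(config_text, set_cookie_values):
    """Compare the cookie the server sets with the name the config asks for."""
    cfg = parse_config(config_text)
    prefix = cfg.get("cookie_prefix", "")
    # Assumption: the expected name is cookie_prefix + csrf_cookie_name.
    wanted = prefix + cfg["csrf_cookie_name"]
    seen = cookie_names(set_cookie_values)
    if wanted in seen:
        return ("ok", wanted)
    if prefix + FRAMEWORK_DEFAULT in seen:
        # The framework default is in use: the configured name was ignored.
        return ("config-ignored", wanted, prefix + FRAMEWORK_DEFAULT)
    return ("missing", wanted)

if __name__ == "__main__":
    for label, headers in (("dev", DEV_HEADERS), ("prod", PROD_HEADERS)):
        print(label, check_csrf_cookie(CONFIG_PHP, headers))
```

Run against each environment after a framework upgrade or rollback, feeding it the Set-Cookie values from a real response instead of the constructed ones.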