CodeIgniter Forums
when csrf is true only works in firefox and not in other browser - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: when csrf is true only works in firefox and not in other browser (/showthread.php?tid=42413)

Pages: 1 2


when csrf is true only works in firefox and not in other browser - El Forum - 06-06-2011

[eluser]Javier Fonseca[/eluser]
Hello there! I'm new using this framework and i got a little issue here, I know there are a lot of post about it but most of them are old and no one of them have been really useful.

I'm using the last codeigniter 2.0.2. My application runs very well using firefox, but in Chrome i got An Error Was Encountered The action you have requested is not allowed.

I store the session info in the default "ci_session" table. My question is: Why if the session info is stored using chrome I'm not redirect after login? I think this is a kind of bug.

I started using codeigniter 2 weeks ago and it's kind of tricky and painful, I think a framework has to be "easy" to use.

Any help will be appreciated!


when csrf is true only works in firefox and not in other browser - El Forum - 06-07-2011

[eluser]adityamenon[/eluser]
Hee hee good joke. But I really do hope you are kidding. CI is painful to use? Are you looking for a flame war? You came on to the forum of CodeIgniter, and made accusations without basis. Just HOW much more easy can a framework get! Currently, there are no frameworks that support this:

Code:
$object = new frameworkObject();

$object.createMySiteNoHardWork('facebook_type');

$object.throwInSomeFeatures('twitter_like_interface');



when csrf is true only works in firefox and not in other browser - El Forum - 06-07-2011

[eluser]LuckyFella73[/eluser]
It's kind of impossible to help you without seeing any code.
Please post all related code (using CODE TAGS) so nobody has
to guess.
Sidenote: using CI should get quite "easy" to use as soon as
you get a bit more familiar how it works.


when csrf is true only works in firefox and not in other browser - El Forum - 06-07-2011

[eluser]Clooner[/eluser]
There are some tricks to working with sessions. check this old post http://ellislab.com/forums/viewthread/157468/ maybe that will help


when csrf is true only works in firefox and not in other browser - El Forum - 06-07-2011

[eluser]Javier Fonseca[/eluser]
Hey take it easy! I was joking about "painful" :-) , anyway the help is required.

Quote:Sidenote: using CI should get quite “easy” to use as soon as
you get a bit more familiar how it works.

I agree!.

Quote:There are some tricks to working with sessions. check this old post http://ellislab.com/forums/viewthread/157468/ maybe that will help

Hi Jeroen Schaftenaar, I tryed it but it still yield the error.

Here is my config code:

[code]<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/*
|--------------------------------------------------------------------------
| Base Site URL
|--------------------------------------------------------------------------
|
*/
$config['base_url'] = 'http://www.suemp.com/goen/';

/*
|--------------------------------------------------------------------------
| Index File
|--------------------------------------------------------------------------
*/
$config['index_page'] = '';

/*
|--------------------------------------------------------------------------
| URI PROTOCOL
|--------------------------------------------------------------------------
*/
$config['uri_protocol'] = 'REQUEST_URI';



/*
|--------------------------------------------------------------------------
| Session Variables
|--------------------------------------------------------------------------
*/
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'ci_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;

/*
|--------------------------------------------------------------------------
| Cookie Related Variables
|------------------------------------------
$config['cookie_prefix'] = "";
$config['cookie_domain'] = "";
$config['cookie_path'] = "/";
$config['cookie_secure'] = FALSE;

/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------

*/
$config['global_xss_filtering'] = TRUE;

/*
|--------------------------------------------------------------------------
| Cross Site Request Forgery
|--------------------------------------------------------------------------

*/
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;


when csrf is true only works in firefox and not in other browser - El Forum - 06-07-2011

[eluser]Clooner[/eluser]
Remove the underscore from sess_cookie_name
Code:
$config['sess_cookie_name'] = ‘ci_session’;
// no underscores!
$config['sess_cookie_name'] = ‘sessionname’;



when csrf is true only works in firefox and not in other browser - El Forum - 06-07-2011

[eluser]LuckyFella73[/eluser]
You didn't read the thread Jeroen Schaftenaar posted via link!
Line 5 says remove underscore and you left the cookie_domain empty.

Code:
$config['cookie_domain'] = ($_SERVER['SERVER_NAME'] == 'localhost' ? '' : preg_replace('/^www\./', '', $_SERVER['SERVER_NAME']));

I recommend to set cookie encryption to TRUE - don't forget to set the
encryption key in config.php then.


when csrf is true only works in firefox and not in other browser - El Forum - 06-07-2011

[eluser]Javier Fonseca[/eluser]
I get error when I try to login or signup a new user.

Code:
<?php

class Inicio extends CI_Controller {

    public function __construct()
       {
            parent::__construct();
            session_start();
            $this->load->model('feed_model');
            $this->load->model('membresia');
            $this->load->library('form_validation');
            
            
       }
    function index()
    {
        
        $data['query'] = $this->feed_model->getAllRows();
        $this->load->view('inicio_view', $data);
    }
    
    function inicio_usuario()
    {
        $data['query'] = $this->feed_model->getAllRows();
        $this->load->view('inicio/inicioUsuarios', $data);
        
    }
    
    function evento()
    {
        $data['query'] = $this->feed_model->geteventos();
        $this->load->view('inicio/eventos', $data);
    }
    
    function post() //not tested yet
    {
        $id = $this->uri->segment(3);
        $data['verificar'] = $this->feed_model->vcom($id);
        $data['post'] = $this->feed_model->getpost($id);
        $data['comentario'] = $this->feed_model->getcomentarios($id);
        
        $this->load->view('inicio/post',$data);
        
        $this->form_validation->set_rules('comentario', 'Coemntario', 'trim|required');
        
        
        
    if($this->form_validation->run() !== FALSE)
        
        {            
            $this->load->helper('date');
            
            $now = time();
            
            $this->feed_model->comentar(
                                $this->input->post('idpost'),
                                $this->session->userdata('username'),
                                $this->input->post('comentario'),
                                unix_to_human($now));
            redirect('inicio/post/'.$id);
            
        }
    
    }
    function nuevoUsuario()
    {


        
        // field name, error message, validation rules
        $this->form_validation->set_rules('nombre', 'Nombre', 'trim|required');
        $this->form_validation->set_rules('apellido', 'Apellido', 'trim|required');
        $this->form_validation->set_rules('correo', 'Correo', 'trim|required|valid_email');
        $this->form_validation->set_rules('usuario', 'Usuario', 'trim|required|min_length[6]');
        $this->form_validation->set_rules('password', 'Contraseña', 'trim|required|min_length[6]|max_length[32]');
        $this->form_validation->set_rules('password2', 'Confirmar Contraseña', 'trim|required|matches[password]');
        
        
    if($this->form_validation->run() == FALSE)
        {
            redirect('inicio/signup');
        }
        
        else
        {            
            $data = array(
                'Nombre' => $this->input->post('nombre'),
                'Apellido' => $this->input->post('apellido'),
                'Correo' => $this->input->post('correo'),            
                'Usuario' => $this->input->post('usuario'),
                'Contraseña' => md5($this->input->post('password')),
                'tipo' => 2                        
            );
                
            $q = $this->membresia->registrarse($data);
                    
            if($q == true)
            {
                redirect('inicio/bienvenida');
            }
            
            
        }
            
    }            
    
    function login()
    {
        $this->load->view('inicio/login_form');
        
    }
    
    function loginin()
    {
        
        $this->form_validation->set_rules('username','','required');
        $this->form_validation->set_rules('password','','required|min_length[6]');
        
        
        if($this->form_validation->run() !== false)
        {
            
            $res = $this
                ->membresia
                ->verificarUsuario(
                $this->input->post('username'),
                $this->input->post('password')
                );
                
            if( $res !== false)
            {
                $_SESSION['usuario'] = $this->input->post('username');
                
                $data = array(
                'username' => $this->input->post('username'),
                'is_logged_in' => true
                );
                $this->session->set_userdata($data);
                if($res->tipo == 1)
                {
                    
                    redirect('cms');
                }
                else
                {
                    redirect('inicio/inicio_usuario');
                }
                
            }
        
        }
        else
            {
                redirect('inicio/login_form');
            }
    }
    
    function olvido()
    {
        $this->form_validation->set_rules('correo', 'Correo', 'trim|required|valid_email');
        
        
        if($this->form_validation->run() !== false)
        {
            redirect('inicio');
        }
        else
        {
            $this->load->view('inicio/olvido');
        }
    }
    
    function logout()
    {
        session_destroy();
        redirect('inicio');
    }
    
    
    
}



when csrf is true only works in firefox and not in other browser - El Forum - 06-07-2011

[eluser]LuckyFella73[/eluser]
Did you try to avoid special characters:
Code:
'Contraseña' => md5($this->input->post('password')), // ñ -> n

Maybe that causes the error?


when csrf is true only works in firefox and not in other browser - El Forum - 06-07-2011

[eluser]Javier Fonseca[/eluser]
I already set my configuration like this:
Code:
$config['sess_cookie_name']        = 'cisession';
$config['sess_expiration']        = 7200;
$config['sess_expire_on_close']    = FALSE;
$config['sess_encrypt_cookie']    = TRUE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']        = 'ci_sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent']    = TRUE;
$config['sess_time_to_update']    = 300;

/*
|--------------------------------------------------------------------------
| Cookie Related Variables
|--------------------------------------------------------------------------
|
| 'cookie_prefix' = Set a prefix if you need to avoid collisions
| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
| 'cookie_path'   =  Typically will be a forward slash
| 'cookie_secure' =  Cookies will only be set if a secure HTTPS connection exists.
|
*/
$config['cookie_prefix']    = "";
$config['cookie_domain']    = ($_SERVER['SERVER_NAME'] == 'localhost' ? '' : preg_replace('/^www\./', '',
$_SERVER['SERVER_NAME']));
$config['cookie_path']        = "/";
$config['cookie_secure']    = FALSE;

The cookie ecnryption is TRUE and the encryption key is set too but still getting error.
Take a look to my .htaccess code, I dont know if this could help

Code:
Options +FollowSymLinks
Options -Indexes
DirectoryIndex index.php
RewriteEngine on
RewriteCond $1 !^(index\.php|img|css|js|robots\.txt|favicon\.ico)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L,QSA]