CodeIgniter Forums
csrf cookie notice - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forum-20.html)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forum-23.html)
+--- Thread: csrf cookie notice (/thread-51313.html)



csrf cookie notice - El Forum - 04-29-2012

[eluser]ExWizzard[/eluser]
So i enabled csrf and i extended the csrf_show_error() function and removed the show_error() part so when the cookie expires, the form will just be submitted again and a new cookie will be generated instead of showing the error, everything works great but i get that notice in the log and im wondering if there is something wrong or just harmless notice, i did rename the cookie in the config to csrf_u_cookie



Code:
<?php if (! defined('BASEPATH')) exit('No direct script access allowed');

class MY_Security extends CI_Security {

    public function __construct()
    {
        parent::__construct();
    }

    public function csrf_show_error()
    {
        //show_error('The action you have requested is not allowed.' );
        log_message('info', 'CSRF expired');
    }

}
?>



Code:
INFO  - 2012-04-29 15:55:55 --> CSRF expired
ERROR - 2012-04-29 15:55:55 --> Severity: Notice  --> Undefined index: csrf_u_cookie /system/core/Security.php 147
INFO  - 2012-04-29 15:55:55 --> CSRF expired
DEBUG - 2012-04-29 15:55:55 --> CRSF cookie Set
DEBUG - 2012-04-29 15:55:55 --> CSRF token verified



csrf cookie notice - El Forum - 05-03-2012

[eluser]vrencianz[/eluser]
Browsers don't send expired cookies to web servers. If such a think happens then you are a CSRF attack victim or a hacker tries to re-send an expired cookie (who knows why?).

Sp, think twice before implement such a functionality Smile.


csrf cookie notice - El Forum - 05-03-2012

[eluser]ExWizzard[/eluser]
Any idea then how i would make it so the user does not see the show_error() then? Its kinda "negative" and a user might get upset or something and never come back. I did bump the expire time to 24h


csrf cookie notice - El Forum - 05-03-2012

[eluser]vrencianz[/eluser]
Sorry, I am a bit confused Smile.

Could you submit a sample code, please? In a normal scenario that error must not

Be sure that <b>form_open()</b> is used to generate the form tag in your view?


csrf cookie notice - El Forum - 05-03-2012

[eluser]ExWizzard[/eluser]
Yes its form_open(), if a user uses the form, and then on that same page deletes his cookies (or let them expire), they will get the error


csrf cookie notice - El Forum - 05-03-2012

[eluser]CroNiX[/eluser]
Not much you can do if a user chooses to delete their cookies while in session... 99.99999% of visitors wouldn't ever do that.


csrf cookie notice - El Forum - 05-03-2012

[eluser]skunkbad[/eluser]
If somebody goes to your page with the form, then waits so long to submit the form that they have problems with cookie expiration, then that's not really your problem. If you are worried about it, maybe you can use javascript to put a click event on all form elements, test if the cookie has expired, then alert the user that their form will not post correctly and to refresh the page (or login). Another idea would be to a monitor on the page letting the user know that their session was going to expire, and if it expires they get redirected somewhere.


csrf cookie notice - El Forum - 05-04-2012

[eluser]ExWizzard[/eluser]
Thanks for the good suggestions