CodeIgniter Forums
CSRF 500 Error Bug - Printable Version

+--- Thread: CSRF 500 Error Bug (/showthread.php?tid=51654)



CSRF 500 Error Bug - El Forum - 05-12-2012

[eluser]Unknown[/eluser]
Hi,

I've noticed that users with their computers' clocks set a few days into the future can't properly submit my forms. If I turn off CSRF it works.

Is there a work around?

Thanks!


CSRF 500 Error Bug - El Forum - 05-12-2012

[eluser]Rok Biderman[/eluser]
It's not a bug, it's a feature. Insisting your server has properly configured time is also one of the few basics you can demand of your provider.

P.S.: Absolutely love the nickname.


CSRF 500 Error Bug - El Forum - 05-12-2012

[eluser]CroNiX[/eluser]
He was talking about visitors to the site, not the server.


CSRF 500 Error Bug - El Forum - 05-12-2012

[eluser]Unknown[/eluser]
Yes, the server time is correct, but I had one visitor in particular that couldn't log in. After a lot of frustration, we found out his clock was a month fast.

I think it has to do with the CSRF cookie timeout. Would it be bad if I set the cookie to timeout a bit longer?

Also, are time zones accounted for in timeout values?

Thanks.
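
The timeout and time zone questions above come down to how the CSRF cookie expires. The script below is an added example for this thread, not code from the original poster or from CodeIgniter itself. It models the server setting the cookie the way CodeIgniter 2's Security class does through set_cookie()/setcookie(): an absolute Expires date equal to server time plus csrf_expire (7200 seconds by default), and then models a browser applying the RFC 6265 section 5.3 rule that this date is compared against the client's own clock before the cookie is kept. The constant names and values are constructed to match the config.php defaults, the server timestamp is constructed, and the Max-Age variant is an assumption added to show the contrast: Max-Age is relative to whatever clock the client has, so it is unaffected by skew.

```php
<?php
// Added example, not CodeIgniter's code: why a browser whose clock runs ahead
// of the server drops a short-lived CSRF cookie, and what that does to the
// csrf_verify() check. Requires PHP 7.1+ (nullable return types).

const CSRF_EXPIRE = 7200;              // assumed: $config['csrf_expire'] default
const CSRF_COOKIE = 'csrf_cookie_name'; // assumed: $config['csrf_cookie_name'] default
const CSRF_TOKEN  = 'csrf_test_name';   // assumed: $config['csrf_token_name'] default

/** Server side: the Set-Cookie header CodeIgniter's set_cookie() would emit. */
function server_set_csrf_cookie(int $server_now, string $hash, bool $with_max_age = false): string
{
    // time() + csrf_expire is an absolute instant taken from the SERVER clock.
    $header = sprintf('%s=%s; expires=%s; path=/',
        CSRF_COOKIE, $hash, gmdate('D, d-M-Y H:i:s T', $server_now + CSRF_EXPIRE));
    if ($with_max_age) {
        $header .= '; Max-Age=' . CSRF_EXPIRE; // relative lifetime (see below)
    }
    return $header;
}

/** Client side (browser): keep or discard the cookie per RFC 6265 section 5.3. */
function client_store_cookie(string $set_cookie, int $client_now): ?array
{
    $parts = array_map('trim', explode(';', $set_cookie));
    [$name, $value] = explode('=', array_shift($parts), 2);
    $expires = $max_age = null;
    foreach ($parts as $attr) {
        [$k, $v] = array_pad(explode('=', $attr, 2), 2, null);
        if (strcasecmp($k, 'expires') === 0) {
            $expires = strtotime($v);   // absolute date, judged by the CLIENT clock
        } elseif (strcasecmp($k, 'max-age') === 0) {
            $max_age = (int) $v;        // relative seconds, immune to clock skew
        }
    }
    if ($max_age !== null) {            // Max-Age takes precedence over Expires
        $expiry = $client_now + $max_age;
    } elseif ($expires !== null) {
        $expiry = $expires;
    } else {
        $expiry = PHP_INT_MAX;          // no attribute: session cookie
    }
    // A cookie that already looks expired to the browser is never stored.
    return $expiry > $client_now ? ['name' => $name, 'value' => $value] : null;
}

/** Server side: what CI_Security::csrf_verify() checks on a POST. */
function server_csrf_verify(array $post, array $cookie): bool
{
    // Hidden field and cookie must both be present and equal; otherwise
    // CodeIgniter calls csrf_show_error(), which show_error()s with HTTP 500.
    if (!isset($post[CSRF_TOKEN], $cookie[CSRF_COOKIE])) {
        return false;
    }
    return hash_equals($cookie[CSRF_COOKIE], $post[CSRF_TOKEN]); // CI 2 used !==
}

/** One form round trip for a client whose clock is $skew seconds ahead. */
function round_trip(int $skew, bool $with_max_age = false): bool
{
    $server_now = 1336780800;                // constructed: 2012-05-12 00:00:00 UTC
    $hash       = bin2hex(random_bytes(16)); // stand-in for CI's md5(uniqid()) token
    // GET: the form is rendered with the hidden field and the cookie is sent.
    $header = server_set_csrf_cookie($server_now, $hash, $with_max_age);
    $jar    = client_store_cookie($header, $server_now + $skew);
    // POST moments later: the browser only sends cookies it actually kept.
    $post   = [CSRF_TOKEN => $hash];
    $cookie = $jar ? [$jar['name'] => $jar['value']] : [];
    return server_csrf_verify($post, $cookie);
}

foreach ([0, 3600, 3 * 86400, 30 * 86400] as $skew) {
    printf("client clock %8d s ahead, Expires only : %s\n", $skew,
        round_trip($skew) ? 'accepted' : 'CSRF error (HTTP 500)');
}
printf("client clock %8d s ahead, with Max-Age : %s\n", 30 * 86400,
    round_trip(30 * 86400, true) ? 'accepted' : 'CSRF error (HTTP 500)');
```

Run it with `php csrf_skew.php`. A client one hour ahead still passes because 3600 < 7200; a client three days or a month ahead sees a cookie that "expired" long ago, never stores it, sends the hidden field alone, and the verify step fails exactly as in the thread. Time zones never enter into it: time() and the Expires date are both UTC instants. The mirror image is worth keeping in mind too: a client whose clock is behind keeps the cookie for longer than csrf_expire intended, which is the other half of why stretching csrf_expire to absorb skew weakens the protection rather than fixing the problem.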


CSRF 500 Error Bug - El Forum - 05-12-2012

[eluser]InsiteFX[/eluser]
The cookie is stored on the client system, so if their time is off there is not much you can do about it!

It's their error not yours.

Like here I will set my time a month ahead, how are you going to fix that?



CSRF 500 Error Bug - El Forum - 05-12-2012

[eluser]CroNiX[/eluser]
It's how CSRF is supposed to work. Increasing the time that much kind of defeats the purpose and leaves you a whole lot less protected. You can't control if some idiot user has his clock way off, just like you can't control if they turn cookies off, in which case a whole lot of sites wouldn't work for them including their banking. One thing you might do is amend the CSRF error message to be more friendly and add something about making sure their date/time is correct.
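
The friendlier-error suggestion above can be done without touching the check itself. The file below is an added example for CodeIgniter 2.x, not code from the thread or from the framework: it overrides the method that prints the failure page so the visitor is told to check cookies and the clock on their computer. It assumes the default `$config['subclass_prefix'] = 'MY_'`, that `CI_Security::csrf_show_error()` is the method invoked when csrf_verify() fails (as in CodeIgniter 2.0/2.1; confirm against the installed version), and that `show_error()` accepts a status code and heading as its second and third arguments, which it does in 2.x. The 403 status and the wording are choices made for this example.

```php
<?php
// application/core/MY_Security.php
//
// Added example, not CodeIgniter's own code: replace the stock
// "The action you have requested is not allowed." 500 page with one that
// tells the visitor what to check. The token comparison is untouched.
//
// Assumes $config['subclass_prefix'] = 'MY_' (the default) and that a
// failed csrf_verify() calls csrf_show_error(), as in CodeIgniter 2.0/2.1.

class MY_Security extends CI_Security
{
    public function csrf_show_error()
    {
        // csrf_expire is in seconds; express it in minutes for the visitor.
        $minutes = (int) ceil((int) config_item('csrf_expire') / 60);

        $message  = 'The action you have requested is not allowed because the '
                  . 'security token for this form could not be verified.<br><br>'
                  . 'This usually happens when the page was left open for more than '
                  . $minutes . ' minutes, when cookies are disabled in your browser, '
                  . 'or when the date and time on your computer are wrong. '
                  . 'Please check your clock, go back and submit the form again.';

        // show_error() defaults to 500 (hence the "500 Error" in the thread
        // title); 403 is a deliberate choice here since the request was
        // rejected rather than the server having failed. Either way the page
        // is a 4xx/5xx and will not be cached by intermediaries.
        show_error($message, 403, 'Security check failed');
    }
}
```

Drop the file in application/core/ and CodeIgniter picks it up automatically on the next request; nothing else in config.php needs to change, and csrf_expire can stay at its default. The message deliberately names the three realistic causes (stale form, cookies off, wrong clock) and nothing about the token mechanics, which is all a legitimate user needs and all an attacker should learn.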