CodeIgniter Forums
csrf_protection bug. Cant make it work - Printable Version


csrf_protection bug. Cant make it work - El Forum - 07-30-2012

[eluser]CroNiX[/eluser]
And before I also suggested removing the underscore from all cookie names, not just the csrf token cookie name.

Regular cookies (session) too



csrf_protection bug. Cant make it work - El Forum - 07-30-2012

[eluser]rei[/eluser]
Code:
$config['cookie_prefix'] = "";
$config['cookie_domain'] = "";
$config['cookie_path']  = "/";
$config['cookie_secure'] = FALSE;

I also tried using this:
Code:
$config['cookie_prefix'] = "stalkme";
$config['cookie_domain'] = "elementfx.com";
$config['cookie_path']  = "/";
$config['cookie_secure'] = FALSE;

But still no luck


csrf_protection bug. Cant make it work - El Forum - 07-30-2012

[eluser]rei[/eluser]
I'm not using underscores in my session variables sir, because my session variables are just one word.


csrf_protection bug. Cant make it work - El Forum - 07-30-2012

[eluser]CroNiX[/eluser]
Your session config... I didn't mention anything about your variables.


csrf_protection bug. Cant make it work - El Forum - 07-30-2012

[eluser]rei[/eluser]
Is this what you mean, sir?
Code:
$config['sess_cookie_name'] = 'cisession';

I removed the underscore. Still no luck.


csrf_protection bug. Cant make it work - El Forum - 08-10-2012

[eluser]rei[/eluser]
UP. Hello, does anyone already know a solution for this?


csrf_protection bug. Cant make it work - El Forum - 08-10-2012

[eluser]InsiteFX[/eluser]
Couple of things you can try.

Code:
// add this to your controller:

    $data = array(
        'csrf_hash' => $this->security->get_csrf_hash(),
        'csrf_name' => $this->security->get_csrf_token_name()
    );

// And change the hidden form field in your view to this:

<input type="hidden" name="<?php echo $csrf_name; ?>" value="<?php echo $csrf_hash; ?>" />

Well, check your IE cookie settings; IE has default cookie restrictions, like not allowing session cookies.

1) IE menu click on Tools button then Internet options.
2) Click on the Privacy tab then click on the Advanced button.
3) Check the Override automatic cookie handling.
4) First-party Cookies Accept.
5) Third-party Cookies Accept.
6) Check the Always allow session cookies.

NOTES:

Beware of underscores in the hostname, because IE won't save cookies.
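
A config check covering the points raised in this thread, as an added example that is not part of any post or of CodeIgniter itself. The helper check_cookie_config(), the base URL and the csrf_cookie_name value are assumptions; the other settings are the ones quoted in the posts above.

```php
<?php
// Added example: check CodeIgniter cookie settings against the site's host.
// check_cookie_config() is a hypothetical helper, not a framework function.
function check_cookie_config(array $config, string $base_url): array
{
    $problems = array();
    $host   = strtolower((string) parse_url($base_url, PHP_URL_HOST));
    $scheme = strtolower((string) parse_url($base_url, PHP_URL_SCHEME));

    // Underscore in the hostname: IE will not save cookies (see NOTES above).
    if (strpos($host, '_') !== false) {
        $problems[] = "hostname '$host' contains an underscore";
    }
    // The cookie Domain attribute must equal the host or be a parent of it,
    // otherwise the browser discards the cookie.
    $domain = strtolower(ltrim($config['cookie_domain'], '.'));
    $suffix = '.' . $domain;
    if ($domain !== '' && $host !== $domain
        && substr($host, -strlen($suffix)) !== $suffix) {
        $problems[] = "cookie_domain '$domain' does not match host '$host'";
    }
    // A Secure cookie is never sent over plain http, so the CSRF cookie
    // would be missing on every POST.
    if ($config['cookie_secure'] && $scheme !== 'https') {
        $problems[] = 'cookie_secure is TRUE but the site is served over http';
    }
    // Final cookie names (prefix + name): flag underscores, as suggested
    // earlier in the thread.
    foreach (array('sess_cookie_name', 'csrf_cookie_name') as $key) {
        $name = $config['cookie_prefix'] . $config[$key];
        if (strpos($name, '_') !== false) {
            $problems[] = "$key '$name' contains an underscore";
        }
    }
    return $problems;
}

// Constructed sample input: settings quoted in the posts above, plus an
// assumed csrf_cookie_name and an assumed base URL with an underscore.
$config = array(
    'cookie_prefix'    => 'stalkme',
    'cookie_domain'    => 'elementfx.com',
    'cookie_secure'    => FALSE,
    'sess_cookie_name' => 'cisession',
    'csrf_cookie_name' => 'csrf_cookie_name',
);
foreach (check_cookie_config($config, 'http://my_site.elementfx.com/') as $p) {
    echo $p, PHP_EOL;
}
```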