CodeIgniter Forums
CSRF makes problem on search page - Printable Version




CSRF makes problem on search page - ardavan - 12-12-2015

Hey guys,

I've created a search engine for my project and CSRF_protection is TRUE for the whole project.
In the menu bar I have login and signup buttons, which need CSRF for the action.

I've disabled the CSRF for the search page because users will search for a few things, then maybe the user wants to click on the previous button (in the browser) to see the previous search. If CSRF is TRUE it will show the error page and I don't want that.
I disabled the CSRF for only the search page like this:
PHP Code:
// Split the request URI into segments and look at the last one
$last_segment = explode('/', $_SERVER["REQUEST_URI"]);
if (end($last_segment) === 'results') {
    $config['csrf_protection'] = FALSE;
} else {
    $config['csrf_protection'] = TRUE;
}

Now after doing this my login and signup don't work because the CSRF is FALSE.

Who can help me with this, to have search "without" CSRF and login/signup "with" CSRF?

Thanks


RE: CSRF makes problem on search page - Happy Camper - 12-12-2015

Hello

I would say there is no need to use the code snippet you posted. Just enable CSRF protection in your config file and set 'csrf_exclude_uri' as required.

http://www.codeigniter.com/userguide3/libraries/security.html?highlight=csrf#cross-site-request-forgery-csrf

Hope this helps!


RE: CSRF makes problem on search page - ardavan - 12-13-2015

Thanks for the reply,

I didn't get what I wanted, maybe I did it wrongly.
Here is what I did:
PHP Code:
$config['csrf_exclude_uris'] = array('http://localhost/index.php/search/results'); 
But it seems CSRF is still enabled for my search form!

What I'm doing is:
(page1) Search1: test one
(page2) Search2: test two

When I go back to the search1 page by clicking on the previous button in the browser, I want to search again:
(page1) Search3: test tree
Then I'll get this:
Code:
An Error Was Encountered
The action you have requested is not allowed.

What I need is the search box working without CSRF and the login link working with CSRF!


RE: CSRF makes problem on search page - scion - 12-13-2015

Hi! Why don't you just use GET for search? Then you will not have CSRF protection and problems with it :)


RE: CSRF makes problem on search page - ardavan - 12-19-2015

(12-13-2015, 05:20 AM)scion Wrote: Hi! Why don't you just use GET for search? Then you will not have CSRF protection and problems with it :)

I'm trying to find a solution for this question, not bypass the question. Of course GET is okay, but this is my challenge that I want to do :)


RE: CSRF makes problem on search page - ardavan - 12-19-2015

Any idea?
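
The exclusion list discussed in this thread, as an added example that is not part of any post above: CodeIgniter 3 tests each `csrf_exclude_uris` entry as an anchored, case-insensitive pattern against the URI string (the segments after index.php, with no scheme or host), so a full URL never matches. The helper `is_csrf_excluded()` is a hypothetical stand-in for that check, and the `login` and `signup` route names are assumptions.

```php
<?php
// Added example, not from the thread. Hypothetical helper mirroring how
// CodeIgniter 3 evaluates csrf_exclude_uris: each entry is an anchored,
// case-insensitive regex matched against the URI string (segments only).
function is_csrf_excluded(string $uri_string, array $exclude_uris): bool
{
    foreach ($exclude_uris as $excluded) {
        if (preg_match('#^' . $excluded . '$#i', $uri_string)) {
            return true;
        }
    }
    return false;
}

// URI strings as the framework sees them for the thread's pages
// ("login" and "signup" are assumed route names).
$requests = ['search/results', 'login', 'signup'];

// Value from the thread: a full URL never equals the URI string.
$as_posted = ['http://localhost/index.php/search/results'];

// Corrected: only the segments after index.php.
$corrected = ['search/results'];

foreach (['as posted' => $as_posted, 'corrected' => $corrected] as $label => $list) {
    echo "csrf_exclude_uris ($label):\n";
    foreach ($requests as $uri) {
        printf("  %-15s CSRF check %s\n", $uri,
            is_csrf_excluded($uri, $list) ? 'skipped' : 'enforced');
    }
}

// Equivalent lines for application/config/config.php:
// $config['csrf_protection']   = TRUE;
// $config['csrf_exclude_uris'] = array('search/results');
```

Only requests whose URI string matches an entry skip the token check, so the login and signup forms stay protected while the search form is exempt.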