CodeIgniter Forums
[Solved] Any thing better than CSRF - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: General (https://forum.codeigniter.com/forumdisplay.php?fid=1)
+--- Forum: Lounge (https://forum.codeigniter.com/forumdisplay.php?fid=3)
+--- Thread: [Solved] Any thing better than CSRF (/showthread.php?tid=66907)



[Solved] Any thing better than CSRF - wolfgang1983 - 12-16-2016

Hello,

I would like to know what would be better than CodeIgniter CSRF.

Because I tried setting it up the documentation way but still get the error "The action you have requested is not allowed". I don't like CodeIgniter CSRF.

If I use something like https://www.google.com/recaptcha/intro/

Is that OK, or what else would I need?


RE: Any thing better than CSRF - PaulD - 12-16-2016

No, I think it would not work as CSRF in all circumstances.

For instance it might work on a login screen. Fine. But CSRF is a problem much deeper than login. It exploits the trust a site has for a user, making it seem like a request that was not issued by the user intentionally was sent by the user to a site they happen to be logged into.

So you would need robot checking on every form. Imagine an admin screen. You might have fifty pages with forms on them. Each page would say 'am I a human' and, worse, challenge the user every five minutes with a 'what is this text' type question every time it decided it was not sure if it was a human still.

So yes, it would work on a single form, preferably on a contact form or a login form, the sort of place you want that sort of check, as you do not want a robot pumping away trying emails and passwords endlessly. However, CSRF is about making sure any and all posts from your site are from a form that was actually delivered from your server. Especially when a user is logged in genuinely.

Personally, for me CSRF has always worked perfectly and as intended. I have never had any issues with it at all. Even with ajax it is quite straight forward to work with.

Best wishes,

Paul.
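
A minimal worked version of the token check Paul is describing, added here as an example (it is not code from this thread and not CodeIgniter's own Security class): the server issues a random token, stores it for the user and embeds it in the form it delivers; a POST is accepted only if it carries that token back. The `$session` array stands in for server-side state, the field name `csrf_test_name` is borrowed from the CodeIgniter config default, and the two request bodies at the bottom are constructed for the walk-through.

```php
<?php
// Added example, not code from the thread or from CodeIgniter itself.
// Plain-PHP synchronizer-token CSRF guard. $session models server-side
// state tied to the victim's login; an attacker page can make the victim's
// browser send a POST (with the session cookie attached automatically) but
// cannot read the token the server put on its own page.

// Issue a fresh, unguessable token and remember it for this user.
function csrf_issue(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['csrf_token'] = $token;
    return $token;
}

// The hidden field a server-rendered form (what form_open() emits) carries.
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="csrf_test_name" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a POST: constant-time comparison of the submitted field against the
// stored token. Any request that lacks the token, or carries a stale or
// guessed one, is rejected regardless of who or what submitted it.
function csrf_verify(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || empty($post['csrf_test_name'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_test_name']);
}

// --- constructed walk-through ---
$session = [];                    // the victim's logged-in session
$token   = csrf_issue($session);  // server renders its own form
echo csrf_hidden_field($token), "\n";

// 1. Submission from the form the server delivered: carries the token.
$own_form_post = ['subject' => 'hello', 'csrf_test_name' => $token];
echo 'own form:      ', csrf_verify($session, $own_form_post) ? 'accepted' : 'rejected', "\n";

// 2. Submissions forged from a third-party page. The session cookie rides
//    along, but the attacker never saw the token, so it can only omit or
//    guess it.
$forged_guess = ['subject' => 'pwned', 'csrf_test_name' => 'guess'];
$forged_none  = ['subject' => 'pwned'];
echo 'forged, guess: ', csrf_verify($session, $forged_guess) ? 'accepted' : 'rejected', "\n";
echo 'forged, none:  ', csrf_verify($session, $forged_none) ? 'accepted' : 'rejected', "\n";
```

Run it with `php csrf_demo.php`. A CAPTCHA does not change the outcome of case 2: a human who solves one on the attacker's page still submits a request with no valid token, and an admin form that has no CAPTCHA at all is exactly the kind of target a forged request aims at, which is why the token has to be checked on every state-changing POST rather than on the login form alone.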


RE: Any thing better than CSRF - wolfgang1983 - 12-16-2016

(12-16-2016, 11:44 AM)PaulD Wrote: No, I think it would not work as CSRF in all circumstances.

For instance it might work on a login screen. Fine. But CSRF is a problem much deeper than login. It exploits the trust a site has for a user, making it seem like a request that was not issued by the user intentionally was sent by the user to a site they happen to be logged into.

So you would need robot checking on every form. Imagine an admin screen. You might have fifty pages with forms on them. Each page would say 'am I a human' and, worse, challenge the user every five minutes with a 'what is this text' type question every time it decided it was not sure if it was a human still.

So yes, it would work on a single form, preferably on a contact form or a login form, the sort of place you want that sort of check, as you do not want a robot pumping away trying emails and passwords endlessly. However, CSRF is about making sure any and all posts from your site are from a form that was actually delivered from your server. Especially when a user is logged in genuinely.

Personally, for me CSRF has always worked perfectly and as intended. I have never had any issues with it at all. Even with ajax it is quite straight forward to work with.

Best wishes,

Paul.

I just can't seem to get CSRF to work; each time I submit, it throws that error I mentioned. I also use form_open_multipart().

PHP Code:
<?php

class Thread extends MX_Controller {

    private $pre_message;

    public function __construct() {
        parent::__construct();
        $this->load->library('form_validation');
        $this->load->library('parsedown');
        $this->load->model('catalog/qna/thread_model');
        $this->load->model('catalog/qna/category_model');
        $this->load->model('catalog/qna/forum_model');
    }

    // Handles both submit buttons of the thread form ("preview" and the
    // real submit); on preview the draft is stored in post_tmp under
    // my_post_key and the form is re-rendered with the parsed message.
    public function add($forum_id) {
        $this->form_validation->set_rules('subject', 'subject', 'required|min_length[5]|max_length[120]');
        $this->form_validation->set_message('required', 'This thread {field} is required!');

        if ($this->form_validation->run() == true) {

            if ($this->input->post('preview')) {

                $post_tmp_info = $this->thread_model->get_tempory_post($this->input->post('my_post_key'), $forum_id);

                // Guard against a missing draft row before reading posting_id.
                if (!empty($post_tmp_info) && $this->input->post('my_post_key') == $post_tmp_info['posting_id']) {

                    $data = array(
                        'forum_id' => $forum_id,
                        'subject'  => $this->input->post('subject'),
                        'message'  => $this->input->post('message')
                    );

                    $this->db->where('posting_id', $this->input->post('my_post_key'));
                    $this->db->update('post_tmp', $data);

                } else {

                    $data = array(
                        'posting_id' => $this->input->post('my_post_key'),
                        'forum_id'   => $forum_id,
                        'subject'    => $this->input->post('subject'),
                        'message'    => $this->input->post('message')
                    );

                    $this->db->insert('post_tmp', $data);
                }

            }

        }

        $this->get_form($forum_id);
    }

    public function edit($forum_id) {
        $this->get_form($forum_id);
    }

    public function index() {

    }

    // Builds the view data for the thread form, for both the "newthread"
    // and "editpost" routes, and loads the view.
    public function get_form($forum_id) {

        if (form_error('subject')) {
            $data['error_subject'] = form_error('subject');
        } else {
            $data['error_subject'] = '';
        }

        $thread_info = '';

        if ($this->uri->segment(1) == 'newthread') {
            $data['action']  = 'newthread/' . $forum_id;
            $data['is_edit'] = false;
        }

        if ($this->uri->segment(1) == 'editpost') {
            $data['action']  = 'editpost/';
            $data['is_edit'] = true;
            $thread_info     = $this->thread_model->get_post($this->uri->segment(2));
        }

        $post_tmp_info = $this->thread_model->get_tempory_post($this->input->post('my_post_key'), $forum_id);

        $this->parsedown->setLiteralBreaks(true);

        if ($this->input->post('preview')) {
            $data['my_post_key'] = $this->input->post('my_post_key');
            $data['pre_message'] = $this->parsedown->text($post_tmp_info['message']);
        } else {
            $data['my_post_key'] = $this->generateRandomString(15);
            $data['pre_message'] = '';
        }

        if ($this->input->post('message')) {
            $data['message'] = $this->input->post('message');
        } else if (!empty($thread_info)) {
            $data['message'] = $thread_info['message'];
        } else {
            $data['message'] = '';
        }

        $data['header'] = Modules::run('catalog/common/header/index');
        $data['footer'] = Modules::run('catalog/common/footer/index');

        $this->load->view('template/qna/thread_form', $data);
    }

    // Generates the draft key (my_post_key). Note that rand() is not a
    // cryptographically secure generator; for a key that must be
    // unguessable, random_bytes()/random_int() are the right tools.
    function generateRandomString($length = 10) {
        $characters       = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
        $charactersLength = strlen($characters);
        $randomString     = '';
        for ($i = 0; $i < $length; $i++) {
            $randomString .= $characters[rand(0, $charactersLength - 1)];
        }
        return $randomString;
    }
}




RE: Any thing better than CSRF - PaulD - 12-16-2016

Does the CSRF work when you use a simple form_open ?

Edit: I presume everything works fine when you turn off the CSRF for your code.

Edit 2: I have not actually built a CI site in ages but am just building two now with latest version (a large shop and a smaller product design shop) - however I doubt I will need multi part forms. Everything seems just as always so far except admittedly I have not started using the CSRF yet. I very much doubt and do not expect a bug in that though. I will switch it on tomorrow and see if anything unexpected happens.

Edit 3: I must admit I do love the google 'I am a human' checkbox :-) but I do not like their captcha system - it is often so difficult even I struggle with it sometimes. Have you played the recordings - even worse than the text.


RE: Any thing better than CSRF - wolfgang1983 - 12-16-2016

(12-16-2016, 03:57 PM)PaulD Wrote: Does the CSRF work when you use a simple form_open ?

Edit: I presume everything works fine when you turn off the CSRF for your code.

Edit 2: I have not actually built a CI site in ages but am just building two now with latest version (a large shop and a smaller product design shop) - however I doubt I will need multi part forms. Everything seems just as always so far except admittedly I have not started using the CSRF yet. I very much doubt and do not expect a bug in that though. I will switch it on tomorrow and see if anything unexpected happens.

Edit 3: I must admit I do love the google 'I am a human' checkbox :-) but I do not like their captcha system - it is often so difficult even I struggle with it sometimes. Have you played the recordings - even worse than the text.

Yes, the CSRF works when I have form_open and form_open_multipart; the issue is when I submit the form. It regenerates a new token and makes it throw the error "The action you have requested is not allowed". I can't find a way on my controller so I can stop it from throwing the error. I followed this way https://www.codeigniter.com/user_guide/libraries/security.html#cross-site-request-forgery-csrf also.

Such a pain

PHP Code:
$config['cookie_prefix']   = '';
$config['cookie_domain']   = '';
$config['cookie_path']     = '/';
$config['cookie_secure']   = FALSE;
$config['cookie_httponly'] = FALSE;

$config['csrf_protection']   = TRUE;
$config['csrf_token_name']   = 'csrf_test_name';
$config['csrf_cookie_name']  = 'csrf_cookie_name';
$config['csrf_expire']       = 7200;
$config['csrf_regenerate']   = TRUE;
$config['csrf_exclude_uris'] = array();



RE: Any thing better than CSRF - Diederik - 12-17-2016

I remember I ran into such an issue a while ago. Turned out I made some mistake where it ran form / CSRF validation twice. So the first check regenerated the CSRF key, so the second pass would always return false... Perhaps you could try finding such a case in your code. To trace this case I put some debug echo code in the core form validation/CSRF files.


RE: Any thing better than CSRF - wolfgang1983 - 12-17-2016

(12-17-2016, 02:30 AM)Diederik Wrote: I remember I ran into such an issue a while ago. Turned out I made some mistake where it ran form / CSRF validation twice. So the first check regenerated the CSRF key, so the second pass would always return false... Perhaps you could try finding such a case in your code. To trace this case I put some debug echo code in the core form validation/CSRF files.

My form has two submit buttons, one for previewing the post and one for submitting it. I don't think that would cause an issue, would it?


RE: Any thing better than CSRF - skunkbad - 12-17-2016

I use my own tokens library, as it's like CI's CSRF functionality, but it allows for an array of tokens, and prevents some of the frustration involved with CI's CSRF. It's part of Community Auth, so you can see it there if you like.


RE: Any thing better than CSRF - wolfgang1983 - 12-17-2016

(12-17-2016, 03:23 PM)skunkbad Wrote: I use my own tokens library, as it's like CI's CSRF functionality, but it allows for an array of tokens, and prevents some of the frustration involved with CI's CSRF. It's part of Community Auth, so you can see it there if you like.


Yeah, I think using your own is good. I have just always had issues with CI CSRF and form validation mixed together on the controller side, not AJAX. I don't think I will bother using CodeIgniter CSRF.

There are not many tutorials on how to properly set up CSRF with form validation and submitting on the controller and not AJAX.


RE: Any thing better than CSRF - kenjis - 12-17-2016

How about setting `$config['csrf_regenerate'] = FALSE;`?
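
A small model of the failure mode Diederik describes, and of why kenjis's `csrf_regenerate = FALSE` suggestion changes the outcome, added here as an example (it is not code from this thread and not CodeIgniter's Security class, whose internals it only approximates): a cookie-based token check that optionally rotates the token on every verification. With rotation on, the first check passes and replaces the cookie token, so a second check in the same request compares the same POST value against a token that no longer exists and fails. The field and cookie names are taken from the config posted above; the request body is constructed for the demonstration. PHP 7.4 or later.

```php
<?php
// Added example, not code from the thread or from CodeIgniter's Security
// class. Models a cookie-based CSRF check with an optional
// regenerate-on-every-check flag, to show why validating twice in one
// request fails when regeneration is on.

class CsrfModel
{
    private bool $regenerate;
    // Stands in for $_COOKIE as the browser sent it with this request.
    public array $cookie = [];

    public function __construct(bool $regenerate)
    {
        $this->regenerate = $regenerate;
        $this->cookie['csrf_cookie_name'] = bin2hex(random_bytes(16));
    }

    // The value a server-rendered form embeds (what form_open() outputs).
    public function tokenForForm(): string
    {
        return $this->cookie['csrf_cookie_name'];
    }

    // One verification pass. Returns false instead of raising
    // "The action you have requested is not allowed".
    public function verify(array $post): bool
    {
        $valid = isset($post['csrf_test_name'], $this->cookie['csrf_cookie_name'])
            && hash_equals($this->cookie['csrf_cookie_name'], (string) $post['csrf_test_name']);

        if ($this->regenerate) {
            // Rotate the token. Anything still holding the old value,
            // including a second check in the same request or a form left
            // open in another tab, is now stale.
            $this->cookie['csrf_cookie_name'] = bin2hex(random_bytes(16));
        }
        return $valid;
    }
}

// One request whose pipeline validates twice (the mistake Diederik found),
// run under each setting. Returns [first pass, second pass].
function checkTwice(bool $regenerate): array
{
    $csrf = new CsrfModel($regenerate);
    // Constructed request body: the form the server delivered, submitted once.
    $post = ['subject' => 'a thread', 'csrf_test_name' => $csrf->tokenForForm()];
    return [$csrf->verify($post), $csrf->verify($post)];
}

foreach ([true, false] as $regenerate) {
    [$first, $second] = checkTwice($regenerate);
    printf("csrf_regenerate=%s: first pass %s, second pass %s\n",
        $regenerate ? 'TRUE' : 'FALSE',
        $first ? 'ok' : 'REJECTED',
        $second ? 'ok' : 'REJECTED');
}
```

Run it with `php csrf_regenerate_demo.php`. The setting is a trade-off rather than a fix: with `csrf_regenerate = FALSE` the same token stays valid until `csrf_expire` (7200 seconds in the config above), so a token that leaks is reusable for that whole window; with `TRUE`, the check must run exactly once per request and every form has to be re-rendered after each submission, which is what the double-validation bug and the preview/submit round trip both violate.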