CodeIgniter Forums
Community Auth Token Name - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: External Resources (https://forum.codeigniter.com/forumdisplay.php?fid=7)
+--- Forum: Addins (https://forum.codeigniter.com/forumdisplay.php?fid=13)
+--- Thread: Community Auth Token Name (/showthread.php?tid=69785)

Pages: 1 2


Community Auth Token Name - reesethebeast - 01-17-2018

I am using Codeigniter 3 and Community Auth. My login was working fine until I recently turned off CI CSRF due to AJAX issues and I am now using the tokens helper.

All of my JQuery code references a specific token name, let's call it my_token. So I want to continue to use this token name versus Community Auth's default token name "token". I am using form_open() on my login form and I added a hidden element for my_token and I changed the Community Auth token name in /application/third_party/community_auth/config/authentication.php to "my_token".

When I try to log in nothing happens. When I check the log file, the submitted form token is not in the jar. I've tried several changes to get this to work, however it only works if I leave the token name as "token". Am I missing some other setting? My site is live so any help would be greatly appreciated.

DEBUG - 2018-01-18 01:57:52 -->
string = myusername
password = abc123
form_token = e03cc701
token_jar = {"0":"f0c0d018","1":"e1610819","2":"8e9a3ac9","3":"3fa0bedb","4":"35144229","5":"579e4e9d","6":"8097b9a7","7":"3330737d","8":"34814180","9":"2835bd8c","11":"7d232b67"}


RE: Community Auth Token Name - skunkbad - 01-18-2018

I think this needs a look, but if I recall correctly, the login token is different because if it was the same as your other forms CA might think you other form post is a login attempt. Give me a couple days to look at this, and see what I can do.


RE: Community Auth Token Name - reesethebeast - 01-18-2018

(01-18-2018, 12:27 AM)skunkbad Wrote: I think this needs a look, but if I recall correctly, the login token is different because if it was the same as your other forms CA might think you other form post is a login attempt. Give me a couple days to look at this, and see what I can do.

OK, thank you. Based on your comments, I think in the mean time that I will change the name back to token and modify the Auth form helper to add hidden element my_token as well, when using form_open().


RE: Community Auth Token Name - reesethebeast - 01-18-2018

Modifying /community_auth/helpers/MY_form_helper.php for now has resolved the issue.

I added $form .= '<input type="hidden" name="my_token" value="'.html_escape($value).'" style="display:none;" />'."\n"; right before return $form;.

If this needs to be a permanent solution, I will add a custom CI config variable for the name versus hard coding.


RE: Community Auth Token Name - skunkbad - 01-18-2018

(01-18-2018, 08:14 AM)reesethebeast Wrote: Modifying /community_auth/helpers/MY_form_helper.php for now has resolved the issue.

I added $form .= '<input type="hidden" name="my_token" value="'.html_escape($value).'" style="display:none;" />'."\n"; right before   return $form;.

If this needs to be a permanent solution, I will add a custom CI config variable for the name versus hard coding.

I'd still like to take a look at CA and see what needs to be done. I just need to make the time to do it. I can't say what the solution is, but maybe CA should not allow for the login token to be renamed as a config var. As the name is hard coded into the Authentication library, its that way because the Authentication library needs a unique name. I think what you're asking is, do we need two token names ... and the answer may be yes.


RE: Community Auth Token Name - reesethebeast - 01-18-2018

(01-18-2018, 09:04 AM)skunkbad Wrote:
(01-18-2018, 08:14 AM)reesethebeast Wrote: Modifying /community_auth/helpers/MY_form_helper.php for now has resolved the issue.

I added $form .= '<input type="hidden" name="my_token" value="'.html_escape($value).'" style="display:none;" />'."\n"; right before   return $form;.

If this needs to be a permanent solution, I will add a custom CI config variable for the name versus hard coding.

I'd still like to take a look at CA and see what needs to be done. I just need to make the time to do it. I can't say what the solution is, but maybe CA should not allow for the login token to be renamed as a config var. As the name is hard coded into the Authentication library, its that way because the Authentication library needs a unique name. I think what you're asking is, do we need two token names ... and the answer may be yes.

Thanks for the reply. Yes, I think 2 tokens are needed or at least 2 names. This solution is working for now and I will await the results of your research.


RE: Community Auth Token Name - reesethebeast - 01-18-2018

(01-18-2018, 09:29 AM)reesethebeast Wrote:
(01-18-2018, 09:04 AM)skunkbad Wrote:
(01-18-2018, 08:14 AM)reesethebeast Wrote: Modifying /community_auth/helpers/MY_form_helper.php for now has resolved the issue.

I added $form .= '<input type="hidden" name="my_token" value="'.html_escape($value).'" style="display:none;" />'."\n"; right before   return $form;.

If this needs to be a permanent solution, I will add a custom CI config variable for the name versus hard coding.

I'd still like to take a look at CA and see what needs to be done. I just need to make the time to do it. I can't say what the solution is, but maybe CA should not allow for the login token to be renamed as a config var. As the name is hard coded into the Authentication library, its that way because the Authentication library needs a unique name. I think what you're asking is, do we need two token names ... and the answer may be yes.

Thanks for the reply. Yes, I think 2 tokens are needed or at least 2 names. This solution is working for now and I will await the results of your research.

Sorry, I spoke too soon. It looks like any AJAX request is now killing my session/logging me out.


RE: Community Auth Token Name - skunkbad - 01-18-2018

I made two commits this morning:

https://bitbucket.org/skunkbad/community-auth-for-codeigniter-3/commits/all

These commits have not been merged into the master branch, but you could test them out and tell me what your experience is.


RE: Community Auth Token Name - reesethebeast - 01-18-2018

Thanks. I will implement these changes and test.


RE: Community Auth Token Name - reesethebeast - 01-18-2018

Skunkbad,

After some trial and error, I just decided to change all of my AJAX code to use token versus my_token. This seems to work, for the first submission.

In a previous forum post of mine you stated "Since using a token removes it from the array of tokens, if you are using AJAX then you need to pass back a new token, and apply it to the hidden form element. You get a new token with $this->tokens->token();".

I have a table of records and a delete button on each row. As the first deletion works and the subsequent clicks fails, this means the token was removed from the jar. So based on your statement, I should pass back a new token from the AJAX call in my JSON response and update (via JQuery) the current hidden form element to contain the new token value, correct?