+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
+--- Thread: form_open helper can't generate https: action link? (/showthread.php?tid=74734)
form_open helper can't generate https: action link? - hncal - 10-30-2019
CI 3.x. I want to use CI helper form_open() to generate a simple login form because it can do anti-csrf automagically. Looking at the first step:
<?php echo form_open("foo/fum");?>
...
But the generated code specifying the action
<form action="http://www.example.com/foo/fum" method="post" accept-charset="utf-8">
...
is flagged by SSL checker missingpadlock.com as insecure -- currently the only flaw on my almost-ready-to-deploy site. I think this should be
<form action="https://www.example.com/foo/fum" method="post" accept-charset="utf-8">
...
but I cannot see a way tell the helper to prefix 'https:'. Obvious workaround: don't use form_open(), just straight PHP code to generate the form, but this means learning how to explicitly generate the anti-csrf function -- which I don't feel qualified to do -- or not using it.
Am I missing something incredibly obvious? It's very possible...
Meta-question: The site's security needs are minimal: login and logged-in users can change their own password and view restricted material -- that's all. I'm using a standard auth package which incorporates anti-brute-force. Maybe I don't need anti-csrf. How would I decide?
TIA
RE: form_open helper can't generate https: action link? - dave friend - 10-31-2019
What is the value you have assigned $config['base_url']? It should include the protocol and should look something like
PHP Code:
$config['base_url'] = 'https://example.com/'; //note the trailing slash
And yes, you need CSRF protection. It's best to use this too.
PHP Code:
$config['csrf_regenerate'] = TRUE;
RE: form_open helper can't generate https: action link? - hncal - 11-02-2019
Thanks very much! That's what I needed to know!
--closed--