+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forumdisplay.php?fid=28)
+--- Forum: CodeIgniter 4 Support (https://forum.codeigniter.com/forumdisplay.php?fid=30)
+--- Thread: Error at Login - "The action you requested is not allowed (/showthread.php?tid=86539)
Pages:
1
2
Error at Login - "The action you requested is not allowed - spreaderman - 01-31-2023
I recently copied my website from one domain to another. Unfortunatley, login does work anymore. In the session dir, I can see this the ci_session txt file:
__ci_last_regenerate|i:[snip number];error|s:40:"The action you requested is not allowed.";__ci_vars|a:1:{s:5:"error";s:3:"new";}
Not sure how to debug this or the meaning of the error message. Any pointers appreciated.
When I moved over the site, I did delete all session ids.
Running https only on both sites.
RE: Error at Login - "The action you requested is not allowed - kenjis - 01-31-2023
It is the error message when CSRF token check fails.
See https://codeigniter4.github.io/CodeIgniter4/libraries/security.html#cross-site-request-forgery-csrf
RE: Error at Login - "The action you requested is not allowed - spreaderman - 02-02-2023
(01-31-2023, 09:16 PM)kenjis Wrote: It is the error message when CSRF token check fails.
See https://codeigniter4.github.io/CodeIgniter4/libraries/security.html#cross-site-request-forgery-csrf
Hi Kenjis, many thanks for that link. I have read through it again. I cannot find my error. The code is a copy from another website that works. I merely changed the domain. Both use ssl, env changed domains, deleted all session just to be safe. I checked that the forms on both sites are identical and that the token is included in the form in both sites. I only except an Api and Admin route per below. Files permissions and ownership checked and are identical (drwxr-xr-x 2 www-data www-data 1327104 Feb 2 04:29 session). Any think I am missing. Much appreciate your feedback.
public $globals = [
'before' => [
'csrf' => ['except' =>
['Api/*', 'Admin/*'],
],
],
'after' => [
'toolbar',
],
];
RE: Error at Login - "The action you requested is not allowed - kenjis - 02-02-2023
When you try to login, what happens?
Unfortunately I cannot see your screen, so
"login does work anymore" shows nothing to me.
RE: Error at Login - "The action you requested is not allowed - spreaderman - 02-02-2023
(02-02-2023, 03:20 AM)kenjis Wrote: When you try to login, what happens?
Unfortunately I cannot see your screen, so
"login does work anymore" shows nothing to me.
Here is my login form;
Code:
<?= $this->extend('__templates/user_public/bootswatch'); ?>
<?= $this->section('title'); ?>Login<?= $this->endSection(); ?>
<?= $this->section('content'); ?>
<div class="container">
<?php
$form = array(
'class' => 'form-control border-0',
);
$email = array(
'name' => 'email',
'id' => 'floatingInput',
'value' => old('email'),
'style' => '',
'class' => 'form-control',
'placeholder' => '[email protected]'
);
$password = array(
'name' => 'password',
'id' => 'floatingInput',
'type' => 'password',
'style' => '',
'class' => 'form-control',
);
?>
<div class="form-group">
<?= form_open('/login', $form); ?>
<!-- show errors -->
<?php echo bootstrapAlert(); ?>
<h1>Login</h1>
<label class="form-label mt-4">Please log in</label>
<div class="form-floating col-md-5 mt-4">
<?= form_input($email); ?>
<label for="floatingInput">Email Address</label>
</div>
<div class="form-floating col-md-5 mt-4">
<?= form_password($password); ?>
<label for="floatingPassword">Password</label>
</div>
<div class="lfloat mt-4">
<button class="btn btn-primary">Login</button> <a href="/password/forgot">Forgot Password?</a>
</div>
</form>
</div>
</div> <!-- end container -->
<?= $this->endSection(); ?>This is my route;
Code:
$routes->match(['get', 'post'], '/login', 'User_public\Login\Login_Controller::login_create', ['filter' => 'LoggedInNoAccessFilter']);and this is my login controller;
Code:
public function login_create()
{
$auth = new \App\Libraries\Authentication;
if ($this->request->getMethod() === 'post') {
//echo $this->input->server('REQUEST_METHOD');
//echo "here"; die();
$email = $this->request->getPost('email');
$password = $this->request->getPost('password');
// check username password and whether user bannded
if ( ($auth->login($email, $password)) && (!$this->is_banned($this->get_user_ip())) ){
$redirect_url = session('redirect_url') ?? '/';
unset($_SESSION['redirect_url']);
//print_r($this->log_useragent()); die();
return redirect()->to($redirect_url)
->with('info', 'Login Successfull');
} else {
// add entry to login_fail table
$this->login_fail_create();
if ($this->is_banned($this->get_user_ip())) {
return redirect()->back()
->with('warning', 'User Banned')
->withInput();
} else {
return redirect()->back()
->with('warning', 'Invalid Credentials or Account Not Activated')
->withInput();
}
}
} else {
// make the right menu item active
$this->data['active_menu'] = 'login_create';
return view('User_public/Login/login_create', $this->data );
}
}I have just notice that this after I post the form, this appears to be false and skips it.
Code:
if ($this->request->getMethod() === 'post') {but no idea why :-(
When I submit, it is simply redirected to / my home page.
Also, when I open the page to /login, i delete the log file... then I click the login button. I placed log_message but nothing in the log file! When I initially load the page, the log shows GET.
Code:
public function login_create()
{
log_message('error', $this->request->getMethod());RE: Error at Login - "The action you requested is not allowed - kenjis - 02-02-2023
How did you configure CSRF protection filter?
RE: Error at Login - "The action you requested is not allowed - spreaderman - 02-02-2023
Here is my filter:
Code:
namespace Config;
use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;
use CodeIgniter\Filters\DebugToolbar;
use CodeIgniter\Filters\Honeypot;
class Filters extends BaseConfig
{
public $aliases = [
'csrf' => CSRF::class,
'toolbar' => DebugToolbar::class,
'honeypot' => Honeypot::class,
'login' => \App\Filters\LoginFilter::class,
'admin' => \App\Filters\AdminFilter::class,
'LoggedInNoAccessFilter' => \App\Filters\LoggedInNoAccessFilter::class,
];
public $globals = [
'before' => [
'csrf' => ['except' =>
['Api/*', 'Admin/*'],
],
],
'after' => [
'toolbar',
],
];
public $methods = [];
public $filters = [
'login' => [
'before' => [
'Tasks(/*)?',
'Admin/*',
'User_private/*',
'Profile/*'.
'profileimage/*'
]
],
'admin' => [
'before' => [
'admin/*'
]
],
'LoggedInNoAccessFilter' => [
'before' => [
'LoggedInNoAccessFilter'
]
],
];
}RE: Error at Login - "The action you requested is not allowed - kenjis - 02-02-2023
You are using form_open() and global csrf filter, so CSRF token will be set automatically.
So CSRF protection should work.
If you set the $redirect to false, you will see an Exception when CSRF check fails.
https://codeigniter4.github.io/CodeIgniter4/libraries/security.html#redirection-on-failure
RE: Error at Login - "The action you requested is not allowed - luckmoshy - 02-03-2023
of course, CI 4+ has strong CSRF capability and CSRF is not concerned with your filter. in my base opinion try to off
Code:
CSRFCode:
php spark cache: clearPHP Code:
$routes->match(['get', 'post'], 'login', 'User_public\Login\Login_Controller::login_create', ['filter' => 'LoggedInNoAccessFilter']);
another way try to check PHP v. these are among gave some headaches in the past now there is also CSRF attention needed on also CI 4.3.1 I have recently faced the same on this new version with its shield Auth
RE: Error at Login - "The action you requested is not allowed - spreaderman - 02-06-2023
Many thanks for your suggestions luckmoshy.
This worked!! :-)
php spark cache: clear
It is stange because sometimes login and sometimes now. As the above command worked, will monitor it to see when/why *if* fails again.
When you say, turn off CSRF, you mean it would be better to implement manually?
You mean I should also try by *adding* // in front of the route and not using routing, as a test?