CodeIgniter Forums
Random 403 in Checkout with CI3 - Printable Version


Random 403 in Checkout with CI3 - z72diego - 04-18-2024

Hello everyone!

I gave up trying to solve it on my own, which is why I find myself here asking for help.

I run an online store based on CodeIgniter 3, which randomly (I think, since I was never able to reproduce the error) returns a POST 403 error specifically in the form that leads to the /checkout controller.

It is a problem, since the errors are seen by users and represent possible sales that may not be made.

I have my suspicions on the CSRF. I previously suspected CloudFlare, but after some tests I have ruled it out.

Any suggestions?

Thank you so much!


RE: Random 403 in Checkout with CI3 - ozornick - 04-19-2024

Yes, probably.
1. The token expires while the user is viewing the page.
2. The user opened two pages and the token was overwritten.
3. Problems with the session or cookies.


RE: Random 403 in Checkout with CI3 - z72diego - 04-20-2024

Thanks for your reply!

What information could I give you to get closer to the fix?

The error happens very frequently. I doubt the problem is that the token is expiring. I would rule it out. I'm leaning more towards a session or cookie issue, since testing with different pages open does not reproduce the error either.

CodeIgniter Version: 3.0.0
PHP Version: 7.4.33

These are my CSRF settings:

PHP Code:
$config['csrf_token_name'] = 'token';
$config['csrf_cookie_name'] = 'token';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = FALSE;
$config['csrf_exclude_uris'] = array(); 

Maybe this information will help. It is not directly related to the error 403 but maybe it is.

In the script I use some cron tasks, which I call from the scheduled tasks of the Plesk panel.

Every time they run, they produce this error in the log:

ERROR - 2024-04-20 19:59:03 --> Severity: Warning --> ini_set(): A session is active. You cannot change the session module's ini settings at this time /var/www/vhosts/mydomain/httpdocs/app/core/system/libraries/Session/Session_driver.php 188

Session config:

PHP Code:
$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = 'general_sessions';
$config['sess_expiration'] = 86400;
$config['sess_save_path'] = 'general_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 86400;
$config['sess_regenerate_destroy'] = FALSE;
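
The causes listed in the first reply can be told apart by recording why a POST was rejected. The following is an added example, not part of any post in this thread and not CodeIgniter's own code: a simplified model of a double-submit CSRF cookie check using the posted csrf_expire of 7200 seconds. CookieJar, render_form and submit_form are hypothetical names, and the model assumes the token is reused while the cookie is alive (as with csrf_regenerate = FALSE).

```php
<?php
// Added example: simplified model of a double-submit CSRF cookie check.
// Not CodeIgniter source; class and function names are hypothetical.
const CSRF_EXPIRE = 7200; // seconds, as in the posted csrf_expire

final class CookieJar {               // one visitor's browser (constructed)
    private ?string $value = null;
    private int $expiresAt = 0;
    public function get(int $now): ?string {
        return ($this->value !== null && $now < $this->expiresAt) ? $this->value : null;
    }
    public function set(string $value, int $now): void {
        $this->value = $value;
        $this->expiresAt = $now + CSRF_EXPIRE;
    }
}

// GET: reuse the cookie's token while it is alive (no per-request regeneration),
// otherwise mint a new one. Returns the value placed in the hidden form field.
function render_form(CookieJar $jar, int $now): string {
    $token = $jar->get($now) ?? bin2hex(random_bytes(16));
    $jar->set($token, $now);
    return $token;
}

// POST: hidden field and cookie must both exist and match, else 403.
// The reason string is what a diagnostic log line would record.
function submit_form(CookieJar $jar, ?string $posted, int $now): array {
    $cookie = $jar->get($now);
    if ($posted === null) { return [403, 'field missing']; }
    if ($cookie === null) { return [403, 'cookie missing or expired']; }
    if (!hash_equals($cookie, $posted)) { return [403, 'token mismatch']; }
    return [200, 'ok'];
}

// Case 1: form opened at t=0, submitted after the cookie lifetime has passed.
$jar = new CookieJar();
$tabA = render_form($jar, 0);
echo implode(' ', submit_form($jar, $tabA, 7300)), "\n";

// Case 2: the same stale tab, after a second tab was opened post-expiry
// and received a fresh token; only the second tab's form is accepted.
$tabB = render_form($jar, 7350);
echo implode(' ', submit_form($jar, $tabA, 7400)), "\n";
echo implode(' ', submit_form($jar, $tabB, 7400)), "\n";
```

Logging the equivalent reason on the real site for each rejected checkout POST separates an expired or missing cookie from a mismatched token.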