CodeIgniter Forums
Problem with Curl request and CSRF protection - Printable Version

Thread: Problem with Curl request and CSRF protection (/showthread.php?tid=90920)

Problem with Curl request and CSRF protection - son_link - 05-22-2024

Good morning, afternoon or evening, sorry for my English in advance.

I am porting an old web application to CI4, and I am having the following problem when calling its API using Curl from another web application, which is made with CI3.

From that other application (which has a different domain but is on the same server), at a given point I make a POST request through Curl, but the communication fails, and in the log generated by Curl I see that the problem is CSRF. (I changed the IP and URL for security reasons.)

*  Trying 127.0.01:443...
* Connected to ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*  start date: Feb  5 21:12:35 2024 GMT
*  expire date: Mar  8 21:12:35 2025 GMT
*  issuer: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x563eb1e89480)
> POST /index.php/api/koolpass.php HTTP/2
accept: */*
keep-alive: timeout=100, max=100
connection: keep-alive
content-length: 2491
content-type: application/x-www-form-urlencoded

* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 8)!
* We are completely uploaded and fine
< HTTP/2 403
* Added cookie PHPSESSID="70a3d8a88b2a1cf540d6eb984696275d" for domain, path /, expire 0
< set-cookie: PHPSESSID=70a3d8a88b2a1cf540d6eb984696275d; path=/; secure; HttpOnly
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< content-type: text/html; charset=UTF-8
< content-length: 563
< date: Wed, 22 May 2024 11:28:38 GMT
< server: OPNsense
<html><head><title>CSRF check failed</title>
              $( document ).ready(function() {
                  'beforeSend': function(xhr) {
                      xhr.setRequestHeader("X-CSRFToken", "WHdKODJaeEdpd3BlemFjQStXQmVVdz09" );
                  <p>CSRF check failed. Your form session may have expired, or you may not have cookies enabled.</p>
                  </body></html>* Connection #0 to host left intact

I have tried different CSRF configurations, and the same with Curl, but nothing works; it keeps failing, and the truth is that I am desperate by now.

This is the Curl code from the platform that sends the request:

PHP Code:
$ch = curl_init();
$params = http_build_query($params);
if (strtoupper($method) == 'POST') {
    curl_setopt($ch, CURLOPT_POST, true);
}

$headers = [
    'Keep-Alive: timeout=100, max=100',
    'Connection: keep-alive',
];

// Verbose
$file = fopen('curl.txt', 'w+');

// if ( ... ) -- condition cut off in the original post
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Authorization: ' . $apiKey,
    // ... remaining headers cut off in the original post
));

$resp = curl_exec($ch);

And this is how I have configured the CSRF filter; I even tried commenting it out.

PHP Code:
public array $globals = [
    'before' => [
        // 'honeypot',
        'csrf' => ['except' => ['api/*', 'index.php/api/*']],
        // 'invalidchars',
    ],
    'after' => [
        // 'honeypot',
        // 'secureheaders',
    ],
];

Thanks in advance
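Added example (not son_link's code, and not CodeIgniter's): a reworked version of the CI3-side Curl client above, with the verbose log actually wired to the file the post opens, peer certificate verification kept on (the log line "self-signed certificate (18), continuing anyway" means it was off), and a check of who answered. That last check is the one worth running first: the 403 in the log carries `server: OPNsense` and a `CSRF check failed` page, while CI4's CSRF filter rejects with the text "The action you requested is not allowed.", so the two cases can be told apart from the response itself. `$url`, `$params`, `$apiKey` and the CA bundle path are assumptions.

```php
<?php
// Added example, not the code from the original post. Assumes the same
// hypothetical $url, $params and $apiKey the post's snippet uses but does not show.

function callApi(string $url, array $params, string $apiKey, string $logFile = 'curl.txt'): array
{
    $ch = curl_init($url);

    // The post opened curl.txt but the lines wiring it to Curl were cut off;
    // CURLOPT_VERBOSE + CURLOPT_STDERR is what produces the "* ..." / "> ..." log.
    $log = fopen($logFile, 'w+');
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    curl_setopt($ch, CURLOPT_STDERR, $log);

    // Collect response headers so the caller can see WHO answered the request.
    $responseHeaders = [];
    curl_setopt($ch, CURLOPT_HEADERFUNCTION, function ($ch, string $line) use (&$responseHeaders): int {
        if (strpos($line, ':') !== false) {
            [$name, $value] = explode(':', $line, 2);
            $responseHeaders[strtolower(trim($name))] = trim($value);
        }
        return strlen($line); // Curl requires the number of bytes consumed
    });

    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => [
            'Authorization: ' . $apiKey,
            'Content-Type: application/x-www-form-urlencoded',
            'Accept: application/json',
        ],
        // The log shows "self-signed certificate (18), continuing anyway", i.e. peer
        // verification was off. Keep it on and trust the CA that issued the API's
        // certificate instead (the bundle path is an assumption).
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => '/etc/ssl/private/api-ca.pem',
        CURLOPT_TIMEOUT        => 15,
    ]);

    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    curl_close($ch);
    fclose($log);

    return [
        'status'  => $status,
        'body'    => (string) $body,
        'headers' => $responseHeaders,
        'error'   => $error,
    ];
}

// Tell a CI4 CSRF rejection apart from one produced by something in front of the app.
function explainCsrf403(array $result): string
{
    if ($result['status'] !== 403) {
        return 'not a 403';
    }
    $server = $result['headers']['server'] ?? '(no server header)';
    if (stripos($result['body'], 'CSRF check failed') !== false) {
        return "403 from '{$server}' with a non-CodeIgniter CSRF page: the request never reached "
             . 'the CI4 filter; check what is listening on that host and port';
    }
    if (stripos($result['body'], 'The action you requested is not allowed') !== false) {
        return 'CI4 SecurityException: the route is not covered by the except list, '
             . 'or the X-CSRF-TOKEN header / csrf_test_name field is missing';
    }
    return "403 from '{$server}' (unclassified)";
}

$result = callApi($url, $params, $apiKey);
if ($result['status'] !== 200) {
    error_log(explainCsrf403($result) . ($result['error'] !== '' ? ' (curl: ' . $result['error'] . ')' : ''));
}
```

Dropping the Keep-Alive and Connection headers is deliberate: the log shows the request was negotiated over HTTP/2, which forbids connection-specific header fields, so they do nothing useful there.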

RE: Problem with Curl request and CSRF protection - sherriprado - 06-10-2024

Hello, I think you should make sure that the request from the other application includes the CSRF token in the appropriate header or form field. In your Curl code, you're not explicitly setting the CSRF token. You can retrieve the CSRF token from the CI4 application and include it in your Curl request. For example, you can add the following line before making the Curl request:

curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'X-CSRFToken: ' . csrf_hash()
));

This assumes that you're using the default 'X-CSRFToken' header name for CSRF tokens in your CI4 application. Adjust the header name if you're using a different one.

RE: Problem with Curl request and CSRF protection - ozornick - 06-10-2024

It is not possible to get the correct CSRF token for another domain/folder with the project.

The except filter should have worked. Have you installed it on the requested domain?
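As an added example (not from any of the replies, and not CodeIgniter's own files): the CI4 side that the two replies above discuss. The CSRF hash is bound to the CI4 app's own cookie or session, so a second application cannot compute it, and CI4's default header name is in any case `X-CSRF-TOKEN` (configurable in app/Config/Security.php as `$headerName`, alongside the form field `$tokenName = 'csrf_test_name'`). For a server-to-server API the except list is the right tool, and the API key the client already sends in the `Authorization` header is what should authenticate the call. The filter alias `apikey`, the class `ApiKeyAuth`, the route prefix `api/*` and the `API_KEY` environment variable are assumptions.

```php
<?php
// Added example, not from the thread. Two files shown in one listing.

// ---- app/Config/Filters.php ----
namespace Config;

use App\Filters\ApiKeyAuth;
use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;
use CodeIgniter\Filters\Honeypot;
use CodeIgniter\Filters\InvalidChars;
use CodeIgniter\Filters\SecureHeaders;

class Filters extends BaseConfig
{
    public array $aliases = [
        'csrf'          => CSRF::class,
        'honeypot'      => Honeypot::class,
        'invalidchars'  => InvalidChars::class,
        'secureheaders' => SecureHeaders::class,
        'apikey'        => ApiKeyAuth::class, // assumed alias for the filter below
    ];

    public array $required = ['before' => [], 'after' => []];

    public array $globals = [
        'before' => [
            // Browser-facing routes keep CSRF. Patterns are compared against the
            // route path as CI4 sees it, which no longer contains the "index.php/"
            // segment, so 'api/*' is the pattern that matters.
            'csrf' => ['except' => ['api/*']],
        ],
        'after' => [],
    ];

    public array $methods = [];

    // API routes are authenticated by the Authorization header instead of CSRF:
    // CSRF protection exists for browser requests that carry cookies implicitly,
    // which a Curl call from another application (no cookie jar) does not.
    public array $filters = [
        'apikey' => ['before' => ['api/*']],
    ];
}

// ---- app/Filters/ApiKeyAuth.php ----
namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class ApiKeyAuth implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $expected = (string) env('API_KEY', ''); // API_KEY set in .env (assumption)
        $given    = $request->getHeaderLine('Authorization');

        // Constant-time comparison: a plain == leaks key prefix/length through timing.
        if ($expected === '' || ! hash_equals($expected, $given)) {
            return service('response')
                ->setStatusCode(401)
                ->setJSON(['error' => 'invalid API key']);
        }

        return null; // fall through to the controller
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        return null;
    }
}

// ---- app/Config/Security.php (the defaults the browser side keeps using) ----
// public string $csrfProtection = 'cookie';
// public string $tokenName  = 'csrf_test_name';   // hidden form field
// public string $headerName = 'X-CSRF-TOKEN';     // header for JavaScript callers
// public string $cookieName = 'csrf_cookie_name';
// public bool   $regenerate = true;
```

If the key never arrives at the filter, check the web server before the code: Apache running PHP as CGI/FastCGI drops the `Authorization` header unless it is passed through explicitly, which is why many APIs use a dedicated header such as `X-API-Key` instead. And, as the verbose log in the first post shows, confirm which process is actually answering on that host and port before touching the filter at all.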