-
GGitzOle Junior Member
 
Hi!
I seem to have an issue with cookies on my CodeIgniter. I'm using the latest update and have just upgraded from previous old versions so I have a feeling it might be something to do with this.
Anyway, when I set
$csrfProtection = 'cookie' in config/Security.php
and have
public $regenerate = false;
no matter what I do, the CSRF token is always regenerated upon page refresh.
However, if I set $csrfProtection = 'session' it works fine and the token stays the same.
I'm not sure what is causing this. I have a default config/Cookie.php file, with public $secure = true; turned on.
Cookies are being accepted since my user login system works fine.
Anyone got an idea of where I can look into debugging this issue?
-
kenjis Administrator
      
Can't reproduce.
PHP Code: --- a/app/Config/Filters.php +++ b/app/Config/Filters.php @@ -34,7 +34,7 @@ class Filters extends BaseConfig public $globals = [ 'before' => [ // 'honeypot', - // 'csrf', + 'csrf', // 'invalidchars', ], 'after' => [
--- a/app/Config/Security.php +++ b/app/Config/Security.php @@ -83,7 +83,7 @@ class Security extends BaseConfig * * @var bool */ - public $regenerate = true; + public $regenerate = false;
/** * --------------------------------------------------------------------------
--- a/app/Controllers/Home.php +++ b/app/Controllers/Home.php @@ -6,6 +6,8 @@ class Home extends BaseController { public function index() { - return view('welcome_message'); + helper('form'); + + return csrf_hash(); } }
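Review bot: In the app/Config/Security.php hunk, `public $regenerate = false;` leaves one token value valid for every submission until the cookie expires, and the visible docblock (`@var bool`) gives no reason for turning it off. Add a short comment that this is set only to reproduce the report, or restore `true` once the test is done.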
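Review bot: In the app/Controllers/Home.php hunk, `helper('form');` is loaded but nothing from the form helper is called in the added lines; the only call is `csrf_hash()`. Drop the helper line unless a later change in this method actually uses a form function.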
Cookie is sent in the first response once:
Code:
{
    "Response Cookies": {
        "csrf_cookie_name": {
            "expires": "2022-03-03T08:02:51.000Z",
            "httpOnly": true,
            "path": "/",
            "samesite": "Lax",
            "value": "05ebfaeb7430816961482f3c2dfae2a0"
        }
    }
}
And when I reload the page, my browser sends the cookie:
Code:
{
    "Request Cookies": {
        "csrf_cookie_name": "05ebfaeb7430816961482f3c2dfae2a0"
    }
}
-
GGitzOle Junior Member
 
03-06-2022, 06:53 AM
(This post was last modified: 03-06-2022, 07:01 AM by GGitzOle.)
Thanks for your reply.
I just installed a fresh CI 4.1.9 framework and I still can't get cookies to work. Are there any default settings needed to get it to work? I'm using a subdomain like dev.mysite.com but not sure if that affects it.
PHP Code:
setcookie("TestCookie", 123, time()+3600);

// Using the constructor
$cookie = new Cookie(
    'remember_token',
    'f699c7fd18a8e082d0228932f3acd40e1ef5ef92efcedda32842a211d62f0aa6',
    [
        'expires'  => new DateTime('+2 hours'),
        'prefix'   => '__Secure-',
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'raw'      => false,
        'samesite' => Cookie::SAMESITE_LAX,
    ]
);
echo $cookie->getName(); // 'remember_token'
echo "Cookie Test";
exit();
The TestCookie works and is set using PHP's native setcookie function. Trying to use the CodeIgniter Cookie Class and it doesn't do anything.
When I echo $cookie->getName() it shows "remember_token", so the data being passed seems fine.
Not sure if there is an issue on my server that is causing this conflict. I've tried looking at the system/Cookie/Cookie.php file to see how it works but I'm too inexperienced to follow the path and figure out what is causing it.
Any help on where to look next for debugging it?
-
GGitzOle Junior Member
 
(03-06-2022, 04:57 PM)kenjis Wrote: What do you mean by "Cookie works"?
Did you see HTTP headers?
Hi,
By works I mean I can see the TestCookie in my Firefox dev console under the Network Tab -> Cookies. The Remember_me cookie does not show up at all.
-
kenjis Administrator
      
03-07-2022, 01:27 AM
(This post was last modified: 03-07-2022, 01:28 AM by kenjis.)
(03-07-2022, 01:10 AM)GGitzOle Wrote: By works I mean I can see the TestCookie in my Firefox dev console under the Network Tab -> Cookies. The Remember_me cookie does not show up at all.
Because you just created a Cookie object, and did not send it.
PHP Code:
public function index()
{
    $cookie = new Cookie(
        'remember_token',
        'f699c7fd18a8e082d0228932f3acd40e1ef5ef92efcedda32842a211d62f0aa6',
        [
            'expires'  => new DateTime('+2 hours'),
            'prefix'   => '__Secure-',
            'path'     => '/',
            'domain'   => '',
            'secure'   => true,
            'httponly' => true,
            'raw'      => false,
            'samesite' => Cookie::SAMESITE_LAX,
        ]
    );

    $this->response->setCookie($cookie);
}
-
GGitzOle Junior Member
 
(03-07-2022, 01:27 AM)kenjis Wrote: (03-07-2022, 01:10 AM)GGitzOle Wrote: By works I mean I can see the TestCookie in my Firefox dev console under the Network Tab -> Cookies. The Remember_me cookie does not show up at all.
Because you just created a Cookie object, and did not send it.
PHP Code:
public function index()
{
    $cookie = new Cookie(
        'remember_token',
        'f699c7fd18a8e082d0228932f3acd40e1ef5ef92efcedda32842a211d62f0aa6',
        [
            'expires'  => new DateTime('+2 hours'),
            'prefix'   => '__Secure-',
            'path'     => '/',
            'domain'   => '',
            'secure'   => true,
            'httponly' => true,
            'raw'      => false,
            'samesite' => Cookie::SAMESITE_LAX,
        ]
    );

    $this->response->setCookie($cookie);
}
Thank you for this!
Looks like the issue was because I was using exit(); inside the controller method and this was stopping the Cookie from being set.
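The outcome of this thread as a before/after pair. This is an added example, not code posted by either participant or taken from CodeIgniter itself; the controller name CookieDemo and its method names are hypothetical, and it assumes a CodeIgniter 4.1.x app served over HTTPS.

```php
<?php

namespace App\Controllers;

use CodeIgniter\Cookie\Cookie;
use DateTime;

// Hypothetical demo controller (name assumed for this example).
class CookieDemo extends BaseController
{
    private function rememberCookie(): Cookie
    {
        return new Cookie(
            'remember_token',
            bin2hex(random_bytes(32)), // constructed sample value
            [
                'expires'  => new DateTime('+2 hours'),
                // Browsers accept a __Secure- name only with Secure set, over HTTPS.
                'prefix'   => '__Secure-',
                'path'     => '/',
                'secure'   => true,
                'httponly' => true,
                'samesite' => Cookie::SAMESITE_LAX,
            ]
        );
    }

    // Before: setCookie() only queues the cookie on the response object.
    // exit() ends the request before the framework sends that response,
    // so the body is echoed but no Set-Cookie header goes out.
    public function broken()
    {
        $this->response->setCookie($this->rememberCookie());
        echo 'Cookie Test';
        exit();
    }

    // After: return the response and let the framework send the queued
    // cookie together with the body.
    public function fixed()
    {
        return $this->response
            ->setCookie($this->rememberCookie())
            ->setBody('Cookie Test');
    }
}
```

In the browser's Network tab the cookie appears under its prefixed name, `__Secure-remember_token`, on the response from `fixed()` only.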