PyroCMS and CSRF
#1

[eluser]ashley4mj[/eluser]
Hi there, I am new to PyroCMS and relatively new to CI as well.
I was just trying to figure out how PyroCMS handles CSRF. They do say on their website that it's secure with a strong password, XSS filtering and CSRF protection, but I am not able to locate how it handles CSRF.

In the config file, the CSRF entry is set to false, so I guess it's not using the CI CSRF functionality... or perhaps using it in some other way.

Can anyone throw some light on this? Thanks!
#2

[eluser]CroNiX[/eluser]
http://www.pyrocms.com/forums might be a better place to ask specific questions about PyroCMS
#3

[eluser]Phil Sturgeon[/eluser]
We wrote that line about having CSRF protection when we had it enabled by default, but obviously have not updated it since we were forced to disable CSRF by default.

The issue is that the CI implementation of CSRF is not perfect. It got better in 2.1 and has some changes for 3.0 which will make it more usable, but it was causing more trouble than it ever solved in 2.0 - which is unfortunate!

You can enable it in any version, but in 1.3 or 2.0 don't expect to be able to integrate with PayPal at all, or open more than one tab that has a form without issues. PyroCMS 2.1 upgrades to using CodeIgniter 3.0, so it should be safe to turn it back on again.
#4

[eluser]ashley4mj[/eluser]
@Phil, thanks for the info. I am working on an application with CI and I must say that PyroCMS is a great app to learn many aspects of how to handle things with CI. Thanks for keeping it open source :)

I am using CI 2.1, so do you think it would be fine to enable CSRF? What problems can be faced? If not, then what could be an alternative? Any ideas would be great.
Thanks..
#5

[eluser]Phil Sturgeon[/eluser]
I've already mentioned two issues: you can't load two or more pages that contain forms, as the CSRF tokens override each other, and third-party sites cannot post data (PayPal IPN for example).

I'm pretty sure 3.0 has had a "whitelist" feature added, if not there is an outstanding pull request waiting for that to be added and I also believe the token overriding issues have been resolved. I can't remember offhand and I'm on a plane ;-)
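An added example, not code from the thread or from PyroCMS: the CodeIgniter 3 CSRF config keys that address the two problems described above (a fresh token issued after each valid POST, which leaves a form open in another tab holding a stale token, and no way to exempt third-party callbacks). The `payment/ipn` route is an assumed placeholder.

```php
<?php
// application/config/config.php (CodeIgniter 3.x config keys)

// Settings that reproduce the behaviour complained about in the thread:
// protection is on, but the token is regenerated after every valid POST,
// so a form already open in a second tab carries a token that the first
// tab's submission has invalidated, and nothing posted from outside the
// browser (PayPal IPN) carries a token at all, so it is rejected.
$config['csrf_protection']   = TRUE;
$config['csrf_token_name']   = 'csrf_test_name';
$config['csrf_cookie_name']  = 'csrf_cookie_name';
$config['csrf_expire']       = 7200;
$config['csrf_regenerate']   = TRUE;     // new token after each submission
$config['csrf_exclude_uris'] = array();  // no URI may be posted to without a token

// Adjusted settings for the two cases raised above. CSRF protection stays
// on for every ordinary form; only the specific problems are addressed.
$config['csrf_regenerate']   = FALSE;    // one token per session: open tabs share it
$config['csrf_exclude_uris'] = array(
    // Assumed route for the PayPal IPN callback. The controller behind it
    // now receives unauthenticated POSTs, so it must validate each message
    // with PayPal itself rather than trust the request body.
    'payment/ipn',
);
```

Keep the exclusion list to callback endpoints that a human browser never submits to; every excluded URI is one the CSRF filter no longer covers.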
#6

[eluser]ashley4mj[/eluser]
Thanks again.. I thought the issues you mentioned were for CI < 2.1

Read your reply again and got it :P... I can live with the two issues that you have mentioned... for this small application at least. Will put it in place and keep testing with crossed fingers.
#7

[eluser]Future Webs[/eluser]
Is the develop branch on Git V3.0 ?

I'm pretty sure I'm running 2.11 and have the problems with opening new tabs.

I would rather not turn it off for now, but it would be good to see what differences V3.0 makes, as I could set it to run 2.11 for the public and V3.0 for me and a few testers to see if it gets round the issue.