Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums General Lounge [Solved] Any thing better than CSRF
[Solved] Any thing better than CSRF
  • Offline wolfgang1983
    Senior Member
  • ****
  • Posts: 627
    Threads: 271
    Joined: Oct 2014
    Reputation: 7
#11
12-20-2016, 01:10 AM

(12-17-2016, 02:30 AM)Diederik Wrote: I remember I ran into such an issue a while ago. Turned out I made some misrake where it ran form / csrf validation twice. So the first check regenerated the csrf key so the secind pass would always return false... Perhaps you could try finding such a case in your code. To trace this case I put some debug echo code in the core form validation/csrf files.

Hello,

I have found this which redirects back to page instead of showing CSRF error is that safe?

Found here https://github.com/benedmunds/CodeIgnite...t-60716698


PHP Code:
<?php

class MY_Security extends CI_Security {

    public function __construct()
    {
        parent::__construct();
    }

    public function csrf_show_error()
    {
        // show_error('The action you have requested is not allowed.');  // default code

        // force page "refresh" - redirect back to itself with sanitized URI for security
        // a page refresh restores the CSRF cookie to allow a subsequent login
        header('Location: ' htmlspecialchars($_SERVER['REQUEST_URI']), TRUE200);
    }


There's only one rule - please don't tell anyone to go and read the manual.  Sometimes the manual just SUCKS!
Reply
  • Offline Diederik
    Senior Member
  • ****
  • Posts: 299
    Threads: 0
    Joined: Jan 2015
    Reputation: 20
#12
12-20-2016, 03:13 AM
(This post was last modified: 12-20-2016, 05:01 AM by Diederik.)

Can you verify that the CSFR cookies are set at all in your browser? If they dont exists it could be that you have enabled secure cookies in your config file and use a unsecured connection. With this setting cookies only get placed if you use a secure connection (https://).

Code:
$config['cookie_secure'] = FALSE;

*edit: I missed you posted your config file.

And please turn on your log to see what is happening. Be default it gives you some details on when CSFR cookies are places and verified. If you need more information to debug your issue properly then extend the class and alter some functions and add more logging statements in the code.

PHP Code:
<?php

class MY_Security extends CI_Security {

    public function __construct()
    {
        parent::__construct();
    }

    /**
     * CSRF Verify DEBUG
     *
     * @return  CI_Security
     */
    public function csrf_verify()
    {

        log_message('info''CSRF csrf_verify start');

        // If it's not a POST request we will set the CSRF cookie
        if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')
        {
            return $this->csrf_set_cookie();
        }

        // Check if URI has been whitelisted from CSRF checks
        if ($exclude_uris config_item('csrf_exclude_uris'))
        {
            $uri load_class('URI''core');
            foreach ($exclude_uris as $excluded)
            {
                if (preg_match('#^'.$excluded.'$#i'.(UTF8_ENABLED 'u' ''), $uri->uri_string()))
                {

                    log_message('info''CSRF url was excluded from CSRF check');
                    return $this;
                }
            }
        }

        // Do the tokens exist in both the _POST and _COOKIE arrays?
        if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
            OR $_POST[$this->_csrf_token_name] !== $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match?
        {
            log_message('info''CSRF tokens exist in both the _POST and _COOKIE arrays');
            $this->csrf_show_error();
        }

        // We kill this since we're done and we don't want to polute the _POST array
        unset($_POST[$this->_csrf_token_name]);

        // Regenerate on every submission?
        if (config_item('csrf_regenerate'))
        {

            // Nothing should last forever
            unset($_COOKIE[$this->_csrf_cookie_name]);
            $this->_csrf_hash NULL;

            log_message('info''CSRF was regenerate (Cookie removed)');

        }

        log_message('info''CSRF executing _csrf_set_hash');
        $this->_csrf_set_hash();

        log_message('info''CSRF executing csrf_set_cookie');
        $this->csrf_set_cookie();

        log_message('info''CSRF token verified');
        return $this;
    }


Reply
  • Offline wolfgang1983
    Senior Member
  • ****
  • Posts: 627
    Threads: 271
    Joined: Oct 2014
    Reputation: 7
#13
12-22-2016, 08:21 PM
(This post was last modified: 12-22-2016, 09:23 PM by wolfgang1983.)

I think I have found solution now.

I don't get CSRF error now when I use form helper functions like example

PHP Code:
<?php echo form_open_multipart('controller/function');>

<?php echo form_input('username''username');?>

<?php echo form_close();?>

If I have input like below then the CSRF error will show


PHP Code:
<?php echo form_open_multipart('controller/function');>

<input type="text" name="username" />

<?php echo form_close();?>

So I think it's best to use all form helper functions

I can now use $config['csrf_regenerate'] = TRUE; with out error showing and Not extending Security


PHP Code:
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'my_post_key';
$config['csrf_cookie_name'] = 'cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array(); 
There's only one rule - please don't tell anyone to go and read the manual.  Sometimes the manual just SUCKS!
Reply




Theme © iAndrew 2016 - Forum software by © MyBB