CSRF Protection not being set
#1

Hey everyone!

Long time since I've had an issue, hope you guys can help.

I've been running CodeIgniter on my production servers for quite some time without any issue. Spontaneously this afternoon I started receiving errors with people not being able to post to any of my forms.

After looking into it I noticed that my csrf_cookie was not being set. Has anyone ever encountered this issue? My config['csrf_protection'] is set to true and nothing else has changed.

What's confusing me even more is that my development box which is running the exact same code as production is setting my csrf token just fine. Weird one!
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
#2

Self hosted or w/ a hosting company? My host will make server changes and do updates that break my site every so often. I usually call them up and they fix it. Especially if you haven't made any changes and it just stopped working, I'd blame the host.
#3

(This post was last modified: 06-21-2017, 08:21 PM by albertleao.)

AWS EC2 using OpsWorks. I'm using the exact same Chef recipes as I have been for months. My app is still setting all the other cookies correctly, but it fails to set my CSRF one.
#4

(This post was last modified: 06-21-2017, 08:53 PM by albertleao.)

Man, after hours of debugging I figured it out.

For anyone who runs into this issue in the future, here's what I went through.

I use Cloudflare as a DNS provider which routes my URL to an Elastic Load Balancer in Amazon. The connection the user has to my Cloudflare DNS has HTTPS encryption, but somehow the connection from Cloudflare to my ELB to my servers lost its HTTPS. So while the user was still transmitting all data via HTTPS, the CodeIgniter app still saw the request as non-HTTPS.

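On line 267 of system/core/Security.php you'll see:

PHP Code:
// Secure-only cookie configured, but the request is not seen as HTTPS:
// bail out without setting the CSRF cookie.
if ($secure_cookie && ! is_https())
{
    return FALSE;
}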

Thus it was returning false and not setting my csrf cookie.

Problem solved though!

Thank you skunkbad for the input though, I wasn't even thinking of something 'outside' of the app since it's all hosted on amazon. +1 rep for you
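The failure described in post #4, as an added example that is not part of the original post and is not CodeIgniter's own source: a small PHP script that reproduces the quoted guard against constructed `$_SERVER` samples. The function names `request_looks_https()` and `csrf_cookie_would_be_set()` are hypothetical, and the header checks are an assumption about how `is_https()` decides.

```php
<?php
// Added illustration. Function names are hypothetical, sample data is constructed.

// Stand-in for is_https(): assumes a request counts as HTTPS when the web
// server terminated TLS itself, or a proxy in front of it reports that it did.
function request_looks_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return !empty($server['HTTP_FRONT_END_HTTPS'])
        && strtolower($server['HTTP_FRONT_END_HTTPS']) !== 'off';
}

// Mirrors the guard quoted from Security.php: a secure-only cookie is not
// sent when the request does not look like HTTPS.
function csrf_cookie_would_be_set(array $server, bool $secure_cookie): bool
{
    return !($secure_cookie && !request_looks_https($server));
}

// Constructed $_SERVER samples for three deployment shapes.
$samples = [
    'TLS terminated on the app server'      => ['HTTPS' => 'on'],
    'proxy terminates TLS, forwards scheme' => ['HTTP_X_FORWARDED_PROTO' => 'https'],
    'proxy hop downgraded to plain HTTP'    => ['HTTP_X_FORWARDED_PROTO' => 'http'],
];

foreach ($samples as $label => $server) {
    foreach ([true, false] as $secure_cookie) {
        printf(
            "%-38s secure_cookie=%-5s seen_as_https=%-5s csrf_cookie=%s\n",
            $label,
            var_export($secure_cookie, true),
            var_export(request_looks_https($server), true),
            csrf_cookie_would_be_set($server, $secure_cookie) ? 'set' : 'SKIPPED'
        );
    }
}
```

Only the last sample with the secure-cookie setting enabled reports `SKIPPED`, which matches the symptom in the thread: the browser speaks HTTPS to the edge, but the origin sees plain HTTP. A forwarded-scheme header is only trustworthy when the origin accepts traffic exclusively from the proxy that sets it.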
#5

I've been doing this long enough to have some decent instincts on the sources of problems. Yours was a weird one for sure. Glad you figured it out!