CSRF override

Hello,
CSRF is useless. If you set up a curl request where you set the cookie and the POST param to the same value, you can load the page without problems even if you should get: "The action you requested is not allowed."
curl:
Code:
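<?php
// Placeholder: the post does not give the URL of the form being tested.
$url = 'https://example.test/form';

// The POST field and the cookie below carry the same value.
$poststring = 'csrf_test_name=123';

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Certificate verification is switched off, as in the original post.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $poststring);
curl_setopt($ch, CURLINFO_HEADER_OUT, true);
// Cookie header set by hand to match the POST field.
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Cookie: csrf_cookie_name=123"));
$output = curl_exec($ch);
curl_close($ch);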



I also opened an issue on GitHub: https://github.com/bcit-ci/CodeIgniter/issues/5244
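An added example, not part of the original post and not CodeIgniter's own code: a simplified model of the cookie-to-field comparison the post describes, next to a variant that binds the token to the session with an HMAC so a value the client makes up is rejected. The function names, the secret and the session id are assumptions constructed for illustration.

```php
<?php
// Added example. Simplified model, not CodeIgniter's implementation.
// Field and cookie names are the ones used in the post.

// Plain double-submit: passes whenever the cookie and the POST field match.
function plain_check(array $post, array $cookie): bool
{
    $p = $post['csrf_test_name'] ?? null;
    $c = $cookie['csrf_cookie_name'] ?? null;
    return is_string($p) && is_string($c) && hash_equals($c, $p);
}

// Assumed hardening: token = nonce "." HMAC-SHA256(secret, session id | nonce).
function issue_token(string $secret, string $sessionId): string
{
    $nonce = bin2hex(random_bytes(16));
    return $nonce . '.' . hash_hmac('sha256', $sessionId . '|' . $nonce, $secret);
}

// Signed double-submit: the pair must match AND carry a valid MAC for this session.
function signed_check(array $post, array $cookie, string $secret, string $sessionId): bool
{
    if (!plain_check($post, $cookie)) {
        return false;
    }
    $parts = explode('.', $post['csrf_test_name'], 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', $sessionId . '|' . $nonce, $secret);
    return hash_equals($expected, $mac);
}

// Constructed sample values.
$secret = 'constructed-server-side-secret';
$sid    = 'constructed-session-id';
$madeUp = [['csrf_test_name' => '123'], ['csrf_cookie_name' => '123']];
$token  = issue_token($secret, $sid);
$issued = [['csrf_test_name' => $token], ['csrf_cookie_name' => $token]];

echo 'plain,  made-up pair: ', var_export(plain_check(...$madeUp), true), PHP_EOL;
echo 'signed, made-up pair: ', var_export(signed_check($madeUp[0], $madeUp[1], $secret, $sid), true), PHP_EOL;
echo 'signed, issued token: ', var_export(signed_check($issued[0], $issued[1], $secret, $sid), true), PHP_EOL;
```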



