Strange behavior of CSRF tokens with a low csrf_expire (3.1.2)
What am I looking for? Here are screenshots of the cookies for the request to /token and the 403 that happens immediately upon using said token.

/token: [screenshot]

/login 403 with that token: [screenshot]

The params tab shows the same CSRF value that was returned in the response object from the previous call to /token.

Found the issue. All the requests I was sending were POST. My browser cookie was not being updated because of this line: https://github.com/bcit-ci/CodeIgniter/b...y.php#L209

Changing the /token request to GET and it all works now. Thanks!

Out of curiosity, you mentioned you thought this approach was a bad idea. Do you have an alternative solution where the user will never see a 403 error unless they are doing something they shouldn't be?
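To make the failure mode in the post concrete, here is an added model (not CodeIgniter's code and not from the original thread) of a double-submit CSRF cookie whose server only (re)issues the cookie on non-POST requests, with the token endpoint whitelisted from the check. The cookie and field names, the 2-second expiry, the whitelisting of /token and the injected clock are assumptions made for this example. It shows that a token fetched with POST is never backed by a cookie in the browser, so the very next POST gets a 403, while a token fetched with GET works until the cookie expires.

```python
import hmac
import secrets

# Names and values below are assumptions for this model, not CodeIgniter's
# configuration. The behaviour mirrors what the post reports: the server
# only (re)issues the CSRF cookie on non-POST requests.
CSRF_COOKIE_NAME = "csrf_cookie"
CSRF_TOKEN_NAME = "csrf_token"
CSRF_EXPIRE = 2             # seconds; deliberately low, as in the thread
CSRF_EXCLUDED = {"/token"}  # the token endpoint is assumed to be whitelisted


class Server:
    """Double-submit CSRF check: the POST body token must equal the cookie."""

    def __init__(self, clock):
        self.clock = clock  # injected so expiry can be advanced without sleeping

    def handle(self, method, path, cookies, body):
        # Current hash: reuse the cookie the client sent, otherwise mint one.
        csrf_hash = cookies.get(CSRF_COOKIE_NAME) or secrets.token_hex(16)
        response = {"status": 200, "body": {}, "set_cookie": None}

        if method != "POST":
            # Non-POST request: the cookie is (re)issued with a fresh expiry.
            response["set_cookie"] = (CSRF_COOKIE_NAME, csrf_hash,
                                      self.clock() + CSRF_EXPIRE)
        elif path not in CSRF_EXCLUDED:
            sent = body.get(CSRF_TOKEN_NAME, "")
            expected = cookies.get(CSRF_COOKIE_NAME, "")
            if not (sent and expected and hmac.compare_digest(sent, expected)):
                response["status"] = 403
                return response
        # A whitelisted POST falls through: nothing verified, no cookie set.

        if path == "/token":
            response["body"]["csrf_hash"] = csrf_hash
        return response


class BrowserClient:
    """Minimal cookie jar that drops expired cookies before sending, like a browser."""

    def __init__(self, server, clock):
        self.server, self.clock, self.jar = server, clock, {}

    def request(self, method, path, body=None):
        now = self.clock()
        live = {k: v for k, (v, exp) in self.jar.items() if exp > now}
        resp = self.server.handle(method, path, live, body or {})
        if resp["set_cookie"]:
            name, value, exp = resp["set_cookie"]
            self.jar[name] = (value, exp)
        return resp


def login_after_token(token_method, delay):
    """Fetch a token with `token_method`, wait `delay` seconds, then POST /login.

    Returns the status code of the /login request.
    """
    now = [0.0]
    clock = lambda: now[0]
    client = BrowserClient(Server(clock), clock)
    token = client.request(token_method, "/token")["body"]["csrf_hash"]
    now[0] += delay
    return client.request("POST", "/login", {CSRF_TOKEN_NAME: token})["status"]


if __name__ == "__main__":
    print("POST /token, login at once:", login_after_token("POST", 0))
    print("GET  /token, login at once:", login_after_token("GET", 0))
    print("GET  /token, login after expiry:", login_after_token("GET", 5))
```

The injected clock is what lets the expiry be replayed deterministically; a real browser does the same pruning of expired cookies before each request, which is why a short csrf_expire exposes the stale-cookie problem so quickly. The model also shows the constant-time comparison (`hmac.compare_digest`) that a double-submit check should use.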
Messages In This Thread
Strange behavior of CSRF tokens with a low csrf_expire (3.1.2) - by spjonez - 01-26-2017, 01:06 PM
RE: Strange behavior of CSRF tokens with a low csrf_expire - by Narf - 01-26-2017, 01:46 PM
RE: Strange behavior of CSRF tokens with a low csrf_expire (3.1.2) - by spjonez - 01-27-2017, 06:58 AM
RE: Strange behavior of CSRF tokens with a low csrf_expire (3.1.2) - by Narf - 01-27-2017, 08:40 AM
RE: Strange behavior of CSRF tokens with a low csrf_expire (3.1.2) - by spjonez - 01-27-2017, 09:02 AM
RE: Strange behavior of CSRF tokens with a low csrf_expire (3.1.2) - by Narf - 01-27-2017, 11:11 AM
RE: Strange behavior of CSRF tokens with a low csrf_expire (3.1.2) - by spjonez - 01-27-2017, 11:42 AM