Strange behavior of CSRF tokens with a low csrf_expire (3.1.2)
#4

(01-27-2017, 06:58 AM)spjonez Wrote: What am I looking for? Here are screenshots of the cookies for the request to /token and the 403 that happens immediately upon using said token.

/token:

[Image: 5QgflwF.png]

/login 403 with that token:

[Image: bMKVXm4.png]

The params tab shows the same CSRF value that was returned in the response object from the previous call to /token.

These images don't show the csrf_cookie value - that's what you had to look for.

(01-27-2017, 06:58 AM)spjonez Wrote: Found the issue. All the requests I was sending were POST. My browser cookie was not being updated because of this line:
https://github.com/bcit-ci/CodeIgniter/b...y.php#L209

Changing the /token request to GET made it all work. Thanks!

Well, no ... actually because of a bug that was fixed in 3.1.3, which also contains a lot of other security patches. You should've updated first.

(01-27-2017, 06:58 AM)spjonez Wrote: Out of curiosity, you mentioned you thought this approach was a bad idea. Do you have an alternative solution where the user will never see a 403 error unless they are doing something they shouldn't be?

Not just the approach, the entire idea is bad.

Knowingly submitting a request that you know will fail is obviously bad, but while tracking the token by expiry time would be cleaner, it is still not a bullet-proof approach. In any case, whatever you do will amount to the same effect as setting a huge expiry time.

But the real problem is that you're going out of your way to disable a security feature. Often overlooked, but CSRF protection also guards against replay attacks, and against someone physically impersonating careless users who leave their browsers open. What you're trying to do nullifies those protections, and you'll now always refill the form with a valid token.
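An added model of the protection discussed above (constructed for this thread, not CodeIgniter's own code): a double-submit cookie with a short lifetime, compared against the hidden form field, with and without per-request token regeneration. It assumes csrf_expire of 60 seconds and a cookie named csrf_cookie; the Browser and serve() helpers are stand-ins for the real browser and framework.

```python
import hmac
import secrets

# Constructed model of CodeIgniter-style CSRF protection (double-submit cookie):
# the server keeps no state; it sets a cookie that lives csrf_expire seconds and
# rejects any POST whose hidden field does not equal the cookie it gets back.
CSRF_EXPIRE = 60  # seconds; the low csrf_expire the thread is about

class Browser:
    """Minimal cookie jar: an expired cookie is simply no longer sent."""
    def __init__(self):
        self.jar = {}  # name -> (value, expires_at)
    def set(self, name, value, expires_at):
        self.jar[name] = (value, expires_at)
    def get(self, name, now):
        v = self.jar.get(name)
        return v[0] if v and v[1] > now else None

def serve(browser, now, form_token=None, regenerate=True):
    """Handle one request at time `now`; returns (status, token for the next form)."""
    cookie = browser.get("csrf_cookie", now)
    if form_token is not None:  # a POST carrying the hidden field
        if cookie is None or not hmac.compare_digest(form_token, cookie):
            return 403, None    # missing/expired cookie or mismatch: reject
    # Issue a fresh token when none is present, or on every request when
    # regeneration is on (csrf_regenerate=TRUE); otherwise keep the old one.
    if cookie is None or regenerate:
        cookie = secrets.token_hex(16)
        browser.set("csrf_cookie", cookie, now + CSRF_EXPIRE)
    return 200, cookie

def scenario(submit_at, replay=False, regenerate=True):
    """Render a form at t=0 and POST its token at `submit_at`; with replay=True
    the very same token is POSTed again 5 seconds later."""
    b = Browser()
    _, token = serve(b, now=0, regenerate=regenerate)
    status, _ = serve(b, now=submit_at, form_token=token, regenerate=regenerate)
    if replay:
        status, _ = serve(b, now=submit_at + 5, form_token=token, regenerate=regenerate)
    return status
```

A submit after the cookie lifetime yields the 403 described in the thread, and with regeneration on a replayed form is rejected because the browser's cookie has already rotated; turning regeneration off lets the same captured token succeed twice.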


RE: Strange behavior of CSRF tokens with a low csrf_expire (3.1.2) - by Narf - 01-27-2017, 08:40 AM


