CSRF Protection problem
#3

(03-05-2015, 02:50 PM)Avenirer Wrote: Maybe this is due to the expiration of csrf token?

I don't think so. It happens very randomly, so even if I deleted the cookies manually, it still happens. I've been struggling with this problem for quite some time now, and normally I ignored it, but sometimes my users need 10-15 attempts just to connect, which is really annoying.

I thought it had something to do with the CodeIgniter version, because it began to occur with version 3.x.

Currently I'm using release candidate 2.

Maybe it's helpful to say what I tried before:

- renaming the CSRF token name and cookie name (tried not to use _ or -, so for example "mycsrfcookie")
- disabling CSRF, just to test if this is really the problem: it is :D
- instead of writing the form with the form helper I tried something like this:
Code:
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash();?>" />
(not working either)


For information, I don't use ajax there.

Maybe it would help if I provide a little piece of code:

login-controller-method:
Code:
       [...]
       // Validate the submitted login form with the rules the user model defines
       $this->load->library( 'form_validation' );
       $this->form_validation->set_rules( $this->user->get_validation_rules() );

       if( TRUE === $this->form_validation->run() ) {
           // Credentials are checked in the model; on success go to the dashboard
           if( TRUE === $this->user->login() ) {
               redirect( base_url( 'dashboard' ) );
           } else {
               // Wrong name/password combination: flash a message and show the form again
               $this->session->set_flashdata( 'login_msg', $this->lang->line( 'login_wrong_combi' ) );
               redirect( base_url( 'login' ) );
           }
       }
       [...]

user-model method (the controller refers to it via $this->user):
Code:
   public function login()
   {
       // Look up the user by lower-cased name; row() returns NULL when nothing matches
       $user = $this->db->get_where( $this->table, array( 'name' => strtolower( $this->input->post( 'user' ) ) ) )->row();

       // row() yields NULL for "no such user", so test for that directly instead of count()ing an object
       if( NULL === $user )
           return false;

       // Verify the submitted password against the stored hash
       if( ! $this->passwordhash->CheckPassword( $this->input->post( 'password' ), $user->password ) )
           return false;

       // A role stored in the database that the auth library does not know is a configuration error
       if( false === ( $role = $this->simple_auth->getSA()->getRole( $user->role ) ) )
           show_error( "User role '" . $user->role . "' is not defined!" );

       // Persist the authenticated identity in the session
       $data = array(
               'id'        => $user->id,
               'name'      => $user->name,
               'logged_in' => true,
               'role'      => $user->role
       );

       $this->session->set_userdata( $data );
       return true;
   }

Just a short explanation:
If the user can be validated and verified, he's sent to the "dashboard"; otherwise he's redirected to the login page again.

I thought maybe setting the session data overrides the cookie, but then why would it work sometimes?
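The intermittent failures described in this post are what a double-submit-cookie CSRF check looks like from the user's side when the server-side token changes underneath an already-rendered form. The following is an added illustration, not code from the thread or from CodeIgniter itself: a from-scratch `CsrfGuard` class that mirrors the shape of such a check (cookie value compared to the hidden form field with `hash_equals`, optionally regenerated after each verified POST), plus a constructed two-tab scenario. The class name, the `$regenerate` switch and the scenario are assumptions made for this example; they stand in for a framework setting such as CodeIgniter 3's `csrf_regenerate` rather than reproducing its implementation.

```php
<?php
// Simplified model of a double-submit-cookie CSRF check (example code, not the
// framework's own Security class). The $cookie property stands in for the
// browser's cookie jar; each "tab" keeps a copy of the token rendered into its form.

final class CsrfGuard
{
    private bool $regenerate;        // issue a fresh token after every verified POST?
    private ?string $cookie = null;  // current token as stored in the browser cookie

    public function __construct(bool $regenerate)
    {
        $this->regenerate = $regenerate;
    }

    // Called when a page containing a form is rendered: creates the cookie if it
    // does not exist yet and returns the value to embed as the hidden field.
    public function renderForm(): string
    {
        if ($this->cookie === null) {
            $this->cookie = bin2hex(random_bytes(16));
        }
        return $this->cookie;
    }

    // Called on POST: the hidden field must equal the cookie, compared in
    // constant time. On success, optionally rotate the token.
    public function verifyPost(string $postedToken): bool
    {
        if ($this->cookie === null || !hash_equals($this->cookie, $postedToken)) {
            return false;
        }
        if ($this->regenerate) {
            $this->cookie = bin2hex(random_bytes(16)); // old token is now stale everywhere
        }
        return true;
    }
}

// Constructed scenario: the login page is open in two tabs (A and B). Tab A is
// submitted first (say, a wrong password that redirects back to the form);
// then the user submits tab B, whose hidden field still holds the original token.
function twoTabScenario(bool $regenerate): array
{
    $guard  = new CsrfGuard($regenerate);
    $tokenA = $guard->renderForm();  // tab A rendered, cookie created
    $tokenB = $guard->renderForm();  // tab B rendered, same cookie => same token

    $first  = $guard->verifyPost($tokenA);  // always passes
    $second = $guard->verifyPost($tokenB);  // fails only when the token was rotated
    return ['first' => $first, 'second' => $second];
}

print_r(twoTabScenario(true));   // first => true, second => false: looks "random" to the user
print_r(twoTabScenario(false));  // first => true, second => true: token stable for the session
```

Run with `php csrf_tabs.php`. The point for a defender is that per-request token rotation is not a security upgrade over a per-session token for this pattern (both are bound to the victim's cookie, which an attacking site cannot read), yet it creates a race whenever two requests carrying the same token are in flight, whether from a second tab, a double-click, a browser prefetch, or a redirect that re-renders the form. Keeping one token per session (or per login attempt) removes the race without weakening the check; if rotation is required, the rendered form and the cookie must be refreshed together on every response.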


Messages In This Thread
CSRF Protection problem - by Urastor - 03-05-2015, 06:54 AM
RE: CSRF Protection problem - by Avenirer - 03-05-2015, 02:50 PM
RE: CSRF Protection problem - by Urastor - 03-05-2015, 04:00 PM
RE: CSRF Protection problem - by stefanv - 03-06-2015, 01:06 PM


