[Solved] Any thing better than CSRF
#12

(This post was last modified: 12-20-2016, 05:01 AM by Diederik.)

Can you verify that the CSRF cookies are set at all in your browser? If they don't exist, it could be that you have enabled secure cookies in your config file while using an unsecured connection. With this setting, cookies are only placed if you use a secure connection (https://).

Code:
// FALSE lets the CSRF cookie be sent over plain HTTP, which is what makes it
// appear at all on a non-https:// site. Keep it TRUE wherever the site is
// served over https:// so the cookie is never transmitted in clear text.
$config['cookie_secure'] = FALSE;

*edit: I missed that you had already posted your config file.

And please turn on your log to see what is happening. By default it gives you some details on when CSRF cookies are placed and verified. If you need more information to debug your issue properly, extend the class, override the relevant functions and add more logging statements to the code.

PHP Code:
<?php

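class MY_Security extends CI_Security {

    public function __construct()
    {
        parent::__construct();
    }

    /**
     * CSRF Verify (DEBUG)
     *
     * Same double-submit check as the parent csrf_verify(): on a POST the
     * token posted with the form must equal the token carried in the CSRF
     * cookie. Every step writes a log_message() so the flow can be traced
     * in the application log. Token values themselves are never logged.
     *
     * @return  CI_Security
     */
    public function csrf_verify()
    {
        log_message('info', 'CSRF csrf_verify start');

        // Only POST requests are verified; anything else just gets the
        // cookie (re)issued so the next form submission carries a token.
        // REQUEST_METHOD is absent under CLI, hence the isset() guard.
        $method = isset($_SERVER['REQUEST_METHOD']) ? strtoupper($_SERVER['REQUEST_METHOD']) : '';
        if ($method !== 'POST')
        {
            log_message('info', 'CSRF request is not POST, setting cookie only');
            return $this->csrf_set_cookie();
        }

        // Check if URI has been whitelisted from CSRF checks
        if ($exclude_uris = config_item('csrf_exclude_uris'))
        {
            $uri = load_class('URI', 'core');
            foreach ($exclude_uris as $excluded)
            {
                if (preg_match('#^'.$excluded.'$#i'.(UTF8_ENABLED ? 'u' : ''), $uri->uri_string()))
                {
                    log_message('info', 'CSRF url was excluded from CSRF check');
                    return $this;
                }
            }
        }

        // Both tokens must be present, must be plain strings (a submitted
        // array such as token[]=x would otherwise reach the comparison)
        // and must match. hash_equals() keeps the comparison constant-time.
        $valid = isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
            && is_string($_POST[$this->_csrf_token_name])
            && is_string($_COOKIE[$this->_csrf_cookie_name])
            && hash_equals($_COOKIE[$this->_csrf_cookie_name], $_POST[$this->_csrf_token_name]);

        if ( ! $valid)
        {
            // Log the failure, not the success condition (the original
            // message here described the opposite of what had happened).
            log_message('info', 'CSRF token missing from _POST/_COOKIE or tokens do not match');
            $this->csrf_show_error();
            // csrf_show_error() is expected to terminate the request
            // (CI's show_error() exits), so nothing below runs on failure.
        }

        // We kill this since we're done and we don't want to pollute the _POST array
        unset($_POST[$this->_csrf_token_name]);

        // Regenerate on every submission?
        if (config_item('csrf_regenerate'))
        {
            // Nothing should last forever
            unset($_COOKIE[$this->_csrf_cookie_name]);
            $this->_csrf_hash = NULL;

            log_message('info', 'CSRF was regenerate (Cookie removed)');
        }

        log_message('info', 'CSRF executing _csrf_set_hash');
        $this->_csrf_set_hash();

        log_message('info', 'CSRF executing csrf_set_cookie');
        $this->csrf_set_cookie();

        log_message('info', 'CSRF token verified');
        return $this;
    }
}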






