Server config causing CSRF triggers
FreeBSD 11.0
Apache 2.4
MySQL 5.7
PHP 5.6.31

I've recently built, configured and security hardened this server, and I installed opensourcepos, which is a project I am contributing to. With CSRF disabled I have no problems. When enabled, I initially could not log in to the app. I found that the line

Code:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

was causing CI CSRF protection to trigger. IMO this was not a good design decision for CI to use the cookie for the CSRF token, because it prevents server-wide hardening such as the above to keep JavaScript from reading the cookie. While that may not be a problem in CI code, one has to keep in mind that there are likely other apps on the server which do not check for this sort of thing. It would be better for CI to use a separate header for the CSRF token.

Alas, after commenting that line out I thought my problems were over because I could now log in; however, I found that I was getting an HTTP 403 response when submitting changes in a form. Like before, I believe it's CSRF triggering, because when turned off in config.php the form submits fine. I've attached a screenshot of the 403 response.

So far I've done the following to try to troubleshoot what was causing the problem:
- Set mod_security to DetectionOnly
- Set suhosin to SimulationMode in php.ini
- Commented out mod_evasive
- Commented out the following lines in my httpd.conf

Code:
#Security Directives

But I'm getting the same behavior. I've turned on logs in config.php and here is what it generates for the submit:

Code:
INFO - 2017-08-22 14:39:22 --> Config Class Initialized

No errors are generated by PHP, Suhosin, MySQL or mod_security... presumably because the CI CSRF kicks in with a 403 before that can happen.
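To show how a blanket Set-Cookie rewrite can make a double-submit CSRF check answer 403, here is an added model (not code from the post, CodeIgniter or opensourcepos) that applies the quoted `Header edit` regex to a constructed cookie, decides whether a browser would return it, and runs the cookie-versus-form-field comparison; the cookie name and token value are constructed for the walkthrough.

```python
import hmac
import re

# Constructed sample values for this walkthrough (not taken from the post).
COOKIE_NAME = "csrf_cookie_name"
TOKEN = "0123456789abcdef0123456789abcdef"


def apache_header_edit(set_cookie: str) -> str:
    """Model of `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure`.

    The pattern has no guard, so it appends both attributes to every
    Set-Cookie header, including ones that already carry them."""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", set_cookie)


def browser_returns_cookie(set_cookie: str, over_https: bool) -> bool:
    """A cookie flagged Secure is only sent on HTTPS requests. HttpOnly
    merely hides it from page JavaScript and does not affect this."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return over_https or "secure" not in attrs


def csrf_check(cookie_token, form_token) -> int:
    """Double-submit cookie check: the token carried in the POST body must
    equal the one in the cookie, otherwise the request is refused with 403."""
    if cookie_token is None or form_token is None:
        return 403
    return 200 if hmac.compare_digest(cookie_token, form_token) else 403


def submit_form(over_https: bool, hardened: bool) -> int:
    """Simulate one page load followed by one form POST."""
    set_cookie = f"{COOKIE_NAME}={TOKEN}; Path=/"
    if hardened:
        set_cookie = apache_header_edit(set_cookie)
    # The hidden field is rendered into the HTML, so it always arrives.
    form_token = TOKEN
    cookie_token = TOKEN if browser_returns_cookie(set_cookie, over_https) else None
    return csrf_check(cookie_token, form_token)


if __name__ == "__main__":
    for https, hard in [(True, True), (False, False), (False, True)]:
        print(f"https={https} hardened={hard} -> {submit_form(https, hard)}")
```

Over plain HTTP with the rewrite in place the cookie never comes back, so the comparison fails the same way a stale or tampered token would.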