Server config causing CSRF triggers
#2

(08-22-2017, 03:52 AM)objecttothis Wrote: was causing CI CSRF protection to trigger.  IMO this was not a good design decision for CI to use the cookie for the  CSRF token because it prevents server-wide hardening such as the above to keep JavaScript from reading the cookie. While that may not be a problem on CI code, one has to keep in mind that there are likely other apps on the server which do not check for this sort of thing.  It would be better for CI to use a separate header for the CSRF token.

CI has flags for this in config.php. We use CSRF tokens with both cookie_secure and cookie_httponly set to true and have no issues with bad tokens as long as they are only being used once.

In your screenshot, check the response tab. It will show a 403 if that is indeed what's happening. If it is, ensure you're only using the same token once unless csrf_regenerate is set to false.
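As an added example (not code from this thread or from CodeIgniter itself), the config.php flags the reply refers to, together with the usual way to keep an AJAX client working when csrf_regenerate is TRUE and the token cookie is HttpOnly: the token travels in the form field and in the JSON response, never via the cookie. The controller and field names are assumptions.

```php
<?php
// application/config/config.php (CodeIgniter 3.x): CSRF and cookie flags
// as described in the reply above. Example added here, not the thread's code.
$config['csrf_protection']   = TRUE;
$config['csrf_token_name']   = 'csrf_test_name';
$config['csrf_cookie_name']  = 'csrf_cookie_name';
$config['csrf_expire']       = 7200;
$config['csrf_regenerate']   = TRUE;   // fresh hash after every POST; a reused hash gets 403
$config['csrf_exclude_uris'] = array();
$config['cookie_secure']     = TRUE;   // token cookie only sent over HTTPS
$config['cookie_httponly']   = TRUE;   // JavaScript cannot read the token cookie

// application/controllers/Profile.php (hypothetical controller and field names)
class Profile extends CI_Controller
{
    // GET: render the form. form_open() injects the hidden token field,
    // so the browser never needs to read the HttpOnly cookie.
    public function edit()
    {
        $this->load->helper('form');
        $this->load->view('profile_edit');   // view calls form_open('profile/save')
    }

    // POST (AJAX): the Security class has already verified the submitted token
    // and, with csrf_regenerate = TRUE, generated a new one before we get here.
    // Because the cookie is HttpOnly, return the new hash in the body so the
    // client sends it on its next request instead of reusing the old one.
    public function save()
    {
        $display_name = $this->input->post('display_name', TRUE);
        // ... persist $display_name ...

        $this->output
            ->set_content_type('application/json')
            ->set_output(json_encode(array(
                'ok'              => TRUE,
                'csrf_token_name' => $this->security->get_csrf_token_name(),
                'csrf_hash'       => $this->security->get_csrf_hash(),
            )));
    }
}
```

A client that instead keeps posting the hash it read from the first page load will see exactly the 403 the reply describes once the second request arrives.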


Messages In This Thread
RE: Server config causing CSRF triggers - by spjonez - 08-22-2017, 06:18 AM
SOLUTION - by objecttothis - 09-07-2017, 04:16 AM


