Server config causing CSRF triggers
#7

Quote: The issue I am having with CSRF happens on an SSL connection and a non-encrypted connection. Enabling both cookie_httponly and cookie_secure and connecting via HTTPS still produces the 403 error, but not 403 as soon as CSRF gets turned off in config.php. Since CSRF doesn't get tripped with other server implementations it tells me this is likely something to do with my FAMP stack and the way it's configured that does not play well with CSRF.

CSRF is just a client cookie + server-side session variable that are compared. If you don't set cookie_secure it will work for both HTTP and HTTPS; the flag only prevents HTTP requests.

Quote: My opinion about the CI implementation of CSRF was simply because it's preventing serverwide httponly via httpd.conf which is shortsighted because there are non-CI implemented apps on servers and it's nice to force XSS protection via apache without having to stick a .htaccess everywhere.

Code can set a cookie any way it wants regardless of how a server is configured. If you're changing Apache defaults, your code has to handle that. Personally I wouldn't configure the server and let the application decide how it should work. As long as the correct flags are set it doesn't matter which side does it, but code gives you more flexibility.

I'm not really sure what your problem is.
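To make the "cookie + session variable that are compared" description concrete, here is an added example in plain PHP. It is not CodeIgniter's own CSRF code and not from anyone in this thread; the cookie name, hidden field name and helper function names are assumptions chosen for illustration. It shows why a cookie sent with the secure flag never comes back on a plain-HTTP request, which is exactly the mismatch that ends in a 403:

```php
<?php
// Added example (not CodeIgniter's own code): a minimal session-backed CSRF
// check. A random token is kept in the server-side session, a copy is sent
// to the browser as a cookie, and a copy is embedded in each form. On POST
// all three must agree. Names below are assumptions for illustration.

declare(strict_types=1);

const CSRF_COOKIE = 'csrf_cookie_name';   // assumed cookie name
const CSRF_FIELD  = 'csrf_token';         // assumed hidden form field name

/**
 * Issue a fresh token. $secure mirrors the cookie_secure setting discussed
 * above: when true the browser only returns the cookie over HTTPS, so a
 * plain-HTTP POST arrives without it and the check below fails with 403.
 * $httpOnly is safe here because the form field is rendered server-side;
 * no JavaScript ever needs to read the cookie.
 */
function csrfIssueToken(bool $secure, bool $httpOnly): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(32));
    $_SESSION[CSRF_FIELD] = $token;
    setcookie(CSRF_COOKIE, $token, [
        'expires'  => time() + 7200,
        'path'     => '/',
        'secure'   => $secure,
        'httponly' => $httpOnly,
        'samesite' => 'Lax',
    ]);
    return $token;
}

/**
 * The comparison step, separated from the request globals: every copy must
 * be present and equal. hash_equals keeps the comparison constant-time.
 */
function csrfTokensMatch(?string $sessionToken, ?string $cookieToken, ?string $formToken): bool
{
    if ($sessionToken === null || $cookieToken === null || $formToken === null) {
        return false;
    }
    return hash_equals($sessionToken, $cookieToken)
        && hash_equals($sessionToken, $formToken);
}

/** Guard for state-changing requests; returns the HTTP status to send. */
function csrfCheckRequest(): int
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return 200;                       // GET/HEAD are not checked
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $ok = csrfTokensMatch(
        $_SESSION[CSRF_FIELD] ?? null,
        $_COOKIE[CSRF_COOKIE] ?? null,
        $_POST[CSRF_FIELD]    ?? null
    );
    return $ok ? 200 : 403;
}

/** Hidden field for forms, so the token also travels in the request body. */
function csrfHiddenField(string $token): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed walk-through of the failure mode from the thread (no real
// request involved): same token in session and form, but the browser did
// not return the secure cookie because the POST went over plain HTTP.
$token = bin2hex(random_bytes(32));
var_dump(csrfTokensMatch($token, $token, $token));   // bool(true)  -> 200
var_dump(csrfTokensMatch($token, null,   $token));   // bool(false) -> 403
```

Run `csrfIssueToken(true, true)` when rendering a form and `csrfCheckRequest()` before handling any POST. With `secure => true` the same code passes over HTTPS and returns 403 over HTTP, which is the behaviour the reply above attributes to the flag rather than to the server stack.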
Messages In This Thread
RE: Server config causing CSRF triggers - by spjonez - 08-22-2017, 01:04 PM
SOLUTION - by objecttothis - 09-07-2017, 04:16 AM