Server config causing CSRF triggers
(09-07-2017, 06:33 AM)spjonez Wrote: Is cookie_httponly set to false? If security is your primary concern this should be set to true, which will break the code you posted. Instead of reading the cookie from JS, return the new token with every AJAX call and store it in a variable for subsequent requests.

cookie_httponly is currently set to false. We will later rework the code to allow httponly to be enabled. csrf_regenerate is set to true, and so far the AJAX calls haven't been doing things like giving a 200 on the first and a 403 on subsequent ones. Like I said in my last post, this is clearly being caused by an incompatibility between suhosin.cookie.encrypt and CI's CSRF implementation. That's not to say that your suggestions can't be the cause of problems, but in my case it's suhosin.