crsf and ion_auth reset password
#9

(02-08-2018, 11:02 AM)dave friend Wrote: The error: "The action you have requested is not allowed." might be because you either
1) Did not use form_open() in your view or
2) Did not add a hidden field to the form with the CSRF token and hash.

form_open() automatically adds the hidden field for you.

Nothing jumps out at me as wrong in your config settings.

I developed a simple controller and view to test if sessions are working.
It's easy to install (and remove) from a project and should provide a definitive answer to the question, "Are sessions working?"
The files are on github HERE

Hope it is helpful.

Thanks for the sessions testing package.  I ran it and according to it, sessions are working.

The csrf protection is not working despite using form_open.  The hidden fields for csrf data are present in the form and the values present in $_POST at the time of form submission.

I am shifting from trying to resolve csrf as implemented by ion_auth to using csrf as implemented by CI 3.x.  I figure better to implement it site-wide and debug the challenges than getting it to work one way and then having to debug the ion_auth methods.

With `$config['csrf_regenerate'] = TRUE;` and using HTML-valid forms, csrf protection fails. Using the barebones forms supplied with ion_auth, csrf protection passes. Stepping through function csrf_verify() (line 206 of Security.php in CI ver. 3.1.6) there is a discrepancy between the csrf_hash in the cookie, $this->_csrf_hash and the hash within $_POST. It is as though somehow HTML-valid forms are submitted twice; on the second pass the new value of the csrf hash in $_POST is not updated to the cookie before the form is submitted.

If this is convoluted and confusing, I apologise. Trying to get a handle on this is proving a challenge.
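The "submitted twice" hypothesis in the post above can be checked against a model of where CI 3.x actually rotates the hash: Security::csrf_verify() regenerates the cookie after every POST when csrf_regenerate is TRUE, so a second POST carrying the hidden field from the same rendered page no longer matches. This is an added example, not CodeIgniter's or ion_auth's code; it assumes CI 3's default csrf_token_name and csrf_cookie_name, and $cookieJar and $post are constructed stand-ins for the browser.

```php
<?php
// Added example, not CodeIgniter's or ion_auth's own code: a stripped-down model
// of how CI 3.x pairs the CSRF cookie with the hidden form field and of where
// csrf_regenerate = TRUE rotates it. $cookieJar/$post are constructed stand-ins.

const TOKEN_FIELD = 'csrf_test_name';   // $config['csrf_token_name'] default
const COOKIE_NAME = 'csrf_cookie_name'; // $config['csrf_cookie_name'] default

// Run on every request (Security::__construct): keep a well-formed cookie
// value, otherwise issue a fresh 32-char hex hash via Set-Cookie.
function csrf_set_hash(array &$cookieJar): string
{
    if (isset($cookieJar[COOKIE_NAME])
        && preg_match('#^[0-9a-f]{32}$#iS', $cookieJar[COOKIE_NAME]) === 1) {
        return $cookieJar[COOKIE_NAME];
    }
    return $cookieJar[COOKIE_NAME] = bin2hex(random_bytes(16));
}

// Model of Security::csrf_verify() for a POST: compare field with cookie, then,
// if regeneration is on, discard the cookie so the re-issued hash is new.
function csrf_verify(array $post, array &$cookieJar, bool $regenerate): bool
{
    $valid = isset($post[TOKEN_FIELD], $cookieJar[COOKIE_NAME])
        && is_string($post[TOKEN_FIELD])
        && hash_equals($post[TOKEN_FIELD], $cookieJar[COOKIE_NAME]);
    if ($regenerate) {
        unset($cookieJar[COOKIE_NAME]);   // CI: "nothing should last forever"
    }
    csrf_set_hash($cookieJar);            // cookie re-issued either way
    return $valid;                        // FALSE -> "action ... not allowed"
}

// One GET that renders the form, then $submissions POSTs that all carry the
// hidden field exactly as rendered. Returns the verdict on the last POST.
function simulate(bool $regenerate, int $submissions): bool
{
    $cookieJar = [];
    $hidden = csrf_set_hash($cookieJar);  // form_open() embeds this value
    $accepted = false;
    for ($i = 0; $i < $submissions; $i++) {
        $post = [TOKEN_FIELD => $hidden, 'email' => 'user@example.com'];
        $accepted = csrf_verify($post, $cookieJar, $regenerate);
    }
    return $accepted;
}
var_dump(simulate(true, 1));   // single submission with regeneration on
var_dump(simulate(true, 2));   // same form posted twice: second POST has a stale hash
var_dump(simulate(false, 2));  // regeneration off: the cookie survives both POSTs
```

If the second case reproduces the symptom, counting POST requests to the reset endpoint in the access log (or logging inside csrf_verify()) will show whether the browser really sends the form twice.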
Messages In This Thread
crsf and ion_auth reset password - by dwlamb - 02-07-2018, 01:29 PM
RE: crsf and ion_auth reset password - by dwlamb - 02-07-2018, 10:43 PM
RE: crsf and ion_auth reset password - by dwlamb - 02-08-2018, 08:10 AM
RE: crsf and ion_auth reset password - by dwlamb - 02-08-2018, 10:27 AM
RE: crsf and ion_auth reset password - by dwlamb - 02-12-2018, 04:20 PM