crsf and ion_auth reset password
(02-08-2018, 11:02 AM)dave friend Wrote: The error: "The action you have requested is not allowed." might be because you either

Thanks for the sessions testing package. I ran it and according to it, sessions are working.

The csrf protection is not working despite using form_open. The hidden fields for csrf data are present in the form and the values are present in $_POST at the time of form submission.

I am shifting from trying to resolve csrf as implemented by ion_auth to using csrf as implemented by CI 3.x. I figure it is better to implement it site-wide and debug the challenges than getting it to work one way and then having to debug the ion_auth methods.

With `$config['csrf_regenerate'] = TRUE;` and using HTML valid forms, csrf protection fails. Using the barebones forms supplied with ion_auth, csrf protection passes.

Stepping through function csrf_verify() (line 206 of Security.php in CI ver. 3.1.6) there is a discrepancy between the csrf_hash in the cookie, $this->_csrf_hash and the hash within $_POST. It is as though somehow HTML valid forms are submitted twice; on the second pass the new value of the csrf hash in $_POST is not updated to the cookie before the form is submitted.

If this is convoluted and confusing, I apologise. Trying to get a handle on this is proving a challenge.
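
An added illustration, not part of the original post and not CodeIgniter's or ion_auth's code: a simplified model of a CSRF check that rotates its token on every POST, showing how a second submission of the same rendered form stops matching the cookie only when regeneration is on. The function names, the `csrf` key and the cookie-jar array are assumptions made for the example.

```php
<?php
// Simplified model of a rotate-on-POST CSRF check (NOT CodeIgniter's Security.php).
// $cookieJar stands in for the browser's cookie store; every name here is hypothetical.

function issue_token(array &$cookieJar): string
{
    // Reuse the current token if one exists, otherwise mint a fresh one.
    if (!isset($cookieJar['csrf'])) {
        $cookieJar['csrf'] = bin2hex(random_bytes(16));
    }
    return $cookieJar['csrf'];
}

function verify_post(array &$cookieJar, array $post, bool $regenerate): bool
{
    // The hidden field must equal the cookie value (constant-time comparison).
    $valid = isset($post['csrf'], $cookieJar['csrf'])
        && hash_equals($cookieJar['csrf'], $post['csrf']);

    if ($regenerate) {
        // Rotation happens on every POST, valid or not: the cookie now holds
        // a value that no already-rendered form carries.
        unset($cookieJar['csrf']);
        issue_token($cookieJar);
    }
    return $valid;
}

function double_submit(bool $regenerate): array
{
    $cookieJar = [];
    $form   = ['csrf' => issue_token($cookieJar)];          // GET: form rendered with hidden field
    $first  = verify_post($cookieJar, $form, $regenerate);  // first POST of the form
    $second = verify_post($cookieJar, $form, $regenerate);  // same form body posted again
    return [$first, $second];
}

foreach ([true, false] as $regenerate) {
    [$first, $second] = double_submit($regenerate);
    printf(
        "regenerate=%s first=%s second=%s\n",
        var_export($regenerate, true),
        var_export($first, true),
        var_export($second, true)
    );
}
```

When debugging a mismatch like this, the browser's network panel or the web server access log shows whether more than one POST reaches the application for a single form submission.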
Messages In This Thread
crsf and ion_auth reset password - by dwlamb - 02-07-2018, 01:29 PM
RE: crsf and ion_auth reset password - by ChicagoPhil - 02-07-2018, 02:02 PM
RE: crsf and ion_auth reset password - by dwlamb - 02-07-2018, 10:43 PM
RE: crsf and ion_auth reset password - by ChicagoPhil - 02-08-2018, 12:43 AM
RE: crsf and ion_auth reset password - by dwlamb - 02-08-2018, 08:10 AM
RE: crsf and ion_auth reset password - by dave friend - 02-08-2018, 08:11 AM
RE: crsf and ion_auth reset password - by dwlamb - 02-08-2018, 10:27 AM
RE: crsf and ion_auth reset password - by dave friend - 02-08-2018, 11:02 AM
RE: crsf and ion_auth reset password - by dwlamb - 02-12-2018, 04:20 PM