Hey there,
I just ran into a problem (again) related to CI throwing CSRF "action is not allowed" errors whenever a user tries to login to our app, but only on certain browsers and only in production. I've been all over Google and think I even posted on this subject awhile back on this forum.
Before I forget, here are some factors that could potentially be involved, though I wouldn't understand how or why:
- our dev server is not public-facing
- our production server has SSL (HTTPS) and on our dev server we use HTTP
But my best guess is that it's cookie-related. I say this because:
- A co-worker said he was able to get around it by going to the "create account" link and then clicking "cancel" to go back to the login screen, and THEN logging in.
- I had a similar workaround, going into the address bar and pressing Enter to reload the page, then logging in a second time.
- The rare scraps of info I could get off the web pointed to cookie settings, and not just CSRF settings.
- The fact that I don't get the error on some browsers suggests it's a browser setting, like how they handle cookies.
- And last time I checked, session data is still passed to between web clients and servers via cookies.
But unfortunately, this is sort of a non-answer. It's cookie-related, okay, but what can be done about it? FYI I've stuck with the default CI cookie settings (and maybe that's my problem? lol idk). For the purpose of the demo today that triggered this massive research effort, I disabled the CSRF protection and it worked fine. But is that really the way to go? All controllers that access password-protected content make sure the user is logged in first, but that wouldn't stop a CSRF attack (for obvious reasons). It's gotten to the point where I'm considering researching another library to handle CSRF protection (and if that's the best practice, I'd appreciate any recommendations lol).
Thanks guys!
