CSRF Problem
#1

[eluser]benjamin[/eluser]
Hi all,

Upon submitting forms, a client (Windows XP - tried on IE, Firefox and Chrome) of ours keeps getting:

Code:
An Error Was Encountered
The action you have requested is not allowed.

...indicating a CSRF problem. I have not been able to reproduce this error myself. The client's browser is configured to accept cookies ('accept all') and the system clock is set correctly. We are not relying on Ajax (just performing a plain old form submit).

config.php:

Code:
$config['csrf_token_name'] = 'csrf_pp';
$config['csrf_cookie_name'] = 'csrf_pp';
$config['csrf_expire'] = 220000;

Like I said, I haven't been able to reproduce this error - no matter how hard I try (switching browsers etc). Using CI 2.1.0
Any thoughts?
#2

[eluser]Hallas[/eluser]
Hello,

I have the same problem on IE, Chrome, Safari, but on Firefox it is working (on live server).
Locally tested on WAMP - it works in all browsers.

I assume that some server setting is causing this problem, maybe...
#3

[eluser]skunkbad[/eluser]
Check the server logs for 404s and fix them.
#4

[eluser]Narf[/eluser]
Looks like this: https://github.com/EllisLab/CodeIgniter/...nt-3403196
#5

[eluser]Igor Couto[/eluser]
I have just cloned the latest stable branch ('2.1-stable') of CI directly from GitHub, then set up MAMP to serve the site.
I opened 'application/config/database.php' and entered my db credentials, then opened 'application/config/config.php' and entered basic setup settings. These were:

* set basepath
* set encryption key
* turn global XSS protection ON
* turn CSRF protection ON
* set cookie variables and turn cookie encryption ON

I then proceeded to do the introductory tutorial from the User Guide. When I reach the 'Create news item' section, however, I get the same error, without fail: "The action you have requested is not allowed".

After much googling, I found similar reports that suggested trying to play with the COOKIE VARIABLE settings in config.php. I discovered that in my case it was the 'cookie_prefix' that was the culprit. If $config['cookie_prefix'] is set to anything but empty, it triggers the error. As soon as I change it back to empty, it all works - encryption, CSRF, everything.

This may not be the *only* issue involved in this problem, considering that others have already pointed out problems with the session library, etc. - but it seems to work in my setup. I hope this may help core programmers and contributors pinpoint what the issue is! :-)
#6

[eluser]InsiteFX[/eluser]
Eric Barnes - CSRF and Cookies
#7

[eluser]CI_avatar[/eluser]
You must load the session library, or add the session library in the autoload config file.
Code:
$autoload['libraries'] = array('session');

update: CSRF still works even without loading the session library

update: everything works fine after I set my $config['cookie_domain'] to empty string ""

Code:
$config['cookie_domain'] = "";
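The two workarounds in this thread (empty `cookie_prefix` in #5, empty `cookie_domain` in #7) point at the same failure mode: CodeIgniter's CSRF check is a double-submit comparison between the hidden form field and the CSRF cookie, so anything that makes the cookie the server reads back differ from the cookie it wrote (a different name, or a domain the browser refuses to return it to) ends in "The action you have requested is not allowed." The script below is an added example, not CodeIgniter's own code: `csrf_cookie_name`, `csrf_set_cookie`, `csrf_verify` and `run_scenario` are constructed helpers that mimic the shape of the check, and the prefix value `pp_` and the token are made up for the demonstration.

```php
<?php
// Added example, not CodeIgniter's code: a minimal double-submit CSRF check in the
// shape of CI's csrf_* settings, showing why a disagreement between the cookie the
// server writes and the cookie it reads back fails verification. All values constructed.

$config = array(
    'csrf_token_name'  => 'csrf_pp',
    'csrf_cookie_name' => 'csrf_pp',
    'csrf_expire'      => 220000,
    'cookie_prefix'    => 'pp_',   // non-empty prefix, the situation described in post #5
);

// Name the server looks up in $_COOKIE when verifying a POST.
function csrf_cookie_name(array $config)
{
    return $config['cookie_prefix'] . $config['csrf_cookie_name'];
}

// Stands in for setcookie(): $browser_jar plays the browser's cookie store and
// $written_name is whatever name the framework actually passed on the Set-Cookie header.
function csrf_set_cookie($written_name, $token, array &$browser_jar)
{
    $browser_jar[$written_name] = $token;
}

// Server-side verification: hidden form field must equal the cookie value.
// Returns true when the request is allowed.
function csrf_verify(array $config, array $post, array $cookie)
{
    $token_name  = $config['csrf_token_name'];
    $cookie_name = csrf_cookie_name($config);
    if (!isset($post[$token_name], $cookie[$cookie_name])) {
        return false;                                   // field or cookie missing
    }
    return hash_equals($cookie[$cookie_name], $post[$token_name]);  // PHP >= 5.6
}

// Runs one request/response round trip and reports the outcome.
// $browser_sends = false models a cookie_domain the browser will not send the cookie to.
function run_scenario($label, array $config, $written_name, $browser_sends = true)
{
    $jar   = array();
    $token = bin2hex(random_bytes(16));                 // PHP >= 7.0; constructed token
    csrf_set_cookie($written_name, $token, $jar);
    $post  = array($config['csrf_token_name'] => $token);   // hidden field the form posts back
    $sent  = $browser_sends ? $jar : array();           // what arrives in $_COOKIE
    $ok    = csrf_verify($config, $post, $sent);
    printf("%-40s server reads '%s', request carries [%s] => %s\n",
        $label, csrf_cookie_name($config), implode(',', array_keys($sent)),
        $ok ? 'allowed' : 'NOT ALLOWED');
}

// 1. Cookie written without the prefix but read with it: the mismatch from post #5.
run_scenario('prefix applied on read only', $config, $config['csrf_cookie_name']);

// 2. The same prefixed name on both sides: verification passes.
run_scenario('prefix applied on both sides', $config, csrf_cookie_name($config));

// 3. Cookie never returned by the browser (e.g. a cookie_domain it does not match,
//    post #7): the server sees no cookie at all and the check fails the same way.
run_scenario('cookie not sent back (domain mismatch)', $config, csrf_cookie_name($config), false);

// 4. The post #5 workaround: an empty cookie_prefix makes the two names coincide again.
$config['cookie_prefix'] = '';
run_scenario('empty cookie_prefix', $config, $config['csrf_cookie_name']);
```

Run it with `php csrf_demo.php` (any file name); scenarios 1 and 3 print `NOT ALLOWED`, 2 and 4 print `allowed`. To check a real installation the same way, compare the cookie name and `Domain` attribute on the `Set-Cookie` header the browser receives with the key the next request actually puts in `$_COOKIE`; if they differ, the CSRF comparison (in CI 2.x it lives in `system/core/Security.php`) can never succeed, whatever the browser's cookie policy is. Clearing the prefix or domain is a workaround, not a fix: the hardened state is one where both the write and the read use the same prefixed, correctly scoped cookie name.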



