CSRF cookie name = token name!
#1

[eluser]arbme666[/eluser]
$config['csrf_cookie_name'] is set to $config['csrf_token_name'].

I found this is Security.php in __construct()

Code:
// Append application specific cookie prefix to token name
$this->csrf_cookie_name = (config_item('cookie_prefix')) ? config_item('cookie_prefix').$this->csrf_token_name : $this->csrf_token_name;

Should it not be...

Code:
// Append application specific cookie prefix to token name
$this->csrf_token_name = (config_item('cookie_prefix')) ? config_item('cookie_prefix').$this->csrf_token_name : $this->csrf_token_name;
#2

[eluser]Eric Barnes[/eluser]
I think you are right. Will you file a report and I will get this sorted.
#3

[eluser]arbme666[/eluser]
I posted it in the Bug Tracker and got a reply with...

Quote:No, the token name is used for the cookie, this merely ensures that the application cookie prefix setting is being observed.

I still think it is wrong as what is the point in having $config['csrf_cookie_name'] in config.php if it is overwritten by $config['csrf_token_name'] later in Security.php.

The comment for it reads that it should be the token name that is appended not the cookie name.

Code:
// Append application specific cookie prefix to token name
$this->csrf_cookie_name = (config_item('cookie_prefix')) ? config_item('cookie_prefix').$this->csrf_token_name : $this->csrf_token_name;

Edit the Security.php file like above if you want to use $config['csrf_cookie_name'] as the actual name of the CSRF cookie.

Thanks
#4

[eluser]Eric Barnes[/eluser]
I can take the blame for this one :) I added these as config options based on a uservoice request and didn't notice that it changes later. I think the correct change on line 62 should be this instead:
Code:
$this->csrf_cookie_name = (config_item('cookie_prefix')) ? config_item('cookie_prefix').$this->csrf_cookie_name : $this->csrf_cookie_name;

If you want to test that and report back that would be great.
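The two lines side by side, as an added example that is not CodeIgniter's code or either poster's code: a stand-in class reproducing just the relevant part of Security::__construct(), with a constructed config_item() helper and sample config values (the 'ci_' prefix is made up; the other two are the values used here for illustration). It shows why $config['csrf_cookie_name'] is ignored with the original line and honoured with the corrected one.

```php
<?php
// Constructed config values for the demonstration.
$config = [
    'cookie_prefix'    => 'ci_',              // sample prefix, assumed
    'csrf_token_name'  => 'csrf_test_name',   // sample token (form field) name
    'csrf_cookie_name' => 'csrf_cookie_name', // sample cookie name
];

// Stand-in for CodeIgniter's config_item() helper (not the real one).
function config_item($key)
{
    global $config;
    return isset($config[$key]) ? $config[$key] : false;
}

// Minimal stand-in for the part of Security::__construct() under discussion.
class CsrfNameDemo
{
    protected $csrf_token_name;
    protected $csrf_cookie_name;

    public function __construct($fixed)
    {
        // Both names are first loaded straight from config.
        $this->csrf_token_name  = config_item('csrf_token_name');
        $this->csrf_cookie_name = config_item('csrf_cookie_name');

        if ($fixed) {
            // Suggested line (post #4): the cookie prefix is applied to the
            // cookie name, so csrf_cookie_name is what the browser stores.
            $this->csrf_cookie_name = (config_item('cookie_prefix'))
                ? config_item('cookie_prefix') . $this->csrf_cookie_name
                : $this->csrf_cookie_name;
        } else {
            // Original line (post #1): the cookie name is overwritten with the
            // prefixed token name, so csrf_cookie_name has no effect.
            $this->csrf_cookie_name = (config_item('cookie_prefix'))
                ? config_item('cookie_prefix') . $this->csrf_token_name
                : $this->csrf_token_name;
        }
    }

    public function names()
    {
        return ['token' => $this->csrf_token_name, 'cookie' => $this->csrf_cookie_name];
    }
}

// Check a developer can run after editing Security.php: the cookie name
// should derive from csrf_cookie_name, not from csrf_token_name.
foreach ([0 => 'original', 1 => 'fixed'] as $fixed => $label) {
    $names = (new CsrfNameDemo((bool) $fixed))->names();
    $respected = strpos($names['cookie'], $config['csrf_cookie_name']) !== false;
    printf("%-8s token=%s cookie=%s  csrf_cookie_name respected: %s\n",
        $label, $names['token'], $names['cookie'], $respected ? 'yes' : 'NO');
}
```

Run it with `php demo.php`; the 'original' row shows the cookie carrying the token name, the 'fixed' row shows it carrying the configured cookie name with the prefix in front. The distinction matters for any deployment that relies on the form field name and the cookie name being different, or that inspects the CSRF cookie by its configured name (for instance in logging or proxy rules).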
#5

[eluser]arbme666[/eluser]
Works for me. But is the cookie prefix meant to be appended to the cookie name & token name, or just the cookie name?