CSRF protection & The action you have requested is not allowed.
#1

[eluser]cysquan[/eluser]
Hi

Some of my users experienced "The action you have requested is not allowed" when they were trying to log in using IE9. I suspected that they didn't enable cookies, so I guided them to enable it on their IE9. However, it didn't seem to fix the problem.

So my question is: what are other things that could cause this to happen? And is there any way to permanently fix this for the current project as well as future projects?

This is my current config file settings:

$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'ci_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_match_useragent'] = FALSE;
$config['sess_time_to_update'] = 300;

/*
|--------------------------------------------------------------------------
| Cookie Related Variables
|--------------------------------------------------------------------------
|
| 'cookie_prefix' = Set a prefix if you need to avoid collisions
| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
| 'cookie_path' = Typically will be a forward slash
| 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.
|
*/
$config['cookie_prefix'] = "";
$config['cookie_domain'] = "";
$config['cookie_path'] = "/";
$config['cookie_secure'] = FALSE;

// Enable Global xss filtering at customer's end
if (strpos($_SERVER['REQUEST_URI'], "admin") === FALSE)
$config['global_xss_filtering'] = TRUE;
else
$config['global_xss_filtering'] = FALSE;
/*
|--------------------------------------------------------------------------
| Cross Site Request Forgery
|--------------------------------------------------------------------------
| Enables a CSRF cookie token to be set. When set to TRUE, token will be
| checked on a submitted form. If you are accepting user data, it is strongly
| recommended CSRF protection be enabled.
|
| 'csrf_token_name' = The token name
| 'csrf_cookie_name' = The cookie name
| 'csrf_expire' = The number in seconds the token should expire.
*/
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_token_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
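
The error in the question comes from CodeIgniter's CSRF check comparing the token in the submitted form against the token in the CSRF cookie. The following is an added, stand-alone approximation of that decision (not CodeIgniter's own CI_Security::csrf_verify() code), using the config names from the post above and constructed request data, to show which situations produce the error, including the "cookies disabled" case:

```php
<?php
// Added example (not CodeIgniter's own code): a stand-alone approximation of
// how CI_Security::csrf_verify() decides whether to show
// "The action you have requested is not allowed." Config keys mirror the post
// above; the request data below is constructed for illustration.
$config = [
    'csrf_protection' => TRUE,
    'csrf_token_name' => 'csrf_token_name',
    'csrf_cookie_name' => 'csrf_cookie_name',
];

// Returns 'ok' when the POST token matches the cookie token, otherwise a short
// reason describing which check failed.
function csrf_verify(array $config, string $method, array $post, array $cookie): string
{
    if (!$config['csrf_protection'] || $method !== 'POST') {
        return 'ok'; // protection off, or a GET: CI only checks tokens on POST
    }
    $tok = $config['csrf_token_name'];
    $ck  = $config['csrf_cookie_name'];
    // Cookies disabled or blocked, or cookie_domain not matching the host:
    // the cookie never comes back, so there is nothing to compare against.
    if (!isset($cookie[$ck])) {
        return 'error: no CSRF cookie in request';
    }
    // Form rendered without the hidden field (plain <form> instead of form_open()).
    if (!isset($post[$tok])) {
        return 'error: no CSRF token in POST data';
    }
    // Token expired or regenerated between render and submit, or a forged request.
    // hash_equals() is a constant-time compare; CI 2.x used a plain != here.
    if (!hash_equals($cookie[$ck], $post[$tok])) {
        return 'error: token mismatch';
    }
    return 'ok';
}

// Constructed scenarios: the first reproduces the "cookies disabled" case.
$token = bin2hex(random_bytes(16));
$cases = [
    'cookies disabled' => csrf_verify($config, 'POST', ['csrf_token_name' => $token], []),
    'missing field'    => csrf_verify($config, 'POST', [], ['csrf_cookie_name' => $token]),
    'stale token'      => csrf_verify($config, 'POST', ['csrf_token_name' => 'old'], ['csrf_cookie_name' => $token]),
    'valid'            => csrf_verify($config, 'POST', ['csrf_token_name' => $token], ['csrf_cookie_name' => $token]),
];
foreach ($cases as $name => $result) {
    printf("%-17s %s\n", $name . ':', $result);
}
```

Only the last scenario returns 'ok'; each of the others is a distinct reason the same generic error page appears, which is why checking whether the CSRF cookie actually reaches the server is the first thing to verify.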
#2

[eluser]CroNiX[/eluser]
Try removing the underscore from all cookie names.