Weird issue with CSRF - Input class | Forms won't work on landing page
#1

[eluser]hyperfire[/eluser]
Hey,

I'm sorry to bother but I'm clueless!!

If you access: http://empregosevagas.com.br and try to type anything on the two input fields, you'll get a 500 error (instead of a simple autocomplete ajax call result).

BUT, if you go inside the site, ANY PAGE, like http://empregosevagas.com.br/login AND GO BACK to the landing page (http://empregosevagas.com.br) the forms now work as expected.

The log clearly shows me different results for each given situation:

When landing on the website, trying to use that autocomplete ajax gives this on the log:

Code:
DEBUG - 2013-04-24 22:38:02 --> Config Class Initialized
DEBUG - 2013-04-24 22:38:02 --> Hooks Class Initialized
DEBUG - 2013-04-24 22:38:02 --> Utf8 Class Initialized
DEBUG - 2013-04-24 22:38:02 --> UTF-8 Support Enabled
DEBUG - 2013-04-24 22:38:02 --> URI Class Initialized
DEBUG - 2013-04-24 22:38:02 --> Router Class Initialized
DEBUG - 2013-04-24 22:38:02 --> Output Class Initialized
DEBUG - 2013-04-24 22:38:02 --> Security Class Initialized
DEBUG - 2013-04-24 22:38:02 --> Input Class Initialized

Where you can clearly see that nothing happens after the input class is loaded.
Instead of this (what a successful ajax request looks like):

Code:
DEBUG - 2013-04-24 17:34:12 --> Config Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Hooks Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Utf8 Class Initialized
DEBUG - 2013-04-24 17:34:12 --> UTF-8 Support Enabled
DEBUG - 2013-04-24 17:34:12 --> URI Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Router Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Output Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Security Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Input Class Initialized
DEBUG - 2013-04-24 17:34:12 --> CRSF cookie Set
DEBUG - 2013-04-24 17:34:12 --> CSRF token verified
DEBUG - 2013-04-24 17:34:12 --> Global POST and COOKIE data sanitized
DEBUG - 2013-04-24 17:34:12 --> Input Custom Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Language Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Loader Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Helper loaded: cookie_helper
DEBUG - 2013-04-24 17:34:12 --> Helper loaded: url_helper
DEBUG - 2013-04-24 17:34:12 --> Helper loaded: tracer_helper
DEBUG - 2013-04-24 17:34:12 --> Helper loaded: htmlpurifier_helper
DEBUG - 2013-04-24 17:34:12 --> Database Driver Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Session Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Helper loaded: string_helper
DEBUG - 2013-04-24 17:34:12 --> Encrypt Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Session garbage collection performed.
DEBUG - 2013-04-24 17:34:12 --> Session routines successfully run
DEBUG - 2013-04-24 17:34:12 --> Controller Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Helper loaded: form_helper
DEBUG - 2013-04-24 17:34:12 --> Model Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Model Class Initialized
INFO  - 2013-04-24 17:34:12 --> # MODEL-Assets_model WAS LOADED
DEBUG - 2013-04-24 17:34:12 --> Final output sent to browser
DEBUG - 2013-04-24 17:34:12 --> Total execution time: 0.0541

The AJAX call is done passing the CSRF values as expected:

Code:
$("#qc").autocomplete({
    source: function(request, response) {
        $.ajax({
            url: "<?php echo base_url(); ?>ajax/cityList",
            data: { q: $("#qc").val(), ci_csrf_token: "<?php echo $this->security->get_csrf_hash() ?>" },
            dataType: "json",
            type: "POST",
            success: function(data){
                response(data);
            }
        });
    }
});



To test the issue, I'm using firefox private browsing, so when opening a new tab, I have no session values. The session is AUTOLOADED, but according to the log, it never gets really loaded when the visitor arrives at the landing page.


Hopefully, one of you may know what's going on.
Thanks.
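An added example, not code from this thread or from CodeIgniter, that turns the two log excerpts above into something an operator can run over a whole log file: it splits a CI 2.x debug log into requests and reports whether each one reached "CSRF token verified" or went quiet right after "Input Class Initialized" (the failing pattern in the first excerpt). The sample log is constructed from the post's own lines, including CI's "CRSF cookie Set" spelling; the split-at-"Config Class Initialized" heuristic is an assumption of this script, since CI writes no request id.

```php
<?php
// Added example, not from the thread or from CodeIgniter: triage a CI 2.x
// debug log per request. Sample lines are constructed from the post above.
$sampleLog = <<<'LOG'
DEBUG - 2013-04-24 22:38:02 --> Config Class Initialized
DEBUG - 2013-04-24 22:38:02 --> Hooks Class Initialized
DEBUG - 2013-04-24 22:38:02 --> Security Class Initialized
DEBUG - 2013-04-24 22:38:02 --> Input Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Config Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Hooks Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Security Class Initialized
DEBUG - 2013-04-24 17:34:12 --> Input Class Initialized
DEBUG - 2013-04-24 17:34:12 --> CRSF cookie Set
DEBUG - 2013-04-24 17:34:12 --> CSRF token verified
DEBUG - 2013-04-24 17:34:12 --> Global POST and COOKIE data sanitized
INFO  - 2013-04-24 17:34:12 --> # MODEL-Assets_model WAS LOADED
DEBUG - 2013-04-24 17:34:12 --> Final output sent to browser
LOG;

/**
 * Split a CI debug log into requests. CI writes no request id, so this
 * assumes a new request starts at every "Config Class Initialized" line
 * (the first message CI logs for each request).
 */
function splitRequests(string $log): array
{
    $requests = [];
    $current  = null;
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\w+)\s+-\s+(\S+ \S+) --> (.*)$/', $line, $m)) {
            continue; // not a CI log line; skip it
        }
        $ts  = $m[2];
        $msg = $m[3];
        if ($current === null || $msg === 'Config Class Initialized') {
            if ($current !== null) {
                $requests[] = $current;
            }
            $current = ['time' => $ts, 'messages' => []];
        }
        $current['messages'][] = $msg;
    }
    if ($current !== null) {
        $requests[] = $current;
    }
    return $requests;
}

/** Classify one request by how far CI got before the log went quiet. */
function classifyRequest(array $request): string
{
    $msgs = $request['messages'];
    if (in_array('CSRF token verified', $msgs, true)) {
        return 'csrf-verified';
    }
    if (end($msgs) === 'Input Class Initialized') {
        // The Input class runs the CSRF check right after logging this line;
        // nothing after it means the check aborted the request with CI's
        // show_error() page, which is the HTTP 500 the reporter sees.
        return 'halted-at-csrf-check';
    }
    return 'other';
}

/** Count requests per outcome so the scale of the problem is visible. */
function summarize(string $log): array
{
    $counts = [];
    foreach (splitRequests($log) as $req) {
        $kind = classifyRequest($req);
        $counts[$kind] = ($counts[$kind] ?? 0) + 1;
    }
    return $counts;
}

foreach (splitRequests($sampleLog) as $req) {
    printf("%s  %s\n", $req['time'], classifyRequest($req));
}
print_r(summarize($sampleLog));
```

Run it against a real application/logs/log-*.php file (with the PHP guard line stripped) and a high "halted-at-csrf-check" count tells you how many visitors are hitting the failure, which is easier to act on than waiting for complaints.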
#2

[eluser]TheFuzzy0ne[/eluser]
I suspect an error may be getting thrown. Make sure error reporting is enabled by typing the following at the top of your index.php:
Code:
init_set('display_errors', '1');
error_reporting(E_ALL);
#3

[eluser]hyperfire[/eluser]
*ini_set

Nope, thank you, but no errors, neither in the CI log nor in the server log.

I've spent the whole day trying to figure out what's going on. If you visit any other page on the website, the landing page works as expected.

On a first visit, you're doomed to that error 500.

All I know is that the CSRF cookie is not being written after the input class is loaded on the first visit (the page renders correctly the first time, so a session is created, the CSRF cookie is generated and stuff; you'll only get the error if you try to use that form on the landing page).

BTW, the form is rendered using form_open/form_close so that CSRF hidden field is present.
#4

[eluser]TheFuzzy0ne[/eluser]
Since the site is not in my native language, it's hard to know what I'm looking at. However, I can't reproduce your problem. No matter what I do, I can't get a 500 error. Have you tried clearing your cache?

I've also noticed that in your script, you only seem to hook the autocomplete functionality onto the input field if they are not empty. This causes them to never get set.
#5

[eluser]hyperfire[/eluser]
In fact to reproduce the error is quite simple:

1) Open an incognito/private window.
2) Visit: empregosevagas.com.br
3) Write anything on any of the two input fields you see & hit the "encontrar vagas" green button
BOOM

Hit back on your browser.
1) Click on any of top right links.
2) Now click at the logo on the left (to return to the landing page)
3) Try to use those input fields again.

---------

#6

[eluser]TheFuzzy0ne[/eluser]
[quote author="hyperfire" date="1366898421"]In fact to reproduce the error is quite simple:

1) Open an incognito/private window.
2) Visit: empregosevagas.com.br
3) Write anything on any of the two input fields you see & hit the "encontrar vagas" green button
BOOM

Hit back on your browser.
1) Click on any of top right links.
2) Now click at the logo on the left (to return to the landing page)
3) Try to use those input fields again.

---------

[/quote]

I've reproduced those steps above to the letter, and I still can't reproduce the problem with any of my browsers.

I've tried entering text in each field one at a time before submitting, and also in both fields before submitting. Still nothing.

All I get each time is:
Quote:Sua busca por "blah" não gerou resultados.

Auto-complete doesn't work at all, but I can't get this 500 error.

My browsers:
Firefox 20.0.1
Internet Explorer 9.0.8112.16421 (with update 9.0.15)
Chrome 26.0.1410.64 m

No matter what I did, there was no BOOM. Sorry...

I'm normally pretty good at breaking things, so I'm quite surprised. My whole philosophy is "If it ain't broke, fix it 'til it is!"

Would it be possible for you to try this on:
a) A different machine at the same location?
b) A different machine at a different location?

I was able to produce a 404 error by typing in characters that are not allowed in the URI by default (such as an apostrophe or quotes).

I've also tried to access your Web site via several different browser-based proxies, but they didn't seem to work at all, because your site required Javascript, and those proxies either don't support it, or screw the script up.
#7

[eluser]hyperfire[/eluser]
That's so funny! It's happening to a lot of users!

The website went live a couple days ago and new visitors are getting pissed off.

I have made a video for anyone who can't reproduce the error here: http://www.youtube.com/watch?v=HLiv-qvAKqI

Again, all I know is that the CSRF cookie is not being set, as shown in the logs in my first post.
Thanks.

#8

[eluser]TheFuzzy0ne[/eluser]
Do you not have a development version of this Web site? If so, are you able to reproduce the problem on there?

It's difficult to debug a live site without giving information away about the structure or inner workings of your site. If you can reproduce this in a development environment, I'd suggest looking into enabling the profiler. For one, it will allow you to see exactly what's inside the cookie, assuming you have database sessions enabled, or cookies are encrypted. Another good thing about a development environment is that you can isolate the problem. You don't have to contend with people using the Web site whilst you try to debug.

I know you're saying that the cookie isn't being set, which is fine, but the profiler may be able to help you to determine why. Your last log entry should be something like this:
Code:
DEBUG - 2013-04-24 17:34:12 --> Final output sent to browser
DEBUG - 2013-04-24 17:34:12 --> Total execution time: 0.0541

The fact that your first log entry ends after loading the input class suggests to me that you're either redirecting before the cookie is being set, or that there is an error in your code that's causing the script to halt prematurely. If it was the latter, I'd expect to see only part of your page being rendered, so I'm going on the assumption that the log you posted may have ended due to a redirect.

As a temporary measure, perhaps you should disable CSRF for now, until you can address the problem.
#9

[eluser]TheFuzzy0ne[/eluser]
Also, do you have any caching enabled?
#10

[eluser]TheFuzzy0ne[/eluser]
OK, I think I've solved it.

I was accessing the domain via http://empregosevagas.com.br, and you were accessing it via http://www.empregosevagas.com.br.

Have your .htaccess file redirect your non-www subdomain to www, and then everything should work. I think the cookie is being set, but for the wrong sub-domain.
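An added example, not code from this thread or from CodeIgniter, modelling the diagnosis in the post above: a browser only returns a cookie whose Domain attribute domain-matches the request host (RFC 6265 section 5.1.3), and a cookie set without a Domain attribute is host-only, so a CSRF cookie set by one of www/non-www is never sent to the other and the double-submit check fails closed. The host names are the thread's; the cookie name 'ci_csrf_cookie', the token value and the assumption that the landing page is served by one host while the form posts to the other are constructed for the example.

```php
<?php
// Added example, not from the thread or from CodeIgniter: a small model of
// browser cookie scoping plus a CI-2.x-shaped double-submit CSRF check.

/** Does $host end with ".$suffix"? Both values are already lowercased. */
function endsWithLabel(string $host, string $suffix): bool
{
    $tail = '.' . $suffix;
    return strlen($host) > strlen($tail) && substr($host, -strlen($tail)) === $tail;
}

/** RFC 6265 domain-match for one stored cookie against a request host. */
function cookieMatchesHost(array $cookie, string $host): bool
{
    $host = strtolower($host);
    if ($cookie['hostOnly']) {
        return $host === $cookie['domain'];
    }
    return $host === $cookie['domain'] || endsWithLabel($host, $cookie['domain']);
}

/**
 * Browser side: store a Set-Cookie. $domainAttr is the server's Domain
 * attribute ('' when none was sent, which is what CI's default cookie_domain
 * of '' produces); $setByHost is the host that served the response.
 */
function storeCookie(array &$jar, string $name, string $value, string $domainAttr, string $setByHost): void
{
    $hostOnly = ($domainAttr === '');
    $jar[$name] = [
        'value'    => $value,
        'domain'   => strtolower($hostOnly ? $setByHost : ltrim($domainAttr, '.')),
        'hostOnly' => $hostOnly,
    ];
}

/** Browser side: the cookies that would be sent with a request to $host. */
function cookiesFor(array $jar, string $host): array
{
    $sent = [];
    foreach ($jar as $name => $cookie) {
        if (cookieMatchesHost($cookie, $host)) {
            $sent[$name] = $cookie['value'];
        }
    }
    return $sent;
}

/**
 * Server side: the double-submit check in the same shape as CI 2.x
 * csrf_verify() (POST field present, cookie present, both equal). It returns
 * a reason instead of a bare 500 so a log line can say which leg failed.
 */
function csrfVerify(array $post, array $cookies, string $tokenName, string $cookieName): string
{
    if (!isset($post[$tokenName])) {
        return 'denied: token field missing from POST';
    }
    if (!isset($cookies[$cookieName])) {
        return 'denied: CSRF cookie not sent (never set, or set for another host)';
    }
    if (!hash_equals($cookies[$cookieName], $post[$tokenName])) {
        return 'denied: token does not match cookie';
    }
    return 'verified';
}

/**
 * Replay the thread's situation: the landing page served by $pageHost sets
 * the cookie, then the form/AJAX call posts the page's token to $postHost.
 */
function scenario(string $cookieDomainSetting, string $pageHost, string $postHost): string
{
    $jar   = [];
    $token = bin2hex(random_bytes(16)); // constructed token value
    storeCookie($jar, 'ci_csrf_cookie', $token, $cookieDomainSetting, $pageHost);
    $post = ['ci_csrf_token' => $token]; // hidden field / AJAX data from the page
    return csrfVerify($post, cookiesFor($jar, $postHost), 'ci_csrf_token', 'ci_csrf_cookie');
}

$bare = 'empregosevagas.com.br';
$www  = 'www.empregosevagas.com.br';
// Host-only cookie, page on one host, POST to the other: the failing first visit.
echo "host-only cookie, cross-host POST: ", scenario('', $bare, $www), "\n";
// Same host on both legs, which is what redirecting to one canonical host gives.
echo "host-only cookie, same host:       ", scenario('', $www, $www), "\n";
// cookie_domain set to the parent domain: the cookie matches both hosts.
echo "parent-domain cookie, cross-host:  ", scenario('.' . $bare, $bare, $www), "\n";
```

Two settings in CodeIgniter's config.php bear on this: base_url decides which host the form and AJAX calls post to, and cookie_domain (used for the CSRF cookie) decides which hosts get the cookie back. The redirect suggested above fixes the first; setting cookie_domain to the parent domain, as in the third scenario, fixes the second. Either way, logging the reason the check failed rather than only a 500 page would have pointed at the host mismatch on day one.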



