CSRF makes problem on search page
#1

Hey guys,

I've created a search engine for my project, and CSRF_protection is TRUE for the whole project.
In the menu bar I have login and signup buttons, which need CSRF for the action.

I've disabled CSRF for the search page because users will search for a few things and then may want to click the previous button (in the browser) to see the previous search. If CSRF is TRUE, the error page is shown, and I don't want that.
I disabled CSRF for only the search page like this:
PHP Code:
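// Split the request URI and look at its last segment
$last_segment = explode('/', $_SERVER["REQUEST_URI"]);
if (end($last_segment) === 'results') {
    // Search results page: CSRF switched off
    $config['csrf_protection'] = FALSE;
} else {
    // Every other page: CSRF switched on
    $config['csrf_protection'] = TRUE;
}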

Now, after doing this, my login and signup don't work because CSRF is FALSE.

Who can help me have search "without" CSRF and login/signup "with" CSRF?

Thanks
Reply
#2

(This post was last modified: 12-12-2015, 04:00 AM by Happy Camper. Edit Reason: Typo )

Hello

I would say there is no need to use the code snippet you posted. Just enable CSRF protection in your config file and set 'csrf_exclude_uri' as required.

http://www.codeigniter.com/userguide3/li...rgery-csrf

Hope this helps!
Reply
#3

(This post was last modified: 12-13-2015, 05:17 AM by ardavan.)

Thanks for the reply,

I didn't get what I wanted; maybe I did it wrongly.
Here is what I did:
PHP Code:
$config['csrf_exclude_uris'] = array('http://localhost/index.php/search/results'); 
But it seems CSRF is still enabled for my search form!

What I'm doing is:
(page1) Search1: test one
(page2) Search2: test two

When I go back to the search1 page by clicking the previous button in the browser, I want to search again:
(page1) Search3: test tree
Then I'll get this:
Code:
An Error Was Encountered
The action you have requested is not allowed.

What I need is the search box working without CSRF and the login link working with CSRF!
Reply
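
Editor's added example, not part of any post in this thread and not CodeIgniter's own code: a stand-alone sketch of why a full URL in `csrf_exclude_uris` does not match, assuming CodeIgniter 3 compares each entry as an anchored, case-insensitive regex against the routed URI string (no scheme, host or `index.php`). The function name `csrf_is_excluded` and the path `user/login` are hypothetical; `csrf_regenerate` is the CodeIgniter 3 setting that controls whether the token changes on every submission.

```php
<?php
// Approximation of the exclusion check (assumption, see lead-in): each entry
// is wrapped in ^...$ and matched against the routed URI string only.
function csrf_is_excluded(array $exclude_uris, string $uri_string): bool
{
    foreach ($exclude_uris as $excluded) {
        if (preg_match('#^' . $excluded . '$#i', $uri_string) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed input: the URI string the framework would see for a request to
// http://localhost/index.php/search/results
$search_uri = 'search/results';
$login_uri  = 'user/login'; // hypothetical login route

// Entry as written in post #3 (full URL) versus a path-only entry.
$full_url_entry  = array('http://localhost/index.php/search/results');
$path_only_entry = array('search/results');

foreach (array('full URL' => $full_url_entry, 'path only' => $path_only_entry) as $label => $list) {
    printf(
        "%-9s | search excluded: %s | login excluded: %s\n",
        $label,
        var_export(csrf_is_excluded($list, $search_uri), true),
        var_export(csrf_is_excluded($list, $login_uri), true)
    );
}

// Corresponding application/config/config.php settings: protection stays on
// globally, so login and signup keep their token check.
$config['csrf_protection']   = TRUE;
$config['csrf_exclude_uris'] = array('search/results');

// Alternative that keeps the search form protected as well: stop issuing a
// new token on every submission, so a form reached with the browser's back
// button still carries a valid token. Then no exclusion entry is needed.
// $config['csrf_regenerate'] = FALSE;
```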
#4

Hi! Why don't you just use GET for search? Then you will not have CSRF protection and problems with it :)
Reply
#5

(12-13-2015, 05:20 AM)scion Wrote: Hi! Why don't you just use GET for search? Then you will not have CSRF protection and problems with it :)

I'm trying to find a solution to this question, not bypass the question. Of course GET is okay, but this is my challenge that I want to do :)
Reply
#6

Any idea?
Reply



