CSRF and double posting
#6

See in core/Security.php:


PHP Code:
// Regenerate on every submission?
if (config_item('csrf_regenerate'))
{
	// Nothing should last forever
	unset($_COOKIE[$this->_csrf_cookie_name]);
	$this->_csrf_hash = NULL;
}

If the browser has not received the response from the first request, then it still has the cookie, and it still is posting the token, which means that there will be a match on the server. Normally you hear of race conditions with AJAX, but perhaps here is another race condition? Maybe somebody smart will chime in.

If you think about the way cookies work, their values are stored in the browser, and the server is sort of relying on the browser to supply the cookie contents (a good reason to encrypt cookies). It may be better if the CSRF value was in a session, because then you could store the value on the server instead of the browser. Think about a true native session where the sessions are stored in files or in the database. If the token was used up, there'd be no way to use it twice, right?

My Tokens library would also be affected by this behavior, because it too relies on plain cookies. I think it would be interesting to extend the Security library and convert CI's CSRF protection to use a value stored in a database or native session, just to see if this was truly fixed for you.

Why this only happens in Chrome for you I don't know. It's hard to imagine that Chrome is so slow, but I'm a FF user myself.
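The two designs compared in the post above, as an added example (not CodeIgniter's code and not skunkbad's Tokens library): model A is the cookie-only check, where the server merely compares the cookie copy of the token with the POSTed copy, so two submissions fired before the first response (and its regenerating Set-Cookie) arrives both carry identical values and both pass; model B keeps the token in the server-side session store and deletes it on use, so the duplicate finds nothing to match. The `SessionCsrf` class, the `csrf_token` session key and the `cookieCheck()` helper are hypothetical names for this illustration, and the session is passed as an array by reference so the script runs without starting a real PHP session.

```php
<?php
// Added example, not CodeIgniter code. Contrast the cookie-only CSRF check
// with a server-side single-use token, under a simulated double post.

declare(strict_types=1);

// --- Model A: cookie-based token -------------------------------------------
// The client sends the token twice: once in a cookie, once in the POST body.
// The server only checks that the two copies match; nothing is "used up".
// (Hypothetical field names; the real CI names are configurable.)
function cookieCheck(array $cookie, array $post): bool
{
    return isset($cookie['csrf_cookie'], $post['csrf_token'])
        && hash_equals($cookie['csrf_cookie'], $post['csrf_token']);
}

// --- Model B: server-side single-use token ---------------------------------
// The token lives in the session store (file, database, ...). Consuming it
// removes it, so a second submission with the same token cannot match.
final class SessionCsrf
{
    private const KEY = 'csrf_token'; // hypothetical session key

    public function issue(array &$session): string
    {
        $token = bin2hex(random_bytes(32));
        $session[self::KEY] = $token;
        return $token;
    }

    public function consume(array &$session, ?string $submitted): bool
    {
        $stored = $session[self::KEY] ?? null;
        // Remove before comparing, so even a failed attempt burns the token.
        unset($session[self::KEY]);
        return $stored !== null
            && $submitted !== null
            && hash_equals($stored, $submitted);
    }
}

// --- Simulate the double post ----------------------------------------------
// The browser submits the form twice before the first response has arrived,
// so both requests carry the identical cookie and POST token (constructed).
$token  = bin2hex(random_bytes(32));
$cookie = ['csrf_cookie' => $token];
$post   = ['csrf_token'  => $token];

$first  = cookieCheck($cookie, $post); // genuine submission passes
$second = cookieCheck($cookie, $post); // duplicate passes too: nothing was consumed
printf("cookie model: first=%s second=%s\n",
    var_export($first, true), var_export($second, true));

$session = [];                         // stands in for $_SESSION
$csrf    = new SessionCsrf();
$t       = $csrf->issue($session);

$first  = $csrf->consume($session, $t); // genuine submission passes
$second = $csrf->consume($session, $t); // duplicate fails: token already gone
printf("session model: first=%s second=%s\n",
    var_export($first, true), var_export($second, true));
```

One caveat for model B in a real deployment: the "delete then compare" step is only single-use if two concurrent requests cannot both read the token before either deletes it. PHP's default files session handler holds the session locked for the duration of a request, so concurrent requests for the same session serialize and the second one sees the token already removed; a custom database handler that does not lock the row needs an atomic consume instead (for example a DELETE keyed on the token value, treating zero affected rows as a failed check).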


Messages In This Thread
CSRF and double posting - by PaulD - 06-18-2016, 11:03 PM
RE: CSRF and double posting - by skunkbad - 06-19-2016, 12:05 AM
RE: CSRF and double posting - by John_Betong - 06-20-2016, 09:25 PM
RE: CSRF and double posting - by skunkbad - 06-20-2016, 10:55 PM
RE: CSRF and double posting - by PaulD - 06-19-2016, 12:43 AM
RE: CSRF and double posting - by PaulD - 06-19-2016, 01:00 AM
RE: CSRF and double posting - by PaulD - 06-19-2016, 03:19 AM
RE: CSRF and double posting - by skunkbad - 06-19-2016, 09:30 AM
RE: CSRF and double posting - by PaulD - 06-19-2016, 03:06 PM
RE: CSRF and double posting - by skunkbad - 06-19-2016, 03:35 PM
RE: CSRF and double posting - by PaulD - 06-19-2016, 05:59 PM
RE: CSRF and double posting - by spjonez - 06-20-2016, 11:18 AM
RE: CSRF and double posting - by Narf - 06-20-2016, 12:26 PM
RE: CSRF and double posting - by spjonez - 06-20-2016, 12:37 PM
RE: CSRF and double posting - by Narf - 06-20-2016, 01:49 PM
RE: CSRF and double posting - by spjonez - 06-20-2016, 02:32 PM
RE: CSRF and double posting - by PaulD - 06-20-2016, 01:46 PM
RE: CSRF and double posting - by PaulD - 06-20-2016, 04:02 PM
RE: CSRF and double posting - by spjonez - 06-20-2016, 07:00 PM
RE: CSRF and double posting - by Narf - 06-21-2016, 03:38 AM
RE: CSRF and double posting - by spjonez - 06-21-2016, 08:54 AM
RE: CSRF and double posting - by Narf - 06-22-2016, 05:14 AM
RE: CSRF and double posting - by Martin7483 - 06-23-2016, 03:35 AM


