Server config causing CSRF triggers
#6

@spjonez I agree with you, but the app is used by a lot of people and not all of them have SSL certificates for their servers. Besides that, CI currently supports HTTP/1.1, which does not require HTTPS.

You are missing my point:
- The issue I am having with CSRF happens on an SSL connection and a non-encrypted connection. Enabling both cookie_httponly and cookie_secure and connecting via HTTPS still produces the 403 error, but not 403 as soon as CSRF gets turned off in config.php. Since CSRF doesn't get tripped with other server implementations, it tells me this is likely something to do with my FAMP stack and the way it's configured that does not play well with CSRF.
- My opinion about the CI implementation of CSRF was simply because it's preventing server-wide httponly via httpd.conf, which is shortsighted because there are non-CI implemented apps on servers and it's nice to force XSS protection via Apache without having to stick a .htaccess everywhere.


Messages In This Thread
RE: Server config causing CSRF triggers - by objecttothis - 08-22-2017, 11:28 AM
SOLUTION - by objecttothis - 09-07-2017, 04:16 AM


