Server config causing CSRF triggers
#10

(08-22-2017, 01:45 PM)dave friend Wrote: The CSRF token is only verified when
  1. $config['csrf_protection'] = TRUE; in config.php
  2. The server method is POST

Does your hardening turn every GET into a POST?

If the request is not POST, then the 403 errors are due to some reason other than CSRF.

When POSTing, the CSRF token_name/token_hash needs to be part of the posted data.

Thanks for the reply.  The request is indeed POST.  I looked through my configuration and I don't see anything indicating GET requests are being turned into POST.  I've attached redacted versions of my php.ini, httpd.conf and httpd-ssl.conf.  Perhaps someone can see something that I'm missing.

I wish I could view more of the output of CSRF, such as a verbose log of what exactly it's hanging up on.

Attached Files
.txt   httpd.txt (Size: 14.33 KB / Downloads: 39)
.txt   httpd-ssl.txt (Size: 2.24 KB / Downloads: 30)
.txt   php.txt (Size: 6.78 KB / Downloads: 28)
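
The checks described in the quoted reply, written out as a diagnostic that names the first condition a request fails. This is an added example, not part of the original posts and not CodeIgniter's own code; the function name `csrf_diagnose`, the token-versus-cookie comparison and all sample values are assumptions constructed for illustration.

```php
<?php
// Added example: report why a CSRF check would skip, reject or accept a request.
// $cfg mirrors config.php keys; $method, $post and $cookies are the request as PHP saw it.
function csrf_diagnose(array $cfg, string $method, array $post, array $cookies): string
{
    if (empty($cfg['csrf_protection'])) {
        return 'skipped: csrf_protection is not TRUE';
    }
    if (strtoupper($method) !== 'POST') {
        return "skipped: request method is $method, not POST";
    }
    $field  = $cfg['csrf_token_name'];
    $cookie = ($cfg['cookie_prefix'] ?? '') . $cfg['csrf_cookie_name'];
    if (!isset($post[$field])) {
        return "rejected: POST field '$field' is missing";
    }
    if (!isset($cookies[$cookie])) {
        return "rejected: cookie '$cookie' did not reach PHP";
    }
    if (!is_string($post[$field]) || !is_string($cookies[$cookie])) {
        return 'rejected: token is not a plain string';
    }
    // Constant-time comparison so the check itself leaks nothing about the token.
    if (!hash_equals($cookies[$cookie], $post[$field])) {
        return 'rejected: POST token and cookie token differ';
    }
    return 'accepted';
}

// Constructed sample configuration and requests (not taken from the attached files).
$cfg = ['csrf_protection' => TRUE, 'csrf_token_name' => 'csrf_test_name',
        'csrf_cookie_name' => 'csrf_cookie_name', 'cookie_prefix' => ''];
$tok = str_repeat('ab', 16); // constructed 32-character token
$samples = [
    'GET request'      => ['GET',  [], []],
    'token not posted' => ['POST', [], ['csrf_cookie_name' => $tok]],
    'cookie stripped'  => ['POST', ['csrf_test_name' => $tok], []],
    'stale token'      => ['POST', ['csrf_test_name' => 'old'], ['csrf_cookie_name' => $tok]],
    'matching token'   => ['POST', ['csrf_test_name' => $tok], ['csrf_cookie_name' => $tok]],
];
foreach ($samples as $label => [$method, $post, $cookies]) {
    printf("%-18s %s\n", $label, csrf_diagnose($cfg, $method, $post, $cookies));
}
```

In an application, pass `$_SERVER['REQUEST_METHOD']`, `$_POST` and `$_COOKIE` in place of the sample arrays and write the returned string to the application log.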