Server config causing CSRF triggers
#17

(09-07-2017, 06:33 AM)spjonez Wrote: Is cookie_httponly set to false? If security is your primary concern this should be set to true which will break the code you posted. Instead of reading the cookie from JS, return the new token with every AJAX call and store it in a variable for subsequent requests.

csrf_regenerate set to true will also cause 403 issues if you make concurrent AJAX calls.

cookie_httponly is currently set to false. We will later rework the code to allow httponly to be enabled.

csrf_regenerate is set to true and so far the AJAX calls haven't been doing things like giving a 200 on the first and 403 on subsequent.

Like I said in my last post, this is clearly being caused by an incompatibility between suhosin.cookie.encrypt and CI's CSRF implementation. That's not to say that your suggestions can't be the cause of problems, but in my case it's suhosin.


Messages In This Thread
SOLUTION - by objecttothis - 09-07-2017, 04:16 AM
RE: Server config causing CSRF triggers - by objecttothis - 09-07-2017, 06:47 AM


