Community Auth Token Name
#1

I am using CodeIgniter 3 and Community Auth. My login was working fine until I recently turned off CI CSRF due to AJAX issues and I am now using the tokens helper.

All of my jQuery code references a specific token name, let's call it my_token. So I want to continue to use this token name versus Community Auth's default token name "token". I am using form_open() on my login form and I added a hidden element for my_token and I changed the Community Auth token name in /application/third_party/community_auth/config/authentication.php to "my_token".

When I try to log in nothing happens. When I check the log file, the submitted form token is not in the jar. I've tried several changes to get this to work, however it only works if I leave the token name as "token". Am I missing some other setting? My site is live so any help would be greatly appreciated.

DEBUG - 2018-01-18 01:57:52 -->
string = myusername
password = abc123
form_token = e03cc701
token_jar = {"0":"f0c0d018","1":"e1610819","2":"8e9a3ac9","3":"3fa0bedb","4":"35144229","5":"579e4e9d","6":"8097b9a7","7":"3330737d","8":"34814180","9":"2835bd8c","11":"7d232b67"}
#2

I think this needs a look, but if I recall correctly, the login token is different because if it was the same as your other forms CA might think your other form post is a login attempt. Give me a couple days to look at this, and see what I can do.
#3

(01-18-2018, 12:27 AM)skunkbad Wrote: I think this needs a look, but if I recall correctly, the login token is different because if it was the same as your other forms CA might think your other form post is a login attempt. Give me a couple days to look at this, and see what I can do.

OK, thank you. Based on your comments, I think in the meantime that I will change the name back to token and modify the Auth form helper to add hidden element my_token as well, when using form_open().
#4

Modifying /community_auth/helpers/MY_form_helper.php for now has resolved the issue.

I added $form .= '<input type="hidden" name="my_token" value="'.html_escape($value).'" style="display:none;" />'."\n"; right before return $form;.

If this needs to be a permanent solution, I will add a custom CI config variable for the name versus hard coding.
#5

(01-18-2018, 08:14 AM)reesethebeast Wrote: Modifying /community_auth/helpers/MY_form_helper.php for now has resolved the issue.

I added $form .= '<input type="hidden" name="my_token" value="'.html_escape($value).'" style="display:none;" />'."\n"; right before return $form;.

If this needs to be a permanent solution, I will add a custom CI config variable for the name versus hard coding.

I'd still like to take a look at CA and see what needs to be done. I just need to make the time to do it. I can't say what the solution is, but maybe CA should not allow for the login token to be renamed as a config var. As the name is hard coded into the Authentication library, it's that way because the Authentication library needs a unique name. I think what you're asking is, do we need two token names ... and the answer may be yes.
#6

(01-18-2018, 09:04 AM)skunkbad Wrote:
(01-18-2018, 08:14 AM)reesethebeast Wrote: Modifying /community_auth/helpers/MY_form_helper.php for now has resolved the issue.

I added $form .= '<input type="hidden" name="my_token" value="'.html_escape($value).'" style="display:none;" />'."\n"; right before return $form;.

If this needs to be a permanent solution, I will add a custom CI config variable for the name versus hard coding.

I'd still like to take a look at CA and see what needs to be done. I just need to make the time to do it. I can't say what the solution is, but maybe CA should not allow for the login token to be renamed as a config var. As the name is hard coded into the Authentication library, it's that way because the Authentication library needs a unique name. I think what you're asking is, do we need two token names ... and the answer may be yes.

Thanks for the reply. Yes, I think 2 tokens are needed or at least 2 names. This solution is working for now and I will await the results of your research.
#7

(This post was last modified: 01-18-2018, 09:46 AM by reesethebeast.)

(01-18-2018, 09:29 AM)reesethebeast Wrote:
(01-18-2018, 09:04 AM)skunkbad Wrote:
(01-18-2018, 08:14 AM)reesethebeast Wrote: Modifying /community_auth/helpers/MY_form_helper.php for now has resolved the issue.

I added $form .= '<input type="hidden" name="my_token" value="'.html_escape($value).'" style="display:none;" />'."\n"; right before return $form;.

If this needs to be a permanent solution, I will add a custom CI config variable for the name versus hard coding.

I'd still like to take a look at CA and see what needs to be done. I just need to make the time to do it. I can't say what the solution is, but maybe CA should not allow for the login token to be renamed as a config var. As the name is hard coded into the Authentication library, it's that way because the Authentication library needs a unique name. I think what you're asking is, do we need two token names ... and the answer may be yes.

Thanks for the reply. Yes, I think 2 tokens are needed or at least 2 names. This solution is working for now and I will await the results of your research.

Sorry, I spoke too soon. It looks like any AJAX request is now killing my session/logging me out.
#8

I made two commits this morning:

https://bitbucket.org/skunkbad/community...ommits/all

These commits have not been merged into the master branch, but you could test them out and tell me what your experience is.
#9

Thanks. I will implement these changes and test.
#10

(This post was last modified: 01-18-2018, 11:19 PM by reesethebeast.)

Skunkbad,

After some trial and error, I just decided to change all of my AJAX code to use token versus my_token. This seems to work, for the first submission.

In a previous forum post of mine you stated "Since using a token removes it from the array of tokens, if you are using AJAX then you need to pass back a new token, and apply it to the hidden form element. You get a new token with $this->tokens->token();".

I have a table of records and a delete button on each row. As the first deletion works and the subsequent clicks fail, this means the token was removed from the jar. So based on your statement, I should pass back a new token from the AJAX call in my JSON response and update (via jQuery) the current hidden form element to contain the new token value, correct?
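The behaviour discussed in this thread (a submitted token is removed from the jar, so a second AJAX request sent with the same hidden-field value is rejected), modelled as an added example that is not part of the original posts and is not Community Auth code. `TokenJar`, `deleteRow`, `clickDelete`, `demo` and the jar size limit are hypothetical names and assumptions; `field` stands in for the hidden form element.

```javascript
// Web Crypto is global in browsers and current Node; older Node exposes it via the module.
const webCrypto = globalThis.crypto ?? require('crypto').webcrypto;

// Hypothetical stand-in for a server-side jar of single-use form tokens.
class TokenJar {
  constructor(max = 10) { this.max = max; this.tokens = []; } // max is an assumption
  issue() {
    // 4 random bytes -> 8 hex characters, the token shape seen in the log above.
    const bytes = webCrypto.getRandomValues(new Uint8Array(4));
    const token = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
    this.tokens.push(token);
    if (this.tokens.length > this.max) this.tokens.shift(); // drop the oldest
    return token;
  }
  // A submitted token is accepted once, then removed from the jar.
  consume(token) {
    const i = this.tokens.indexOf(token);
    if (i === -1) return false;
    this.tokens.splice(i, 1);
    return true;
  }
}

// Constructed delete endpoint: checks the token, then returns a fresh one in the JSON.
function deleteRow(jar, rows, body) {
  if (!jar.consume(body.token)) return { ok: false, error: 'token not in jar' };
  rows.delete(body.id);
  return { ok: true, token: jar.issue() };
}

// Client side. With jQuery the update would be $('input[name="token"]').val(res.token).
function clickDelete(jar, rows, field, id, rotate) {
  const res = deleteRow(jar, rows, { id, token: field.value });
  if (rotate && res.ok) field.value = res.token; // write the new token into the form
  return res;
}

// Three delete clicks in a row, with and without applying the returned token.
function demo(rotate) {
  const jar = new TokenJar();
  const rows = new Set([1, 2, 3]);      // constructed table rows
  const field = { value: jar.issue() }; // token rendered into the page
  const results = [1, 2, 3].map(id => clickDelete(jar, rows, field, id, rotate).ok);
  return { results, remaining: [...rows] };
}
```

`demo(false)` reproduces the symptom from post #10 (first deletion accepted, later clicks rejected); `demo(true)` applies the token from each response and all three deletions pass.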



