(02-08-2018, 08:11 AM)dave friend Wrote: I suspect that session and or cookie configs are wrong. Care to share those config settings?
Researching this further, there are some threads that mention the csrf programming in ion_auth can be dropped in favour of the csrf protection built-in to CI 3.x. If I enable csrf protection using settings below I get the following error when I submit a form:
Code:
An Error Was Encountered
The action you have requested is not allowed.
My understanding is all of the checks for csrf protection are done automatically by CI. The form I tested did not use ion_auth csrf protection.
These are the config statements for csrf protection taken from application/config/config.php
PHP Code:
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();
These are the config statements for sessions taken from application/config/config.php
PHP Code:
$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = 'ci_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;
These are the config statements for cookies taken from application/config/config.php
PHP Code:
$config['cookie_prefix'] = '';
$config['cookie_domain'] = '';
$config['cookie_path'] = '/';
$config['cookie_secure'] = FALSE;
$config['cookie_httponly'] = FALSE;