csrf token and cookie
I am having a challenge implementing csrf protection on two projects based on CI 3.x. As far as I know, my code is not unconventional. Submission of any form results in:
`An Error Was Encountered`
I have looked at numerous solutions to such a problem posted on the web.
`$config['base_url'] = 'http://betasite.lh.com/';`
Since `$config['csrf_regenerate'] = TRUE;` is it necessary to set the csrf cookie in the controller for my application? Thank you for taking the time to read this.
The CSRF mechanism typically requires no intervention on your part. If you do go about messing with the csrf cookie you're likely to make matters worse.
As you know, when using `$config['csrf_regenerate'] = TRUE;` the CSRF cookie is set with a new hash value every time a POST request is made to the server. GET requests do not check the CSRF credentials and do not regenerate the CSRF hash. Why is typically underlined above? No intervention is needed if you're doing straight-up HTTP form processing, i.e. the browser:
On the other hand, if you're using AJAX to make POST requests, recall that each POST results in a new CSRF hash. If you don't supply the new hash to the currently loaded page, the next POST will fail during csrf_verify(). The intervention required amounts to passing the new credentials back to the AJAX handler and incorporating that info into the next POST request. Incorporating the credentials can be done by either updating the value of the hidden CSRF field or by manipulating the data the AJAX request will send. Is there any AJAX involved in your implementation? If not, and if you have not added any code trying to outsmart the CSRF implementation, then it's hard to offer more advice without seeing the relevant controller and view code.