Trouble with CSRF again (cookies?) lol
#3

Are you talking about the place in the documentation where it tells you to do this?

PHP Code:
$csrf = array(
    'name' => $this->security->get_csrf_token_name(),
    'hash' => $this->security->get_csrf_hash()
);

...

<input type="hidden" name="<?=$csrf['name'];?>" value="<?=$csrf['hash'];?>" />

I know we are doing this on all our forms, and until I set $config['csrf_protection'] to FALSE I know I've seen hashes in the hidden input element... I will try re-enabling it late tonight and double-check, but as far as I know that was not the issue...

And in case it would help, here's the rest of my settings
PHP Code:
$config['csrf_protection']   = FALSE;
$config['csrf_token_name']   = 'my_csrf_token_name';
$config['csrf_cookie_name']  = 'csrf';
$config['csrf_expire']       = 7200;
$config['csrf_regenerate']   = FALSE;
$config['csrf_exclude_uris'] = array();
...
$config['cookie_prefix']     = '';
$config['cookie_domain']     = '';
$config['cookie_path']       = '/';
$config['cookie_secure']     = FALSE;
$config['cookie_httponly']   = FALSE;

A couple of things to point out:
  • As you can see, the cookie settings are all still the defaults; I didn't see anything in the documentation suggesting the need to change them, and they worked in development.  In production, our IT guys have set up an automatic redirect to HTTPS, so "cookie_secure" didn't seem necessary.  Could that be it?  Like maybe you type in "ourapp.com" and it defaults to HTTP, creates a token, then redirects and the token is invalid?  One thing I'm going to test tonight is whether I get the error when explicitly typing https:// (to try to rule that out).  If that's the case, maybe just setting "cookie_secure" would fix it...
  • In the actual CSRF settings, I have "csrf_regenerate" set to FALSE.  This is because of that comment in the docs about how leaving it at TRUE can cause problems with the back button and all that.
  • Also, we do have our own token name (similar to the one I posted above in length and characters used).  One guy on Stack Overflow said his name was getting changed by CI because he had dots in it, but I ruled this one out (I think). :)
Thanks again & have an awesome weekend!
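The documentation snippet and the $config keys quoted in the post are two halves of one mechanism: CodeIgniter's CSRF check compares the value of the cookie named csrf_cookie_name with the value of the POST field named csrf_token_name. The script below is an added, self-contained illustration of that double-submit pattern, not code from the post or from the CodeIgniter project; the function names (csrf_issue, csrf_hidden_input, csrf_verify) and the sample values are assumptions made for the example. Its verify step returns a reason string instead of a bare false, so a missing cookie (the usual symptom of a cookie_secure, cookie_domain or cookie_path mismatch, or of a cookie issued on one scheme and never sent back on the other) can be told apart from a missing or mismatched form field when an error like the one described is being chased.

```php
<?php
// Added example (not from the forum post or CodeIgniter): a minimal
// double-submit CSRF flow so the cookie/hidden-field relationship is visible.
// Function names and sample values below are assumptions for illustration.

declare(strict_types=1);

// Settings mirror the $config keys quoted in the post; values are constructed.
$config = [
    'csrf_token_name'  => 'my_csrf_token_name',
    'csrf_cookie_name' => 'csrf',
    'csrf_expire'      => 7200,
    'cookie_path'      => '/',
    'cookie_domain'    => '',
    'cookie_secure'    => true,   // cookie is only sent back over HTTPS
    'cookie_httponly'  => false,  // CI leaves the CSRF cookie readable by JS
];

// Issue a fresh random hash together with the parameters a real request
// handler would pass to setcookie() (omitted here so the script runs on CLI).
function csrf_issue(array $config): array
{
    $hash = bin2hex(random_bytes(16));
    return [
        'hash'   => $hash,
        'cookie' => [
            'name'     => $config['csrf_cookie_name'],
            'value'    => $hash,
            'expires'  => time() + $config['csrf_expire'],
            'path'     => $config['cookie_path'],
            'domain'   => $config['cookie_domain'],
            'secure'   => $config['cookie_secure'],
            'httponly' => $config['cookie_httponly'],
        ],
    ];
}

// Render the hidden input the same way the documentation snippet does,
// escaping both attributes so the token name cannot break out of the tag.
function csrf_hidden_input(string $tokenName, string $hash): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s" />',
        htmlspecialchars($tokenName, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($hash, ENT_QUOTES, 'UTF-8')
    );
}

// Verify a POST: the field named csrf_token_name must be present and must
// equal the cookie named csrf_cookie_name. Returns null on success or a
// reason string on failure so logs show which half went missing.
function csrf_verify(array $config, array $post, array $cookies): ?string
{
    $field  = $post[$config['csrf_token_name']]     ?? null;
    $cookie = $cookies[$config['csrf_cookie_name']] ?? null;

    if (!is_string($cookie) || $cookie === '') {
        return 'csrf cookie missing: check cookie_secure/domain/path and any scheme redirect';
    }
    if (!is_string($field) || $field === '') {
        return 'csrf field missing from POST body';
    }
    // Constant-time comparison; never compare tokens with == or ===.
    if (!hash_equals($cookie, $field)) {
        return 'csrf field does not match cookie';
    }
    return null;
}

// Constructed walk-through: issue a token, render the form field, then replay
// the POST with and without the cookie the browser should send back.
$issued = csrf_issue($config);
echo csrf_hidden_input($config['csrf_token_name'], $issued['hash']), PHP_EOL;

$post    = [$config['csrf_token_name'] => $issued['hash']];
$cookies = [$config['csrf_cookie_name'] => $issued['hash']];

var_dump(csrf_verify($config, $post, $cookies)); // both halves present and equal
var_dump(csrf_verify($config, $post, []));       // browser did not send the cookie
var_dump(csrf_verify($config, [], $cookies));    // form posted without the field
```

Run it with `php csrf_example.php`. The three var_dump calls at the end correspond to the three situations worth distinguishing on the server: a valid submission, a request where the browser withheld the cookie, and a request where the form itself lacked the hidden input.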


Messages In This Thread
Trouble with CSRF again (cookies?) lol - by mfox - 08-15-2018, 01:49 PM
RE: Trouble with CSRF again (cookies?) lol - by mfox - 08-16-2018, 12:00 PM