Error at Login - "The action you requested is not allowed"
#1

(This post was last modified: 01-31-2023, 08:53 PM by spreaderman.)

I recently copied my website from one domain to another. Unfortunately, login does not work anymore. In the session dir, I can see this in the ci_session txt file:

__ci_last_regenerate|i:[snip number];error|s:40:"The action you requested is not allowed.";__ci_vars|a:1:{s:5:"error";s:3:"new";}

Not sure how to debug this or the meaning of the error message. Any pointers appreciated.

When I moved over the site, I did delete all session ids.

Running https only on both sites.
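As an added example (not code from the thread), a small PHP CLI script that decodes a ci_session record like the one quoted above and reports which keys are plain userdata, flashdata or tempdata, which is what `__ci_vars` tracks. The sample record is constructed with a made-up timestamp and assumes the default PHP session serializer.

```php
<?php
// Added example: decode a CodeIgniter 4 file-handler session record.
// Assumes session.serialize_handler = php (the default).

// Constructed sample in the shape of the ci_session file quoted in the thread;
// the timestamp is made up.
$raw = '__ci_last_regenerate|i:1675200000;'
     . 'error|s:40:"The action you requested is not allowed.";'
     . '__ci_vars|a:1:{s:5:"error";s:3:"new";}';

function decodeCiSession(string $raw): array
{
    // session_decode() needs an active session: start one without cookies
    // and abort afterwards so nothing is written back to disk.
    ini_set('session.use_cookies', '0');
    ini_set('session.serialize_handler', 'php');
    session_start();
    $_SESSION = [];
    $ok   = session_decode($raw);
    $data = $_SESSION;
    session_abort();
    if (!$ok) {
        throw new RuntimeException('session record could not be decoded');
    }
    return $data;
}

$session = decodeCiSession($raw);
$vars    = $session['__ci_vars'] ?? [];

foreach ($session as $key => $value) {
    if ($key === '__ci_vars') {
        continue;
    }
    // In CI4, __ci_vars marks flashdata as 'new' (set on the last request,
    // shown on the next) or 'old' (expiring now); an integer is a tempdata expiry.
    $mark  = $vars[$key] ?? null;
    $label = $mark === null ? 'userdata'
           : (is_int($mark) ? "tempdata (expires {$mark})" : "flashdata ({$mark})");
    printf("%-22s %-26s %s\n", $key, $label, json_encode($value));
}
```

For the record above this prints `error` as `flashdata (new)`, i.e. the CSRF filter set the message during the failed POST and the next page load will display it.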
#2

(This post was last modified: 01-31-2023, 09:27 PM by kenjis.)

It is the error message when CSRF token check fails.
See https://codeigniter4.github.io/CodeIgnit...rgery-csrf
#3

(01-31-2023, 09:16 PM)kenjis Wrote: It is the error message when CSRF token check fails.
See https://codeigniter4.github.io/CodeIgnit...rgery-csrf

Hi Kenjis, many thanks for that link. I have read through it again. I cannot find my error. The code is a copy from another website that works. I merely changed the domain. Both use SSL, env changed domains, deleted all sessions just to be safe. I checked that the forms on both sites are identical and that the token is included in the form on both sites. I only exempt an Api and Admin route per below. File permissions and ownership checked and are identical (drwxr-xr-x 2 www-data www-data 1327104 Feb 2 04:29 session). Anything I am missing? Much appreciate your feedback.

Code:
public $globals = [
    'before' => [
        'csrf' => ['except' => ['Api/*', 'Admin/*']],
    ],
    'after' => [
        'toolbar',
    ],
];
#4

When you try to login, what happens?

Unfortunately I cannot see your screen, so
"login does work anymore" shows nothing to me.
#5

(This post was last modified: 02-02-2023, 09:37 PM by spreaderman.)

(02-02-2023, 03:20 AM)kenjis Wrote: When you try to login, what happens?

Unfortunately I cannot see your screen, so
"login does work anymore" shows nothing to me.

Here is my login form:

Code:
<?= $this->extend('__templates/user_public/bootswatch'); ?>

<?= $this->section('title'); ?>Login<?= $this->endSection(); ?>

<?= $this->section('content'); ?>

<div class="container">
      
    <?php
    $form = array(
        'class'       => 'form-control border-0',
    );

    $email = array(
        'name'        => 'email',
        'id'          => 'floatingInput',
        'value'       => old('email'),
        'style'       => '',
        'class'       => 'form-control',
        'placeholder' => '[email protected]'
    );

    $password = array(
        'name'        => 'password',
        'id'          => 'floatingPassword', // must match the label's for="floatingPassword" and not repeat the email field's id
        'type'        => 'password',
        'style'       => '',
        'class'       => 'form-control',
    );
    ?>
    
    <div class="form-group">
        <?= form_open('/login', $form); ?>
        
        <!-- show errors -->
        <?php echo bootstrapAlert(); ?>
        
         <h1>Login</h1>
            <label class="form-label mt-4">Please log in</label>
            <div class="form-floating col-md-5  mt-4">
                <?= form_input($email); ?>
                <label for="floatingInput">Email Address</label>
            </div>
            <div class="form-floating col-md-5 mt-4">
                 <?= form_password($password); ?>
                <label for="floatingPassword">Password</label>
            </div>
            <div class="lfloat  mt-4">
                <button class="btn btn-primary">Login</button> <a href="/password/forgot">Forgot Password?</a>
            </div>
        </form>
     </div>
    
</div> <!-- end container -->

<?= $this->endSection(); ?>

This is my route:

Code:
$routes->match(['get', 'post'], '/login',  'User_public\Login\Login_Controller::login_create',   ['filter' => 'LoggedInNoAccessFilter']);

and this is my login controller:

Code:
public function login_create()
{
    $auth = new \App\Libraries\Authentication;
    if ($this->request->getMethod() === 'post') {
        //echo $this->input->server('REQUEST_METHOD');
        //echo "here"; die();
        $email    = $this->request->getPost('email');
        $password = $this->request->getPost('password');
        // check username/password and whether the user is banned
        if (($auth->login($email, $password)) && (!$this->is_banned($this->get_user_ip()))) {
            $redirect_url = session('redirect_url') ?? '/';
            unset($_SESSION['redirect_url']);
            //print_r($this->log_useragent()); die();
            return redirect()->to($redirect_url)
                             ->with('info', 'Login Successful');
        } else {
            // add entry to login_fail table
            $this->login_fail_create();
            if ($this->is_banned($this->get_user_ip())) {
                return redirect()->back()
                                 ->with('warning', 'User Banned')
                                 ->withInput();
            } else {
                return redirect()->back()
                                 ->with('warning', 'Invalid Credentials or Account Not Activated')
                                 ->withInput();
            }
        }
    } else {
        // make the right menu item active
        $this->data['active_menu'] = 'login_create';
        return view('User_public/Login/login_create', $this->data);
    }
}

I have just noticed that after I post the form, this appears to be false and skips it.

Code:
if ($this->request->getMethod() === 'post') {

but no idea why :-(

When I submit, it is simply redirected to / my home page.

Also, when I open the page at /login, I delete the log file... then I click the login button. I placed log_message but there is nothing in the log file! When I initially load the page, the log shows GET.

Code:
    public function login_create()
    {
        log_message('error', $this->request->getMethod());
#6

How did you configure CSRF protection filter?
#7

Here is my filter:

Code:
<?php

namespace Config;

use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;
use CodeIgniter\Filters\DebugToolbar;
use CodeIgniter\Filters\Honeypot;

class Filters extends BaseConfig
{
    public $aliases = [
        'csrf'                   => CSRF::class,
        'toolbar'                => DebugToolbar::class,
        'honeypot'               => Honeypot::class,
        'login'                  => \App\Filters\LoginFilter::class,
        'admin'                  => \App\Filters\AdminFilter::class,
        'LoggedInNoAccessFilter' => \App\Filters\LoggedInNoAccessFilter::class,
    ];

    public $globals = [
        'before' => [
            'csrf' => ['except' => ['Api/*', 'Admin/*']],
        ],
        'after' => [
            'toolbar',
        ],
    ];

    public $methods = [];

    public $filters = [
        'login' => [
            'before' => [
                'Tasks(/*)?',
                'Admin/*',
                'User_private/*',
                'Profile/*', // was written as 'Profile/*'. (a dot), which concatenated it with the next pattern
                'profileimage/*',
            ],
        ],

        'admin' => [
            'before' => [
                'admin/*',
            ],
        ],

        'LoggedInNoAccessFilter' => [
            'before' => [
                'LoggedInNoAccessFilter',
            ],
        ],
    ];
}
#8

You are using form_open() and global csrf filter, so CSRF token will be set automatically.
So CSRF protection should work.

If you set $redirect to false, you will see an Exception when the CSRF check fails.
https://codeigniter4.github.io/CodeIgnit...on-failure
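As an added example (not the thread author's file), an `app/Config/Security.php` for CodeIgniter 4 with `$redirect` switched off for debugging, so a failing CSRF check surfaces as a `SecurityException` with the message quoted in this thread instead of a silent redirect back to the form. The other property names are the ones the framework's Security config defines; the values shown are the usual defaults and are assumed, not taken from the thread.

```php
<?php
// Added example: app/Config/Security.php with redirect-on-failure disabled
// while debugging a CSRF problem. Property names follow CodeIgniter 4's
// Config\Security; values are assumed defaults.

namespace Config;

use CodeIgniter\Config\BaseConfig;

class Security extends BaseConfig
{
    // 'cookie' (token stored in a cookie) or 'session' (token stored in the session)
    public $csrfProtection = 'cookie';

    // Randomize the token in the form so it differs per page render
    public $tokenRandomize = false;

    // Field name emitted by form_open() / csrf_field() and checked on POST
    public $tokenName = 'csrf_test_name';

    // Header checked for AJAX/JSON requests that cannot post a form field
    public $headerName = 'X-CSRF-TOKEN';

    // Cookie that carries the token when $csrfProtection is 'cookie'
    public $cookieName = 'csrf_cookie_name';

    // Token lifetime in seconds
    public $expires = 7200;

    // Issue a fresh token after each request
    public $regenerate = true;

    // false while debugging: the filter throws SecurityException
    // ("The action you requested is not allowed.") with a stack trace
    // instead of redirecting back with a flash message.
    // Set it back to true before the site goes live.
    public $redirect = false;

    // SameSite attribute of the CSRF cookie
    public $samesite = 'Lax';
}
```

When a site is moved to a new domain with cookie-based protection, it is also worth checking `app/Config/Cookie.php`: a `$domain`, `$secure` or `$prefix` value that still matches the old host means the browser never returns the CSRF cookie, and every POST then fails this check.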
#9

(This post was last modified: 02-03-2023, 12:22 AM by luckmoshy.)

Of course, CI 4+ has strong CSRF capability and CSRF is not concerned with your filter. In my basic opinion, try to turn off
Code:
CSRF
then try if it is working. Also try to clear the cache:
Code:
php spark cache:clear
On your new server, the server may sometimes take a while to accept a new cache. Another solution: try to remove the // in front of
PHP Code:
$routes->match(['get', 'post'], 'login', 'User_public\Login\Login_Controller::login_create', ['filter' => 'LoggedInNoAccessFilter']);

Another way: try to check the PHP version. These have given some headaches in the past. Now there is also CSRF attention needed on CI 4.3.1; I have recently faced the same on this new version with its Shield Auth.
#10

Many thanks for your suggestions luckmoshy.

This worked!! :-)
Code:
php spark cache:clear

It is strange because sometimes login works and sometimes not. As the above command worked, I will monitor it to see when/why *it* fails again.

When you say, turn off CSRF, you mean it would be better to implement manually?

You mean I should also try by *adding* // in front of the route and not using routing, as a test?