Error at Login - "The action you requested is not allowed

(This post was last modified: 02-08-2023, 08:44 PM by spreaderman.)

The problem is back so clearing the cache was not the issue, it appears.

I am not seeing this in the console:

Access to XMLHttpRequest at 'https://www.example.com/?debugbar_time=1675914178' from origin 'https://example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

You can add this to your .htaccess file for CORS:

## .htaccess Control For CORS Configuration

# Add Font Awesome Font Types
AddType application/vnd.ms-fontobject .eot
AddType application/x-font-ttf        .ttf
AddType application/x-font-opentype   .otf
AddType application/font-woff         .woff
AddType application/font-woff2        .woff2

<IfModule mod_headers.c>
    <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|svg|svgz|jpg|png|ico|font.css|css|js)$">
        ## un-remark this one for all access and remark out the one below it
        ## very un-secure!!!
        #Header set Access-Control-Allow-Origin "*"
        ## Change this to your local host url, and https or http
        Header add Access-Control-Allow-Origin "https://yoursite.com"
        Header add Access-Control-Allow-Methods "GET,POST,OPTIONS,DELETE,PUT"
        Header add Access-Control-Allow-Headers "Upgrade-Insecure-Requests"
    </FilesMatch>
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Remove index.php from URL
    RewriteCond %{HTTP:X-Requested-With}    !^XMLHttpRequest$
    RewriteCond %{THE_REQUEST}              ^[^/]*/index\.php [NC]
    RewriteRule ^index\.php(.*)$            $1 [R=301,NS,L]
</IfModule>
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )

InsiteFX, many thanks for your suggestion. I also saw your comments to others with similar issues. I wonder why the site works completely fine on one domain but won't work on a new domain. Big puzzle for me. I'd appreciate hearing your thoughts.

I think I found the error. In the initial domain, I set env as development. On the new domain, I set it to production; however, in the production env I had commented out the CSRF security.

Sometimes it's the way the host has set up their server configuration.

(This post was last modified: 02-11-2023, 03:37 AM by luckmoshy.)

My final opinion: make sure your env cookie settings are set well; this includes the domain and path, and also do not forget to set CSRF protection to session, not cookie.
Check here, how do you do it?
cookie.prefix = ''
cookie.expires = 300  # for testing!!!
cookie.path = '/'
cookie.domain = 'your domain.com'
cookie.secure = true
cookie.httponly = false
cookie.samesite = 'Lax'
cookie.raw = false

And here:
security.csrfProtection = 'session'
security.tokenRandomize = true
security.tokenName = 'csrf_token_name'
security.headerName = 'X-CSRF-TOKEN'
security.cookieName = 'csrf_cookie_name'
security.expires = 7200
security.regenerate = true
security.redirect = true
security.samesite = 'Lax'

As I said at first, make sure you turn CSRF off first; this will help you trace what caused the issue, because your issue looks like it is based only on CSRF. And if you use a content policy, try to comment it out #!!!

CI 4+, as I told you, has strong CSRF; with any minor mistake, expect to get this (The action you requested is not allowed), especially with sessions and cookies whatsoever.
Codeigniter First, Codeigniter Then You!!


(This post was last modified: 02-13-2023, 03:52 AM by spreaderman.)

I very much appreciate additional comments from luckmoshy and InsiteFX.

I think I isolated the problem. It was difficult to find. Sometimes I could log in and sometimes login would not work. It seems to work when I use www.example.com but not example.com (with www removed). What is the best way to handle this? I also noticed that the error on my debug bar about CORS occurs in the same way, namely, when I remove www it produces an error as mentioned before.

Also, luckmoshy and all, I have some questions as follows:

In my dotenv file I have added:

app.CSRFProtection  = true
app.CSRFTokenName  = 'csrf_example_token'
app.CSRFCookieName  = 'csrf_example_cookie'
app.CSRFExpire      = 7200
app.CSRFRegenerate  = true
app.CSRFExcludeURIs = []
app.CSRFSameSite    = 'Lax'

See the above names, but when I look at my login form, in which I use form_open to auto-generate the CSRF field, the name is different. It is called csrf_test_name.

<input type="hidden" name="csrf_test_name" value="53fd0c2c[snipsnip]10ad" />
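As an added illustration (not code from the thread or from CodeIgniter), here is a small Python model of the RFC 6265 cookie-scoping rules a browser applies; the host names are constructed. It shows why a session cookie set on www.example.com with cookie.domain left empty is a host-only cookie that the browser will never send to example.com, so a form posted to the bare domain arrives without the session (and therefore without its CSRF token), while setting cookie.domain to the apex domain covers both host names.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredCookie:
    name: str
    domain: str      # lower-case, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host, cookie_domain):
    """RFC 6265 s5.1.3: identical, or a subdomain of a non-IP cookie domain."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(request_host)
        return False  # "203.0.113.5" must never match a "domain" of "0.113.5"
    except ValueError:
        return request_host.endswith("." + cookie_domain)


def store_cookie(name, set_by_host, domain_attr):
    """RFC 6265 s5.3 steps 4-6: record the cookie's scope, or None if the browser
    rejects it because Domain does not cover the host that set it."""
    if not domain_attr:  # no Domain attribute (empty cookie.domain): host-only cookie
        return StoredCookie(name, set_by_host.lower(), host_only=True)
    domain = domain_attr.lower().lstrip(".")
    if not domain_matches(set_by_host, domain):
        return None
    return StoredCookie(name, domain, host_only=False)


def will_be_sent(cookie, request_host):
    """RFC 6265 s5.4 step 1: host-only cookies need an exact host match."""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


def session_cookie_reaches(set_by_host, domain_attr, request_host):
    """Does a cookie set on set_by_host (with this Domain attribute) reach request_host?"""
    cookie = store_cookie("ci_session", set_by_host, domain_attr)
    return cookie is not None and will_be_sent(cookie, request_host)


if __name__ == "__main__":
    print(session_cookie_reaches("www.example.com", None, "example.com"))  # False: the thread's symptom
    print(session_cookie_reaches("www.example.com", "example.com", "example.com"))  # True
```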

You fix that by doing this redirect in your .htaccess file.
You will need to change domain and tld to your site.

# permanently redirect from www domain to non-www domain
RewriteEngine on
Options +FollowSymLinks
RewriteCond %{HTTP_HOST} ^www\.domain\.tld$ [NC]
RewriteRule (.*) http://domain.tld/$1 [R=301,L]
