Error at Login - "The action you requested is not allowed"
The problem is back so clearing the cache was not the issue, it appears.
Am not seeing this in the console; Access to XMLHttpRequest at 'https://www.example.com/?debugbar_time=1675914178' from origin 'https://example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
You can add this to your .htaccess file for CORS
Code: ## .htaccess Control For CORS Configuration
What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
InsiteFX, many thanks for your suggestion. I also saw your comments to others with similar issues. I wonder why the site works completely fine on one domain but won’t work on a new domain. Big puzzle for me. I would appreciate hearing your thoughts.
I think I found the error. In the initial domain, I set env as development. On the new domain, I set it to production; however, in the production env I had commented out the CSRF security.
Sometimes it's the way that the host has set up their server's configuration.
What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
My final opinion: make sure your env cookie are set well, this includes domain pass, and also do not forget session set, not cookie.
Check here, how do you do???
Code: cookie.prefix = ''
and here
Code: security.csrfProtection = 'session'
As I firstly said, make sure first you turn CSRF off; this will help you to trace the issue caused, because your issue looks like it is based only on CSRF, and if you use content policy try to comment #!!! CI 4+, as I told, has strong CSRF; any minor mistake, expect to have this (The action you requested is not allowed), especially on session and cookies whatsoever.
Codeigniter First, Codeigniter Then You!!
yekrinaDigitals
I very much appreciate additional comments from luckmoshy and InsiteFX.
I think I isolated the problem. It was difficult to find. Sometimes I could log in and sometimes log in would not work. It seems to work when I used www.example.com but not example.com (with www removed). What is the best way to handle this? I also noticed the error on my debug bar about CORS occurs in the same way, namely, when I remove www it produces an error as mentioned before.
Also, luckmoshy and all, I have some questions as follows;
In my dotenv file I have added;
Code: app.CSRFProtection = true
see above names, but when I look at my login form in which I use form_open to auto generate csrf, the name is different. It is called csrf_test_name.
Code: <input type="hidden" name="csrf_test_name" value="53fd0c2c[snipsnip]10ad" />
You fix that by doing this redirect in your .htaccess file.
You will need to change domain and tld to your site.
Code: # permanently redirect from www domain to non-www domain
What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
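Added example (not part of the thread and not CodeIgniter's code): a simplified Python model of why the login is rejected on example.com but accepted on www.example.com, and why serving the site from a single host fixes it. It assumes one backend answers for both hostnames, the session cookie is set without a Domain attribute, and the form posts to the www host, as the debug bar request in the console error does; the `Server`, `cookie_sent` and `login` names are hypothetical.

```python
# Simplified model (assumption): host-only cookies per RFC 6265 plus a
# session-bound CSRF token. Not CodeIgniter's implementation.
import secrets


def cookie_sent(set_by_host, domain_attr, request_host):
    """Return True if a browser would attach the cookie to request_host."""
    if domain_attr is None:                      # host-only cookie
        return request_host == set_by_host
    d = domain_attr.lstrip(".").lower()          # Domain=example.com covers subdomains
    return request_host == d or request_host.endswith("." + d)


class Server:
    """One backend answering for both hostnames, sessions keyed by cookie value."""

    def __init__(self, cookie_domain=None):
        self.cookie_domain = cookie_domain
        self.sessions = {}                       # session id -> CSRF token

    def get_login_form(self, host):
        sid, token = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[sid] = token
        cookie = {"value": sid, "host": host, "domain": self.cookie_domain}
        return cookie, token                     # token goes into the hidden field

    def post_login(self, host, jar, form_token):
        sent = [c for c in jar if cookie_sent(c["host"], c["domain"], host)]
        expected = self.sessions.get(sent[0]["value"]) if sent else None
        if expected is None or not secrets.compare_digest(expected, form_token):
            return "The action you requested is not allowed."
        return "OK"


def login(page_host, form_action_host, cookie_domain=None):
    """Load the form on page_host, then submit it to form_action_host."""
    server = Server(cookie_domain)
    cookie, token = server.get_login_form(page_host)
    return server.post_login(form_action_host, [cookie], token)


if __name__ == "__main__":
    # Constructed hostnames matching the thread's placeholders.
    print(login("www.example.com", "www.example.com"))  # page and form on one host
    print(login("example.com", "www.example.com"))      # bare host page, www form action
    print(login("example.com", "example.com"))          # after redirecting to one host
    # Shared cookie domain also passes, but exposes the cookie to every subdomain.
    print(login("example.com", "www.example.com", cookie_domain="example.com"))
```

The redirect only helps if the configured base URL names the same host the redirect lands on; otherwise the form and the page still sit on different hosts.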