Csrf not working sometimes
#1

(This post was last modified: 03-16-2023, 08:42 AM by Uhrien.)

Hello, I'm new to CodeIgniter 4, but I was using CodeIgniter 3 before for a year, more or less.
I'm facing an issue that I don't understand:
CSRF security sometimes is not working, even with the hidden input carrying the CSRF name and hash.

In each of my forms I've added the input in this way, <input type="hidden" name="<?= csrf_token() ?>" value="<?= csrf_hash() ?>" />, as the documentation says.
The posts are correctly submitted and the security seems to work, but sometimes, with any form, it throws me the security exception.
It happens randomly, as if the CSRF token was not updated, even with non-AJAX forms.

These are my CSRF settings:

Code:
<?php

namespace Config;

use CodeIgniter\Config\BaseConfig;

class Security extends BaseConfig
{
    /**
    * --------------------------------------------------------------------------
    * CSRF Protection Method
    * --------------------------------------------------------------------------
    *
    * Protection Method for Cross Site Request Forgery protection.
    *
    * @var string 'cookie' or 'session'
    */
    public string $csrfProtection = 'session';

    /**
    * --------------------------------------------------------------------------
    * CSRF Token Randomization
    * --------------------------------------------------------------------------
    *
    * Randomize the CSRF Token for added security.
    */
    public bool $tokenRandomize = true;

    /**
    * --------------------------------------------------------------------------
    * CSRF Token Name
    * --------------------------------------------------------------------------
    *
    * Token name for Cross Site Request Forgery protection.
    */
    public string $tokenName = 'ica_token';

    /**
    * --------------------------------------------------------------------------
    * CSRF Header Name
    * --------------------------------------------------------------------------
    *
    * Header name for Cross Site Request Forgery protection.
    */
    public string $headerName = 'ICA_X-CSRF-TOKEN';

    /**
    * --------------------------------------------------------------------------
    * CSRF Cookie Name
    * --------------------------------------------------------------------------
    *
    * Cookie name for Cross Site Request Forgery protection.
    */
    public string $cookieName = 'ica_cookie';

    /**
    * --------------------------------------------------------------------------
    * CSRF Expires
    * --------------------------------------------------------------------------
    *
    * Expiration time for Cross Site Request Forgery protection cookie.
    *
    * Defaults to two hours (in seconds).
    */
    public int $expires = 7200;

    /**
    * --------------------------------------------------------------------------
    * CSRF Regenerate
    * --------------------------------------------------------------------------
    *
    * Regenerate CSRF Token on every submission.
    */
    public bool $regenerate = true;

    /**
    * --------------------------------------------------------------------------
    * CSRF Redirect
    * --------------------------------------------------------------------------
    *
    * Redirect to previous page with error on failure.
    */
    public bool $redirect = false;

    /**
    * --------------------------------------------------------------------------
    * CSRF SameSite
    * --------------------------------------------------------------------------
    *
    * Setting for CSRF SameSite cookie token.
    *
    * Allowed values are: None - Lax - Strict - ''.
    *
    * Defaults to `Lax` as recommended in this link:
    *
    * @see https://portswigger.net/web-security/csr...te-cookies
    *
    * @deprecated `Config\Cookie` $samesite property is used.
    */
    public string $samesite = 'Lax';
}

Any ideas why it happens?

php 8.1.12
codeigniter 4.3.2
#2

(This post was last modified: 03-17-2023, 02:47 AM by captain-sensible. Edit Reason: forgot to add some points )

No idea, but in a form this works for me:

Code:
<div class ="flex2">
    <div class ="content">
    <div class="d-flex justify-content-center">
            <?= form_open_multipart('newblog'); ?>
            <?= csrf_field() ?>

Then the controller that accepts the data from the form checks with:

Code:
$lucky = $this->request->getVar(csrf_token());
#3

(03-17-2023, 02:45 AM)captain-sensible Wrote: No idea, but in a form this works for me:

Code:
<div class ="flex2">
<div class ="content">
<div class="d-flex justify-content-center">
      <?= form_open_multipart('newblog'); ?>
<?= csrf_field() ?>

Then the controller that accepts the data from the form checks with:

Code:
$lucky = $this->request->getVar(csrf_token());

I noticed that you are using the form_open function. If I'm not wrong, form_open automatically includes the csrf_field, and in the controller it is not necessary to check for CSRF validation because CI4 does it by itself.

I've set regeneration to false for now, just to test whether the security exception happens again. The project is actually in use for work at my company, and for now it seems to work, but yesterday it did the same: working all day and in the evening throwing the security exception. I was thinking that the problem may be caused by 2 users logged in who do different POST actions and update the CSRF token value, but I'm not sure of it because with tests I can't reproduce the issue (even with 2 users). Waiting until the end of the day to check if the problem still occurs.
#4

It happened again right now. I left the login page open for a long time (2 hours, more or less) and I was not logged in. Now I tried to log in and it threw me the access forbidden exception. I tried again and it let me log in. Maybe if I leave the page open and the CSRF session cookie expires, it will not regenerate itself, even with the hidden input in the form?
#5

Yes, if the session or CSRF cookie has expired, a CSRF error occurs,
because the CSRF protection checks that the token value in the session/cookie is the same as the POSTed token.
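The two failure modes described in this thread (a form left open past $expires in post #4, and a second user or tab submitting after the token was regenerated in post #3) both come down to the comparison post #5 describes: the server only accepts a POSTed hash that equals the one it currently holds. The script below is an added example, not CodeIgniter's own Security filter or any code from this thread; it is a minimal session-backed token store that mirrors the $expires and $regenerate settings from the posted config. The class name CsrfStore, the in-memory array standing in for $_SESSION, and the injected $now clock are assumptions made so the run is reproducible.

```php
<?php
// Added example (not CodeIgniter code): a minimal CSRF token store that
// reproduces the expiry and regeneration behaviour discussed in the thread.
// CsrfStore, the $session array (stands in for $_SESSION) and the $now
// parameter are constructed for this demo.

final class CsrfStore
{
    private array $session = [];   // constructed stand-in for $_SESSION

    public function __construct(
        private int $expires = 7200,      // seconds, as in Config\Security
        private bool $regenerate = true,  // regenerate on every submission
    ) {}

    /** Hash to embed in the form; issues a fresh one if none is stored or it expired. */
    public function tokenForForm(int $now): string
    {
        $t = $this->session['csrf'] ?? null;
        if ($t === null || $t['expires'] <= $now) {
            $this->session['csrf'] = [
                'hash'    => bin2hex(random_bytes(16)),
                'expires' => $now + $this->expires,
            ];
        }
        return $this->session['csrf']['hash'];
    }

    /** What the filter does on POST: compare the submitted hash with the stored one. */
    public function verify(?string $posted, int $now): bool
    {
        $t = $this->session['csrf'] ?? null;
        if ($t === null || $t['expires'] <= $now || $posted === null) {
            return false;                           // never issued, or expired server-side
        }
        $ok = hash_equals($t['hash'], $posted);     // constant-time comparison
        if ($ok && $this->regenerate) {
            unset($this->session['csrf']);          // next form render gets a new hash
        }
        return $ok;
    }
}

function show(string $label, bool $ok): void
{
    echo str_pad($label, 44) . ($ok ? 'accepted' : 'rejected') . PHP_EOL;
}

$store = new CsrfStore(expires: 7200, regenerate: true);
$t0 = 1_000_000;   // constructed clock value

// 1. Normal round trip: render the form, submit a minute later.
$hash = $store->tokenForForm($t0);
show('fresh token, submitted after 60 s', $store->verify($hash, $t0 + 60));

// 2. Two tabs (or two users sharing one session) render the same hash.
//    Tab A submits first and triggers regeneration; tab B's still-open
//    form now carries a hash the server no longer holds.
$shared = $store->tokenForForm($t0 + 120);
show('tab A submits shared token', $store->verify($shared, $t0 + 130));
show('tab B submits the same token afterwards', $store->verify($shared, $t0 + 140));

// 3. Page left open past $expires: the hash in the HTML is unchanged, but
//    the server-side copy has expired, so the check fails exactly as in post #4.
$old = $store->tokenForForm($t0 + 200);
show('token submitted 7201 s after render', $store->verify($old, $t0 + 200 + 7201));
```

Running it prints one line per case: the first submission is accepted, tab B's reuse of the shared hash is rejected because tab A's submission already regenerated it, and the submission after the expiry window is rejected even though the form field was never touched. Setting regenerate to false, as post #3 tried, makes case 2 pass but leaves case 3 unchanged, which matches the timeline reported in post #4.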