When I post data it throws a security error

I am a raw newbie and obviously doing something wrong. I have been developing software commercially since 1980, but this is my first foray into CodeIgniter4.

I have trawled through the documentation and Googled my way up many blind alleys over the past three days, so I truly have tried to figure it out for myself, but clearly I need assistance.

I have a simple login form app/Views/login. It asks for username and password and has a submit button.

I have a simple controller app/Controllers/Login as the default entry point to my application. It has two public functions: index and process.

Originally it had only the index function which tried to handle everything, but when I did a var_dump of the incoming data, it was always null, so I decided to split the logic for handling post data into a second function.

I have routes set as follows:

Code:

$routes->get('/', 'Login::index');
$routes->post('process', 'Login::process');

The first route works fine, but when I enter my username and password and hit the submit button, the second route throws a security error:

Code:

CodeIgniter\Security\Exceptions\SecurityException #403
The action you requested is not allowed.

The error information includes the 'Request' tab and I see my data present in the request as expected, but I have no idea why I am hitting a security error.

My topology is the web server and application run on a laptop in my office and I use my PC to connect to it. I get the same behaviour whether I use a browser on the server, or on my PC.

Both machines are running Fedora 38 and the latest Google Chrome browsers.

My problem is twofold: why was the arriving data reported as being null before I split the logic and why am I now getting a security error?

I am certain the answer is staring me in the face, but I just cannot see it.

I do not want to switch off security for obvious reasons, so I need to solve the problem rather than work around it.

Any suggestions would be gratefully received.

You use the csrf filter in app/Config/Filters.php the $globals property? If so, you need to look at the documentation https://codeigniter4.github.io/userguide...html-forms
Sample  code + in view template use form_open(), form_close()

PHP Code:

<?php
    // class Login

    public function login()
    {
        helper('form');

        if ('post' === $this->request->getMethod()) {
            $input = $this->request->getPost(null);
            
            // many action with post

            if (Services::validation()->run($input)) {
                // save process

                return redirect()->to('/');
            }
        }

        return view('/user/login', ['errors' => Services::validation()->getErrors()]);
    } 


Simple CI 4 project for beginners codeigniter-expenses ( topic )

I may have stumbled across the solution: in the documentation it states form_open() inserts a hidden csrf field into the form, but I could not see that anywhere.

After a bit more reading, I decided to add  "<?= csrf_field() ?>" to my view immediately following the form_open(). Now I no longer get a security error and the correct function is being called.

If this is not the correct solution, I would be grateful for any suggestions

---

You use the csrf filter in app/Config/Filters.php the $globals property? If so, you need to look at the documentation https://codeigniter4.github.io/userguide...html-forms
Sample  code + in view template use form_open(), form_close()

PHP Code:

<?php
    // class Login

    public function login()
    {
        helper('form');

        if ('post' === $this->request->getMethod()) {
            $input = $this->request->getPost(null);
            
            // many action with post

            if (Services::validation()->run($input)) {
                // save process

                return redirect()->to('/');
            }
        }

        return view('/user/login', ['errors' => Services::validation()->getErrors()]);
    } 


This is the same thing I was talking about. Only insert the csrf field manually. Mark the topic as resolved

Simple CI 4 project for beginners codeigniter-expenses ( topic )

This is the same thing I was talking about. Only insert the csrf field manually. Mark the topic as resolved

Yes, it has been resolved by realising the documentation regarding form_open() is misleading:
1. form_open() is not inserting the csrf field automatically as documented and I have to do that manually.
2. form_open() is documented to use $baseURL but it does not. form_open('login') generates a url "http://mysite/index.php/login", but form_open(base_url('login')) generates "http://mysite/login" which is digestible by Routes.php.

I am marking the thread as solved because I can move on by working around how the documentation differs from reality.

Many thanks for your help because the code snippet you posted is so much simple than my clumsy effort.

PHP Code:

<?= form_open('/admin/group/edit/user') ?> or <?= form_open() ?>

<form action="http://localhost:3000/admin/group/edit/user" method="post" accept-charset="utf-8">
<input type="hidden" name="csrf_test_name" value="c02f01c0fee24fb6322c8ad59ca266b4"> 


All working. But there is another problem with opening the form. 
If the 'csrf' config an empty 'except' array, then there will be no token.

PHP Code:

    public array $globals = [
        'before' => [
            'csrf' => [
                'except' => [
                    // csrf_token not insert
                    // 'api/*',
                ],
            ],
    ... 


Simple CI 4 project for beginners codeigniter-expenses ( topic )