Welcome Guest, Not a member yet? Register   Sign In
Problme with Curl request and CSRF protection

Good morning, afternoon or evening, sorry for my English in advance.

I am porting to CI4 an old web application, and I am having the following problem when calling the API using Curl from another web application, it is made with CI3.

From that other application, although with different domain is on the same server, at a given time I make a POST request through Curl, but the communication fails and in the log generated by Curl I see that the problem is by CSRF. (I change the IP and URL for security reasons)

*  Trying 127.0.01:443...
* Connected to subdomain.myweb.com ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*  start date: Feb  5 21:12:35 2024 GMT
*  expire date: Mar  8 21:12:35 2025 GMT
*  issuer: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x563eb1e89480)
> POST /index.php/api/koolpass.php HTTP/2
Host: ubdomain.myweb.com
accept: */*
keep-alive: timeout=100, max=100
connection: keep-alive
content-length: 2491
content-type: application/x-www-form-urlencoded

* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 8)!
* We are completely uploaded and fine
< HTTP/2 403
* Added cookie PHPSESSID="70a3d8a88b2a1cf540d6eb984696275d" for domain ubdomain.myweb.com, path /, expire 0
< set-cookie: PHPSESSID=70a3d8a88b2a1cf540d6eb984696275d; path=/; secure; HttpOnly
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< content-type: text/html; charset=UTF-8
< content-length: 563
< date: Wed, 22 May 2024 11:28:38 GMT
< server: OPNsense
<html><head><title>CSRF check failed</title>
              $( document ).ready(function() {
                  'beforeSend': function(xhr) {
                      xhr.setRequestHeader("X-CSRFToken", "WHdKODJaeEdpd3BlemFjQStXQmVVdz09" );
                  <p>CSRF check failed. Your form session may have expired, or you may not have cookies enabled.</p>
                  </body></html>* Connection #0 to host educafestival.koolfest.com left intact

I have tried different configurations of CSRF, the same with Curl, but nothing, it keeps on failing and the truth is that I am already desperate.

This is the Curl code from the platform that sends the request:

PHP Code:
$ch curl_init();
$params http_build_query($params);
 if (
strtoupper($method) == 'POST'curl_setopt($chCURLOPT_POSTtrue);


$headers = [
'Keep-Alive: timeout=100, max=100',
'Connection: keep-alive'

// Verbose
$file fopen('curl.txt''w+');

 if (
curl_setopt($chCURLOPT_HTTPHEADER, array(
'Authorization: ' $apiKey

$resp curl_exec($ch);

And this is how I have configured the filter for CSRF, I even tried commenting it out.

PHP Code:
public array $globals = [
        'before' => [
            // 'honeypot',
            'csrf' => ['except' => ['api/*''index.php/api/*']],
            // 'invalidchars',
        'after' => [
            // 'honeypot',
            // 'secureheaders',

Thanks in advance

Hello, I think you should make sure that the request from the other application includes the CSRF token in the appropriate header or form field. In your Curl code, you're not explicitly setting the CSRF token. You can retrieve the CSRF token from the CI4 application and include it in your Curl request. For example, you can add the following line before making the Curl request:

curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'X-CSRFToken: ' . csrf_hash()

This assumes that you're using the default 'X-CSRFToken' header name for CSRF tokens in your CI4 application. Adjust the header name if you're using a different one.

It is not possible to get the correct CSRF for another domain/folder with the project. 

The except filter should have worked. Have you installed it on the requested domain?
Simple CI 4 project for beginners codeigniter-expenses

Theme © iAndrew 2016 - Forum software by © MyBB