CI 2: "The action you have requested is not allowed."
#21

[eluser]solid9[/eluser]
*bump*
#22

[eluser]kroguz[/eluser]
hmmm....I have the same issue here......All my browsers (Firefox, Safari, IE, Google Chrome) work except for Opera.

I think my problem is that my php server (I am using xampp [for testing]) can't read the cookies of Opera or Opera wouldn't let it read the cookies.

Why am I talking about cookies? The CSRF protection in CodeIgniter requires cookies for it to work. The server takes the CSRF hash from your cookies and compares it to the CSRF in the POST request.

To ensure my guess was correct (that Opera wouldn't let my server read the cookies or vice versa) and that the problem was not made by CodeIgniter, I created a new directory with one index.php file. (The content was hosted on my xampp server)

The content was:
Code:
<?php
$name = 'whatisyourproblemopera';
setcookie('name',$name,time() + (86400* 7));
print_r($_COOKIE);
?>

(I had to refresh the page twice, because otherwise I wouldn't have gotten the newly set cookie.)

The cookie was created in ALL Browsers even Opera, but when I tried to print the content of the $_COOKIE, I get nothing from Opera........FF, Chrome, Safari, IE returned the content of the cookie, but Opera didn't.

The result that was returned from all browsers except Opera was "Array ( [name] => whatisyourproblemopera )"

So,.....

EDIT: I just uploaded the same script to my website (domain) and this time Opera returned the content of the cookie :D

Seems like my locally hosted server can't read the cookies of Opera or Opera wouldn't let it......Or it could also be that Opera doesn't return cookies that aren't stored in domains ^^..........

Example:

Cookie Name - Cookie Path - Site name => Opera Result

Cookie1 - "/" - localhost => None (cookie is created, but content not returned)
Cookie2 - "/" - 12.0.0.2 => None (cookie is created, but content not returned)
Cookie3 - "/" - example.com => true (cookie is created and its content is returned)

xD....it's a funny world :D


EDIT2: well that's awkward, I pressed some random buttons and then clicked the F5 button 5 times, and then Opera returned the content of the cookies on my localhost and IP address :d

What's this freaking problem.......It's killing me......
#23

[eluser]InsiteFX[/eluser]
Read this
#24

[eluser]csotelo[/eluser]
Hello, this information is really useful, should see it in the manual ... took several minutes looking for a solution to this.

I think that where CSRF protection is used, it would be better to fully use the form helpers. And in the case of $.ajax, use serialize(), or manually enter ALL the form fields.

Greetings.
#25

[eluser]DougW[/eluser]
I am having a strange problem with a Facebook app. I use CSRF on my main site. I have a Facebook app located at mydomain.com/subdir. This URL works fine in a browser but when run under Facebook I get the error we are all talking about. What is really strange is that I don't have ANY forms on this page! What can be causing it? Any ideas? Why would it work in a browser and not on Facebook?
#26

[eluser]Kobus M[/eluser]
[quote author="Ricardo Martins" date="1299034070"]I have a similar problem.
I have a method on a controller, that will receive $_POST data from an external webservice.
How can I disable CSRF only for this method?

I also tried $this->config->set_item('csrf_protection', FALSE);
but it doesn't work.

Thank you very much[/quote]

Sorry for resurrecting this, but I ran into this as well, and found another solution that may help someone.

In my case, I do an Ajax post, and thus also got the same problem that you all got. I have solved it by doing this:

Code:
$.post("' . base_url() . 'contact/admin/reorder_items/' . $form . '" + order, {' . $this->security->get_csrf_token_name() . ' : "' . $this->security->get_csrf_hash() . '"});

Instead of this:

Code:
$.post("' . base_url() . 'contact/admin/reorder_items/' . $form . '" + order, function(reorderResponse) {});

within my $.post() call.

Regards,

Kobus
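Added example (not part of any post in this thread, and not CodeIgniter's own code): a simplified model of the cookie-versus-POST comparison kroguz describes, showing why a browser that does not send the cookie back and an Ajax POST without the token field both end in the same error. `csrf_verify_model()` is a hypothetical stand-in; `csrf_test_name` and `csrf_cookie_name` are the CodeIgniter 2 config defaults, and the token and request data are constructed samples.

```php
<?php
// Simplified double-submit CSRF check (illustrative model, assumptions as stated above).
const TOKEN_NAME  = 'csrf_test_name';    // name of the POST field carrying the token
const COOKIE_NAME = 'csrf_cookie_name';  // name of the cookie carrying the same token

// Returns true when the request may proceed, false when it must be rejected.
function csrf_verify_model(array $post, array $cookie): bool
{
    // Nothing was posted, so there is nothing to protect.
    if (count($post) === 0) {
        return true;
    }
    // Both copies must be present: the cookie the browser sends back
    // and the field the form (or the Ajax call) submits.
    if (!isset($post[TOKEN_NAME], $cookie[COOKIE_NAME])) {
        return false;
    }
    // Reject array-valued input before comparing.
    if (!is_string($post[TOKEN_NAME]) || !is_string($cookie[COOKIE_NAME])) {
        return false;
    }
    // Constant-time comparison of the two copies.
    return hash_equals($cookie[COOKIE_NAME], $post[TOKEN_NAME]);
}

$token = bin2hex(random_bytes(16)); // constructed sample token

// label => [POST data, cookies the browser sent]
$cases = [
    'form helper: hidden field + cookie' => [[TOKEN_NAME => $token, 'order' => '3,1,2'], [COOKIE_NAME => $token]],
    'browser did not send the cookie'    => [[TOKEN_NAME => $token, 'order' => '3,1,2'], []],
    'Ajax POST without the token field'  => [['order' => '3,1,2'], [COOKIE_NAME => $token]],
    'Ajax POST with the token added'     => [['order' => '3,1,2', TOKEN_NAME => $token], [COOKIE_NAME => $token]],
    'token does not match the cookie'    => [[TOKEN_NAME => 'stale-value'], [COOKIE_NAME => $token]],
    'page load with no POST data'        => [[], []],
];

foreach ($cases as $label => [$post, $cookie]) {
    $ok = csrf_verify_model($post, $cookie);
    printf("%-36s %s\n", $label, $ok ? 'allowed' : 'The action you have requested is not allowed.');
}
```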
#27

[eluser]Cope99[/eluser]
I've found a solution to this problem which is quite simple. I removed the div with the display:none style surrounding the csrf_protection input. The div is not relevant since the input type is set to hidden.
In CodeIgniterFolder/system/helpers/form_helper.php, I changed the following content (around line 75):

Code:
if (is_array($hidden) AND count($hidden) > 0)
{
$form .= sprintf("<div >%s</div>", form_hidden($hidden));
}

for the following one :

Code:
if (is_array($hidden) AND count($hidden) > 0)
{
$form .= form_hidden($hidden);
}
#28

[eluser]InsiteFX[/eluser]
1) You should never change a CodeIgniter system file!

If you need to change a CodeIgniter system file you create a MY_ class or helper or extend the class.

.application/helpers/MY_form_helper

Then make the changes.
#29

[eluser]Cope99[/eluser]
I've submitted the push request on GitHub for the next version and it has been approved, so I don't see a problem making this modification. I know it's not a good practice, but on the next version, it will be included, if ever it's released. This won't cause any more problems and will solve the "THE ACTION YOU HAVE REQUESTED IS NOT ALLOWED." error.
The exact syntax is the following:

Code:
if (is_array($hidden))
{
  foreach ($hidden as $name => $value)
  {
    $form .= '<input type="hidden" name="'.$name.'" value="'.form_prep($value).'" />'."\n";
  }
}



