Codeigniter 2.0 CSRF Problem
[eluser]lennierb5[/eluser]
I had CSRF protection set to TRUE and ran into the following problem: if my $config['base_url'] was set to something like "http://mydomain.com/myproject/" and I attempted to log in / submit form data from the site http://www.mydomain.com/myproject/, it generates the error "An Error Was Encountered: The action you have requested is not allowed." The same thing happens if you go to http://myip/myproject and try to submit data; it seems like the hostname must exactly match the one supplied in $config['base_url']. Everything works fine if my hostname is exactly as supplied in $config['base_url']. Any ideas on how to fix this without turning off the CSRF protection?
[eluser]WanWizard[/eluser]
Fix your form actions, always construct them using base_url().
[eluser]lennierb5[/eluser]
My form action is correct, since I use form_open() from the Form Helper. This problem arises when the base_url does not match where the user currently is. If the user is at http://mydomain.com/myproject and tries to log in with a form action of http://www.mydomain.com/myproject or http://myip/myproject, it produces the error.
[eluser]Twisted1919[/eluser]
Code:

```php
// Only the opening condition of the snippet survived in the archive; per the
// thread, the body sets $config['base_url'] from the host the request came in on.
if (isset($_SERVER['HTTP_HOST']))
```
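A complete version of that idea for application/config/config.php, added here as an example (my code, not Twisted1919's snippet and not part of CodeIgniter). The hostnames are the ones from this thread and 203.0.113.10 is a placeholder for the server's IP. The allowlist goes beyond what the thread shows: base_url() still follows whichever of your known hostnames the visitor used, but an arbitrary Host header sent by a client cannot pick the base_url for you.

```php
<?php
// Added example for application/config/config.php (CodeIgniter 2.0).
// Derives $config['base_url'] from the Host header the browser actually used,
// so form_open() posts back to the same hostname the form was served from,
// whether the visitor arrived via mydomain.com, www.mydomain.com or the IP.
// The Host header is client-controlled, so it is checked against an allowlist
// instead of being trusted outright.
// Hostnames are the thread's examples; 203.0.113.10 is a placeholder IP.

$allowed_hosts = array(
    'mydomain.com',
    'www.mydomain.com',
    '203.0.113.10',   // placeholder for the server's public IP
);
$default_base_url = 'http://www.mydomain.com/myproject/';

// Returns the base URL to use for this request, or $default when the Host
// header is missing or not one of ours.
function ci_example_base_url(array $server, array $allowed_hosts, $default)
{
    if (empty($server['HTTP_HOST'])) {
        return $default;
    }

    // Hostnames are case-insensitive; keep an explicit numeric port if present.
    $host = strtolower($server['HTTP_HOST']);
    $port = '';
    if (strpos($host, ':') !== false) {
        list($host, $port) = explode(':', $host, 2);
        $port = ctype_digit($port) ? ':' . $port : '';
    }

    if (!in_array($host, $allowed_hosts, true)) {
        // Unknown Host header: fall back rather than let the client choose base_url.
        return $default;
    }

    $scheme = (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off')
        ? 'https' : 'http';

    // Directory the front controller lives in, e.g. "/myproject/" for
    // SCRIPT_NAME "/myproject/index.php", or "/" when it sits at the web root.
    $path = isset($server['SCRIPT_NAME'])
        ? rtrim(dirname($server['SCRIPT_NAME']), '/\\') . '/'
        : '/';

    return $scheme . '://' . $host . $port . $path;
}

$config['base_url'] = ci_example_base_url($_SERVER, $allowed_hosts, $default_base_url);
```

With this in place a visitor on http://mydomain.com/myproject gets forms that post to http://mydomain.com/myproject/..., so the CSRF cookie that CodeIgniter set for that host travels with the request and the token check can succeed; a request carrying an unlisted Host header simply gets the default base_url. Adding a new hostname or IP means adding it to $allowed_hosts.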
[eluser]lennierb5[/eluser]
I can see where something like this would work, but is this working as intended, where you have to write a script to determine your base_url host for the CSRF protection to work?
[eluser]WanWizard[/eluser]
How can the base_url be different from the host in the current URL? It shouldn't be. That still means you have a configuration issue. If you allow multiple hostnames to resolve to the same site, you have to use the code Twisted1919 posted (which looks quite familiar?) to make sure base_url() always follows the hostname.
[eluser]Bastian Heist[/eluser]
Using two domains for the same application isn't such a good approach anyway. Why not just do a redirect from domain.com to www.domain.com and get rid of that problem?
[eluser]lennierb5[/eluser]
This really is only a problem with the initial login, since all the links after that use the base_url. Since most sites can be accessed by www.thedomain.com, thedomain.com and sometimes their direct IP address, I figured there would be something built into CI to recognize this. If the DNS doesn't resolve, I still want users to be able to access the site via IP address if need be. I guess for this to work I will have to use the code above or disable the CSRF protection.