Codeigniter 2.0 CSRF Problem
#1

[eluser]lennierb5[/eluser]
I had CSRF protection set to TRUE and ran into the following problem:

If my $config['base_url'] was set to something like "http://mydomain.com/myproject/" and I attempted to login / submit form data from the site http://www.mydomain.com/myproject/ it generates the error:

An Error Was Encountered
The action you have requested is not allowed.

The same thing happens if you try http://myip/myproject and try to submit data; it seems like it must exactly match the hostname supplied in $config['base_url'].

Everything works fine if my hostname is exactly as supplied in the $config['base_url'].

Any ideas on how to fix this without turning off the CSRF protection?
#2

[eluser]WanWizard[/eluser]
Fix your form actions, always construct them using base_url().
#3

[eluser]lennierb5[/eluser]
My form action is correct since I use form_open() from the Form Helper. This problem arises when the base_url does not match where the user is currently. If the user is at http://mydomain.com/myproject and tries to login with a form action of http://www.mydomain.com/myproject or http://myip/myproject it produces the error.
#4

[eluser]Twisted1919[/eluser]
Code:
// Build base_url from the host the request actually arrived on
if(isset($_SERVER['HTTP_HOST']))
{
    // scheme: https only when the server reports HTTPS=on
    $config['base_url'] = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on' ? 'https' : 'http';
    // host as sent by the client (www.mydomain.com, mydomain.com, an IP, ...)
    $config['base_url'] .= '://'. $_SERVER['HTTP_HOST'];
    // directory part of the front controller path, e.g. /myproject/
    $config['base_url'] .= str_replace(basename($_SERVER['SCRIPT_NAME']), '', $_SERVER['SCRIPT_NAME']);
}
else
{
    // no Host header (CLI etc.): fall back to a fixed value
    $config['base_url'] = 'http://localhost/';
}
#5

[eluser]lennierb5[/eluser]
I can see where something like this would work, but is this working as intended, where you have to make a script to determine your base_url host for the CSRF protection to work?
#6

[eluser]WanWizard[/eluser]
How can the base_url be different from the host in the current URL? It shouldn't.

That still means you have a configuration issue. If you allow multiple hostnames to resolve to the same site, you have to use the code Twisted1919 posted (which looks quite familiar?), to make sure the base_url() always follows the hostname.
#7

[eluser]Bastian Heist[/eluser]
Using two domains for the same application isn't such a good approach anyway. Why not just do a redirect from domain.com to www.domain.com and get rid of that problem?
#8

[eluser]lennierb5[/eluser]
This really is only a problem with the initial login since all the links after that use the base_url. Since most sites can be accessed by www.thedomain.com, thedomain.com and sometimes their direct IP address, I figured there would be something built into CI to recognize this. If the DNS doesn't resolve I still want users to be able to access the site via IP address if need be. I guess for this to work I will have to use the code above or disable the CSRF protection.
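An added example, not code from any poster in this thread: it derives base_url from the request host the same way the snippet in post #4 does, but only after the host has been checked against an explicit allowlist, so a forged Host header cannot steer base_url (and every base_url()-built link and form action) to an arbitrary host. The hostnames and IP in $allowed_hosts are assumed values for this example.

```php
<?php
// Added example (not from the thread). Trust HTTP_HOST only when it is one of
// the hosts this site is legitimately served under; otherwise use a fixed value.

// Assumed values: the hostnames and address this site should answer on.
$allowed_hosts = array('mydomain.com', 'www.mydomain.com', '203.0.113.10');

function resolve_base_url(array $server, array $allowed_hosts, $fallback = 'http://localhost/')
{
    if (empty($server['HTTP_HOST'])) {
        return $fallback;
    }

    // Compare the bare host (without port) against the allowlist; keep the port for the result.
    $host = strtolower($server['HTTP_HOST']);
    $port = '';
    if (strpos($host, ':') !== false) {
        list($host, $port) = explode(':', $host, 2);
        $port = ':' . $port;
    }

    if (!in_array($host, $allowed_hosts, true)) {
        // Unknown host: do not echo it back into base_url.
        return $fallback;
    }

    $scheme = (isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on') ? 'https' : 'http';
    // Directory part of the front controller path, e.g. "/myproject/".
    $path = str_replace(basename($server['SCRIPT_NAME']), '', $server['SCRIPT_NAME']);

    return $scheme . '://' . $host . $port . $path;
}

$config['base_url'] = resolve_base_url($_SERVER, $allowed_hosts);
```

With this in place, a request for mydomain.com, www.mydomain.com or the listed IP gets a base_url on the same host, so the CSRF cookie and the form action agree, while any other Host value falls back to the fixed default.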