How to disable CSRF temporarily for callback controllers?
[eluser]jpwdesigns[/eluser]
Hi, thanks for the post first of all. I've got the code:
Code: if(stripos($_SERVER["REQUEST_URI"],'/callbacker') === FALSE)
However, I have a controller on a cron which runs the page not through wget, in order to avoid session overhead etc., like this:
cd /var/www/vhosts/mydomain.com/httpdocs; /usr/bin/php index.php controllername classname
This causes an error because the REQUEST_URI isn't there.
Code: <h4>A PHP Error was encountered</h4>
How can I get around that?
[eluser]Ricardo Martins[/eluser]
Try to use $_SERVER['SCRIPT_FILENAME'] == '/path/to/file.php' instead of REQUEST_URI.
[eluser]jpwdesigns[/eluser]
Unfortunately that produces a file path to index.php.
[eluser]jpwdesigns[/eluser]
OK, here is the solution (hack) I've got working, for anyone else needing it:
Code: if (isset($_SERVER["REQUEST_URI"]))
[eluser]Jacob Graf[/eluser]
Works great! Wish there was a more elegant solution, but this will do for now. Thanks!
[eluser]solid9[/eluser]
Okay, the code below worked for me:
Code: if(stripos($_SERVER["SCRIPT_FILENAME"],'reset_password_final') === FALSE)
But I don't know how to use this:
Code: $config['csrf_exclude_uris'] = array('api/person/add');
Would anyone like to explain to me how to use the last code? Thanks in advance.
[eluser]CroNiX[/eluser]
If the URL is www.theirsite.com/api/person/add, CSRF will not be run.
[eluser]Unknown[/eluser]
Here's my solution, which is not a hack and uses Eric Barnes' whitelist code check. What I also needed is control over what to do when encountering a CSRF error. CI just throws an error out of the box, which is not quite user friendly. So I extended the Security class to include the whitelist code and to use a variable instead of throwing an error message when the CSRF check fails. Then you should have a base controller whose constructor checks the variable to handle the CSRF error when it occurs. Here's an example that just redirects the user to the current URL:
Code: <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
The only thing you have to watch out for with this method is to properly handle the CSRF error on all your routes, otherwise your application's CSRF security will be voided. You should never let a request whose CSRF check has failed go through, so you should at least do a redirect or throw out an error. I hope that this will be useful for some of you, cheers! And here is the Security class code:
Code: <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
[eluser]theshiftexchange[/eluser]
Damn - I just found this post after I made my own solution. Oh well - in case people were wondering - this is my current solution for 2.1. This allows me to turn off CSRF for a specific URI. Could be improved - but you get the idea.
MY_Security.php
Code: <?php
In my case "welcome/remote" is my specific controller/function I don't want CSRF on.
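The MY_Security approach described in the last two posts, and the cron/CLI case from the opening post, written out as one added example (not code from any poster or from CodeIgniter itself). It assumes CodeIgniter 2.1's CI_Security class with its public csrf_verify() and csrf_set_cookie() methods, the config_item() helper, and a $config['csrf_exclude_uris'] array as shown above; the file path and the two method names prefixed with an underscore are hypothetical.

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

// application/core/MY_Security.php (hypothetical file name, CodeIgniter 2.1)
class MY_Security extends CI_Security {

    public function csrf_verify()
    {
        // A cron run such as "php index.php controller method" has no browser
        // session, hence no CSRF cookie to verify, and no REQUEST_URI or
        // REQUEST_METHOD in $_SERVER; skip instead of reading missing indexes.
        if (php_sapi_name() === 'cli' OR ! isset($_SERVER['REQUEST_METHOD']))
        {
            return $this;
        }

        // Exclusion is an exact match on the normalised path. A substring test
        // like stripos($uri, 'remote') would also exempt welcome/remote_admin
        // and silently widen the hole, so it is avoided here.
        if (strtoupper($_SERVER['REQUEST_METHOD']) === 'POST'
            AND $this->_csrf_uri_excluded($this->_request_path()))
        {
            // Keep issuing the cookie so the rest of the site still works.
            return $this->csrf_set_cookie();
        }

        // Everything else gets the normal token check from the core class.
        return parent::csrf_verify();
    }

    // Path part of the request, e.g. "welcome/remote" for /welcome/remote?x=1
    protected function _request_path()
    {
        $uri  = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
        $path = parse_url($uri, PHP_URL_PATH);
        return trim((string) $path, '/');
    }

    // TRUE when $path is listed in $config['csrf_exclude_uris'], e.g.
    // $config['csrf_exclude_uris'] = array('api/person/add', 'welcome/remote');
    protected function _csrf_uri_excluded($path)
    {
        $excluded = config_item('csrf_exclude_uris');
        if ($path === '' OR ! is_array($excluded))
        {
            return FALSE;
        }
        foreach ($excluded as $entry)
        {
            if (trim($entry, '/') === $path)
            {
                return TRUE;
            }
        }
        return FALSE;
    }
}
```

Each excluded URI is a POST endpoint that will accept requests from any origin, so the list should stay short and each entry should carry its own authentication (an API key or signature), as the earlier post about voided CSRF security warns.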