[eluser]llamasam[/eluser]
Yep, I've used form_open; the token is definitely there. The problem is with re-submitting the form after validation has failed. I think the problem has something to do with the csrf_verify method in CI's Security class:
Code:
public function csrf_verify()
{
    // If no POST data exists we will set the CSRF cookie
    // Here seems to be one problem as the $_POST array has
    // data in it after an invalid submission has been made
    if (count($_POST) == 0)
    {
        return $this->csrf_set_cookie();
    }

    // Do the tokens exist in both the _POST and _COOKIE arrays?
    if ( ! isset($_POST[$this->csrf_token_name]) OR ! isset($_COOKIE[$this->csrf_cookie_name]))
    {
        $this->csrf_show_error();
    }

    // Do the tokens match?
    if ($_POST[$this->csrf_token_name] != $_COOKIE[$this->csrf_cookie_name])
    {
        $this->csrf_show_error();
    }

    // Here seems to be another problem: if I comment out the unset $_POST
    // lines it seems to work, but I am uncertain of whether doing this
    // would have a negative effect on the way the CSRF protection works in CI
    // We kill this since we're done and we don't want to pollute the _POST array
    unset($_POST[$this->csrf_token_name]);

    // Nothing should last forever
    unset($_COOKIE[$this->csrf_cookie_name]);
    $this->_csrf_set_hash();
    $this->csrf_set_cookie();

    log_message('debug', "CSRF token verified");
}
It doesn't seem logical that this method doesn't take server-side validation into account. Does anyone have any suggestions on how to extend this method or class so that it does?
I have a few ideas, but how can the errors that get returned from the form helper be accessed from this class?
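The double-submit-cookie check that csrf_verify performs, and the failure mode described in the post (the form is re-rendered after server-side validation fails, so the hidden field must carry the token that matches the freshly rotated cookie), as an added stand-alone example. This is not CodeIgniter's code: the constant names, the function names (csrf_verify_request, csrf_new_hash, csrf_hidden_field) and the sample form data are assumptions made for the illustration, and the verifier is written as a pure function over the $post and $cookie arrays so the flow can be walked through offline.

```php
<?php
// Added example, not CodeIgniter's code: a minimal double-submit-cookie CSRF
// check that rotates the token after every verified request and hands the
// fresh token back to the caller, so a form re-rendered after failed
// server-side validation embeds a value that matches the new cookie.

const CSRF_TOKEN_NAME  = 'csrf_test_name';   // hidden form field name (assumed)
const CSRF_COOKIE_NAME = 'csrf_cookie_name'; // cookie name (assumed)

function csrf_new_hash(): string
{
    // 128 bits from the CSPRNG; hex so it is safe to embed in HTML/cookies
    return bin2hex(random_bytes(16));
}

/**
 * Verify a submission against the cookie. Returns 'ok' (bool), 'reason'
 * (string) and 'hash': the token the caller must set as the new cookie AND
 * embed in any form it renders for this response.
 */
function csrf_verify_request(array $post, array $cookie): array
{
    // No POST data: nothing state-changing happened, just make sure the
    // page about to be rendered has a token to work with.
    if (count($post) === 0) {
        $hash = $cookie[CSRF_COOKIE_NAME] ?? csrf_new_hash();
        return ['ok' => true, 'reason' => 'no-post', 'hash' => $hash];
    }

    // Both halves of the double submit must be present.
    if (!isset($post[CSRF_TOKEN_NAME], $cookie[CSRF_COOKIE_NAME])) {
        return ['ok' => false, 'reason' => 'missing-token', 'hash' => csrf_new_hash()];
    }

    // Constant-time comparison; a loose != is both timing-unsafe and type-juggled.
    if (!hash_equals((string) $cookie[CSRF_COOKIE_NAME], (string) $post[CSRF_TOKEN_NAME])) {
        return ['ok' => false, 'reason' => 'mismatch', 'hash' => csrf_new_hash()];
    }

    // Verified: rotate so the consumed token cannot be replayed.
    return ['ok' => true, 'reason' => 'verified', 'hash' => csrf_new_hash()];
}

function csrf_hidden_field(string $hash): string
{
    return '<input type="hidden" name="' . CSRF_TOKEN_NAME . '" value="'
         . htmlspecialchars($hash, ENT_QUOTES, 'UTF-8') . '">';
}

// --- Constructed walk-through of "resubmit after validation failed" ---
$cookies   = [CSRF_COOKIE_NAME => csrf_new_hash()];                     // first page load
$firstForm = [CSRF_TOKEN_NAME => $cookies[CSRF_COOKIE_NAME], 'email' => 'not-an-email'];

$r1 = csrf_verify_request($firstForm, $cookies);                        // tokens match
assert($r1['ok'] && $r1['reason'] === 'verified');

// Server-side validation of 'email' fails, so the form is shown again.
// The cookie is rotated and the SAME new hash goes into the re-rendered form.
$cookies[CSRF_COOKIE_NAME] = $r1['hash'];
$rerenderedField = csrf_hidden_field($r1['hash']);

// Second submission: corrected value plus the fresh token -> verifies.
$secondForm = [CSRF_TOKEN_NAME => $r1['hash'], 'email' => 'user@example.com'];
$r2 = csrf_verify_request($secondForm, $cookies);
assert($r2['ok'] && $r2['reason'] === 'verified');

// What goes wrong when the re-rendered form still carries the OLD token:
// the cookie has already moved on, so the resubmit is rejected.
$stale = [CSRF_TOKEN_NAME => $firstForm[CSRF_TOKEN_NAME], 'email' => 'user@example.com'];
$r3 = csrf_verify_request($stale, $cookies);
assert(!$r3['ok'] && $r3['reason'] === 'mismatch');

echo "first: {$r1['reason']}, second: {$r2['reason']}, stale resubmit: {$r3['reason']}", PHP_EOL;
echo $rerenderedField, PHP_EOL;
```

The point the walk-through makes is that the verifier itself does not need to know whether validation succeeded: whichever branch the controller takes, the response has to carry the hash the verifier returned, both as the cookie and in the hidden field of any form it renders. If the re-rendered form is built from the token that was already consumed, the next submission is correctly rejected as a mismatch.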