Tank Auth with CSRF Protection on
#1

[eluser]llamasam[/eluser]
Hi, I have been struggling to find a solution to this for hours now. If I have CSRF Protection enabled in CI I get a problem with Tank Auth's validation on the login form. If the form is submitted and login fails, when the form is re-submitted I get:

An Error Was Encountered
The action you have requested is not allowed.

Which I have figured out is to do with CSRF, but how to fix it is beginning to become incredibly frustrating!

Any help would be much appreciated; I know a few other people have had this problem as well.

Thanks
#2

[eluser]llamasam[/eluser]
Can anyone help with this please? It's driving me insane!
#3

[eluser]CroNiX[/eluser]
If CSRF is enabled, you need to pass the token in ALL of your forms. It's just a hidden form field that gets submitted with the rest of the form data.
#4

[eluser]CroNiX[/eluser]
Using the CI form helper, form_open(), will add this automatically as well.
#5

[eluser]llamasam[/eluser]
Yep, I've used form_open; the token is definitely there. The problem is with re-submitting the form after validation has failed. I think the problem has something to do with the csrf_verify method in CI's Security class:

Code:
public function csrf_verify()
{
    // If no POST data exists we will set the CSRF cookie

    // Here seems to be one problem as the $_POST array has
    // data in it after an invalid submission has been made
    if (count($_POST) == 0)
    {
        return $this->csrf_set_cookie();
    }

    // Do the tokens exist in both the _POST and _COOKIE arrays?
    if ( ! isset($_POST[$this->csrf_token_name]) OR ! isset($_COOKIE[$this->csrf_cookie_name]))
    {
        $this->csrf_show_error();
    }

    // Do the tokens match?
    if ($_POST[$this->csrf_token_name] != $_COOKIE[$this->csrf_cookie_name])
    {
        $this->csrf_show_error();
    }

    // Here seems to be another problem, if i comment out the unset $_POST
    // lines it seems to work, but i am uncertain of whether doing this
    // would have negative effect on the way the CSRF protection works in CI

    // We kill this since we're done and we don't want to polute the _POST array
    unset($_POST[$this->csrf_token_name]);

    // Nothing should last forever
    unset($_COOKIE[$this->csrf_cookie_name]);

    $this->_csrf_set_hash();
    $this->csrf_set_cookie();

    log_message('debug', "CSRF token verified");
}

It doesn't seem logical that this method doesn't take server-side validation into account. Does anyone have any suggestions on how to extend this method or class so that it does?

I have a few ideas but how can the errors that get returned from the form helper be accessed from this class?
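As an added illustration (not code from the thread, from Tank Auth or from CodeIgniter), the script below is a simplified stand-alone model of the verify-then-rotate flow in the csrf_verify() excerpt above: a successful check consumes the token and issues a new one, so a form re-displayed after failed validation must embed the rotated hash, and re-posting the old one is exactly what produces "The action you have requested is not allowed". The class, the token and cookie names, and the request arrays are all constructed for the demo.

```php
<?php
// Added stand-alone simulation of the verify-then-rotate flow in the
// csrf_verify() excerpt above; not CodeIgniter's code. Class, token and
// cookie names, and the request arrays are all constructed for the demo.
class CsrfDemo
{
    private $tokenName  = 'demo_csrf_token';   // constructed names
    private $cookieName = 'demo_csrf_cookie';
    private $hash;

    public function __construct() { $this->rotate(); }
    private function rotate() { $this->hash = bin2hex(random_bytes(16)); }

    // The value form_open() would embed in the hidden field: it is only
    // valid for the NEXT submission, because a successful check rotates it.
    public function currentHash() { return $this->hash; }

    // Mirrors csrf_verify(): true on success, false where CI would call
    // csrf_show_error(). $post / $cookie stand in for $_POST / $_COOKIE.
    public function verify(array &$post, array &$cookie)
    {
        if (count($post) == 0) {                 // plain GET: (re)issue cookie
            $cookie[$this->cookieName] = $this->hash;
            return true;
        }
        if ( ! isset($post[$this->tokenName]) OR ! isset($cookie[$this->cookieName])) {
            return false;
        }
        if ( ! hash_equals($cookie[$this->cookieName], $post[$this->tokenName])) {
            return false;                        // constant-time compare
        }
        unset($post[$this->tokenName]);          // same clean-up as CI
        $this->rotate();                         // new hash for the next form
        $cookie[$this->cookieName] = $this->hash;
        return true;
    }
}

$csrf = new CsrfDemo();
$post = array(); $cookie = array();
$csrf->verify($post, $cookie);                   // GET of the login page
$firstToken = $csrf->currentHash();              // what the first form embeds

// Login POST with a wrong password: the CSRF check passes and rotates the
// token; Tank Auth's own validation then fails and the form is shown again.
$post = array('demo_csrf_token' => $firstToken, 'password' => 'wrong');
echo 'first submit:    ', $csrf->verify($post, $cookie) ? 'ok' : 'rejected', "\n";
// Re-posting the SAME token is the failure in the thread; only a form that
// carries the rotated hash gets through.
$post = array('demo_csrf_token' => $firstToken, 'password' => 'right');
echo 'stale re-submit: ', $csrf->verify($post, $cookie) ? 'ok' : 'rejected', "\n";
$post = array('demo_csrf_token' => $csrf->currentHash(), 'password' => 'right');
echo 'fresh re-submit: ', $csrf->verify($post, $cookie) ? 'ok' : 'rejected', "\n";
```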
