wrong csrf cookie name?

I'm setting my csrf cookie and token in config.php as follows:

$config['csrf_token_name'] = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_cookie';

On my dev site, everything works fine. When I view the cookies on my prod site, the cookie is named ci_csrf_token. Why isn't it named csrf_token?

Other cookie config (with domain name changed, but structurally representative).

$config['cookie_prefix']    = "";
$config['cookie_domain']    = ".mydomain.com";
$config['cookie_path']      = "/";
$config['cookie_secure']    = FALSE;


I've had the same problem. When I checked the core "Security" class I noticed it never uses those two config values. In the constructor the cookie prefix is added but it doesn't use the "csrf_token_name" and "csrf_cookie_name" config values.

I added the following two lines to the constructor to solve this:
$this->_csrf_token_name = config_item('csrf_token_name');
$this->_csrf_cookie_name = config_item('csrf_cookie_name');

But this seems to be a bug, no?

Yes, thanks. It's a known bug.

The problem was that I had rolled back to 2.0.1 in my dev environment, but had not yet done so in my prod environment (which isn't actually in production yet).
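A check for the dev/prod mismatch described in this thread, added here as an example (not code from the thread or from CodeIgniter): it reads the configured names from config.php text and compares them with the cookie names a site actually sets. The Set-Cookie values and all helper names are constructed for illustration, and the expected name is assumed to be cookie_prefix followed by csrf_cookie_name.

```python
import re

# Constructed sample: the settings quoted in the thread.
CONFIG_PHP = """
$config['csrf_token_name'] = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_cookie';
$config['cookie_prefix']    = "";
"""
# Constructed Set-Cookie values (token values are placeholders).
DEV_HEADERS = ["csrf_cookie=PLACEHOLDER; path=/; domain=.mydomain.com"]
PROD_HEADERS = ["ci_csrf_token=PLACEHOLDER; path=/; domain=.mydomain.com"]

# Matches quoted string assignments such as: $config['cookie_prefix'] = "";
CONFIG_LINE = re.compile(r"""\$config\[['"](\w+)['"]\]\s*=\s*(['"])(.*?)\2\s*;""")


def parse_config(php_text):
    """Return the string-valued $config entries found in config.php text."""
    return {m.group(1): m.group(3) for m in CONFIG_LINE.finditer(php_text)}


def expected_csrf_cookie(config):
    """Cookie name the settings ask for (assumed: prefix + csrf_cookie_name)."""
    return config.get("cookie_prefix", "") + config["csrf_cookie_name"]


def cookie_names(set_cookie_headers):
    """Each Set-Cookie value starts with name=value; keep only the name."""
    return [h.split(";", 1)[0].split("=", 1)[0].strip() for h in set_cookie_headers]


def check_site(php_text, set_cookie_headers):
    """Compare the configured CSRF cookie name with what the site emitted."""
    want = expected_csrf_cookie(parse_config(php_text))
    seen = cookie_names(set_cookie_headers)
    # Any other cookie with "csrf" in its name means the config was ignored.
    suspects = [n for n in seen if "csrf" in n.lower() and n != want]
    return {"expected": want, "honoured": want in seen, "unexpected": suspects}


if __name__ == "__main__":
    print("dev :", check_site(CONFIG_PHP, DEV_HEADERS))
    print("prod:", check_site(CONFIG_PHP, PROD_HEADERS))
```

Running the same check against each environment after a framework upgrade or rollback shows whether the Security class in that environment honours the configured names.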
