CSRF and disabled cookies
#1

Treeda:
Hi there,

I'm currently facing an issue when you have CSRF enabled but the user has cookies disabled.

The problem is that you cannot react to that. The Security class grabs and verifies the token before you even have the chance to do anything in your controller.

It's very bad to show the user an error message like
"The action you have requested is not allowed."

It should be more like "hey, you need cookies enabled".

This could be done very easily with some kind of a callback to the controllers.
#2

patwork:
Try extending the Security library:

Code:
class MY_Security extends CI_Security
{
    // Overrides CI_Security::csrf_show_error(), which csrf_verify() calls
    // when the submitted token is missing or does not match the cookie.
    public function csrf_show_error()
    {
        echo 'hey, you need cookies enabled';
        exit;
    }
}
#3

Treeda:
Thanks, yes, this is what I did, but I treat this as an imperfect temporary solution... maybe someone has a different suggestion?
#4

Gilles_T:
Hi,

In the middle of my upgrade from 1.7.3 to 2.0.2, I have struggled with this since yesterday and was about to get a headache reading all the clever 50 ways of fixing it, which by the way did not work. Hopefully, I found this link:

net.tutsplus.com/tutorials/php/protect-a-codeigniter-application-against-csrf/

Many thanks to the guys there who clearly explain the why and the how of CSRF.

The solution is to provide the token to the submitted controller via a hidden variable in the requesting view:

Code:
<input type="hidden" name="<?php echo $this->security->csrf_token_name; ?>" value="<?php echo $this->security->csrf_hash; ?>" />

Thus, the controller called by the submit knows that it was activated by a trusted page.

Hope it can help...
Have a good day
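The two posts above describe the two halves of CodeIgniter's check: the hidden field in the view carries the token, and on POST the Security class compares that field with the CSRF cookie before any controller runs, so the only hook left for the cookies-disabled case is the error callback from post #2. The extension below is an added example, not code from this thread or from CodeIgniter, that tells the two failure modes apart: no cookie came back at all (cookies disabled, blocked or expired) versus cookie present but token absent or different (a real cross-site submission, which cannot copy the cookie's value into the field). It assumes CodeIgniter 2.0.x, where csrf_verify() reads $_POST[token name] and $_COOKIE[cookie name] and calls csrf_show_error() on any failure, and it assumes the protected property $_csrf_cookie_name is the name csrf_verify() looks up; the file path and the log and error text are my choices.

```php
<?php
// application/core/MY_Security.php (path assumed for a CI 2.x core extension)
//
// Added example, not code from the thread or from CodeIgniter itself.
// Assumes CodeIgniter 2.0.x: CI_Security::csrf_verify() sets the CSRF cookie
// on non-POST requests, and on POST compares $_POST[token name] with
// $_COOKIE[cookie name], calling csrf_show_error() when either is missing or
// they differ. $_csrf_cookie_name is assumed to be the protected property
// holding the cookie name that csrf_verify() looks up.
if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class MY_Security extends CI_Security
{
    public function __construct()
    {
        parent::__construct();
        log_message('debug', 'MY_Security Class Initialized');
    }

    // csrf_verify() has already run by the time any controller code executes,
    // so this hook is the one place to tell the two failure modes apart.
    public function csrf_show_error()
    {
        if ( ! isset($_COOKIE[$this->_csrf_cookie_name]))
        {
            // The browser returned no CSRF cookie at all. That happens when
            // cookies are disabled or blocked for this site, when the cookie
            // expired (csrf_expire), or on a POST never preceded by a GET that
            // set it. All of these need the same user-facing advice, so keep
            // the message plain and log the detail server-side instead.
            $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '?';
            log_message('debug', 'CSRF cookie missing on POST to '.$uri);

            show_error(
                'This form requires cookies. Please enable cookies for this site, '
                .'reload the page and submit it again.',
                403,
                'Cookies required'
            );
        }

        // The cookie is present, so the POSTed token was absent or different.
        // A page on another origin cannot read this cookie, which is why the
        // hidden field cannot be forged from there: treat it as a real CSRF
        // failure (or a stale form whose cookie has since been replaced).
        // Log it for detection, then keep the stock generic refusal so the
        // response reveals nothing extra.
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        log_message('error', 'CSRF token mismatch from '.$ip);
        parent::csrf_show_error();
    }
}
```

Enable the check with `$config['csrf_protection'] = TRUE;` in application/config/config.php; the hidden field shown in the post above is what csrf_verify() reads, and in 2.0.x the form helper's form_open() inserts that field itself, so hand-written forms are the ones that need it added. The one ambiguity this cannot remove is a legitimate user whose cookie simply expired: they get the cookies message too, which is why it tells them to reload before resubmitting. If all you want is a branded error page rather than a different diagnosis, editing application/errors/error_general.php is enough and needs no extension.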
#5

Treeda:
Ehm, you want to submit the hash along with the check code?
Isn't that something like storing your credit card's PIN right on the card? :)

If I understood that right, this would make CSRF useless...

Still need to read your link... thank you.
#6

Gilles_T:
Not wrong... I must admit!

What is your suggestion then?
#7

Treeda:
Well, see my initial post; I'm looking for suggestions.

My problem was simply that if cookies are not enabled, you fall back to CI's error message and can only override it in the Security class or... yes, doing what? Something more complex? For example an extension of the controller. I'm looking for the experience of others on how to deal with that.

I think most people don't like visible PHP errors, MySQL errors, or even CI default errors on their production sites.



