csrf cookie notice
#1

[eluser]ExWizzard[/eluser]
So I enabled CSRF and extended the csrf_show_error() function, removing the show_error() part, so that when the cookie expires the form will just be submitted again and a new cookie will be generated instead of showing the error. Everything works great, but I get that notice in the log and I'm wondering if there is something wrong or if it is just a harmless notice. I did rename the cookie in the config to csrf_u_cookie.



Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

// application/core/MY_Security.php
class MY_Security extends CI_Security {

    public function __construct()
    {
        parent::__construct();
    }

    // Called by csrf_verify() when the POST token and the cookie are missing
    // or do not match. The default implementation calls show_error(), which
    // exits; this override only logs, so csrf_verify() returns normally and
    // the request goes on to the controller.
    public function csrf_show_error()
    {
        //show_error('The action you have requested is not allowed.' );
        log_message('info', 'CSRF expired');
    }

}



Code:
INFO  - 2012-04-29 15:55:55 --> CSRF expired
ERROR - 2012-04-29 15:55:55 --> Severity: Notice  --> Undefined index: csrf_u_cookie /system/core/Security.php 147
INFO  - 2012-04-29 15:55:55 --> CSRF expired
DEBUG - 2012-04-29 15:55:55 --> CRSF cookie Set
DEBUG - 2012-04-29 15:55:55 --> CSRF token verified
#2

[eluser]vrencianz[/eluser]
Browsers don't send expired cookies to web servers. If such a thing happens then you are a CSRF attack victim or a hacker is trying to re-send an expired cookie (who knows why?).

So, think twice before implementing such functionality :)
#3

[eluser]ExWizzard[/eluser]
Any idea then how I would make it so the user does not see the show_error()? It's kinda "negative" and a user might get upset or something and never come back. I did bump the expire time to 24h.
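An added example, not code from this thread: a csrf_show_error() override that answers the question in #3 (no error page for the user) without the side effect of the override posted in #1. In CodeIgniter 2.x, csrf_verify() calls csrf_show_error() and, because the default show_error() exits, never runs past it. An override that only logs lets csrf_verify() fall through, so the controller handles the POST even though the token did not match and the request is no longer blocked; the log in #1, with "CSRF expired" twice and the undefined-index notice between them, is consistent with both checks in csrf_verify() firing once the first no longer exits. The version below keeps the request blocked but responds with a redirect to a same-origin page carrying a query flag instead of the error page. Assumed: the file lives at application/core/MY_Security.php, base_url is set in config, the csrf_expired query parameter, and the _client_ip() helper name.

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/*
 * application/core/MY_Security.php (assumed location; CodeIgniter 2.x loads
 * core overrides from application/core/ using the configured subclass_prefix).
 *
 * Keeps the request blocked when the CSRF check fails, but replaces the
 * default show_error() page with a redirect back to a same-origin page.
 */
class MY_Security extends CI_Security {

	public function csrf_show_error()
	{
		// Log with enough context to tell a stale cookie apart from a burst
		// of forged requests against one URI.
		log_message('error', sprintf('CSRF check failed: %s %s from %s',
			$_SERVER['REQUEST_METHOD'], $_SERVER['REQUEST_URI'], $this->_client_ip()));

		// The constructor already generated a hash (reusing a valid cookie if
		// one was sent, otherwise a fresh one); send it as a cookie so the form
		// rendered after the redirect carries a token that will validate.
		$this->csrf_set_cookie();

		// Only follow the Referer if it points back into this site. It is a
		// client-supplied header and may be missing or point elsewhere.
		// base_url is assumed to be configured (e.g. http://example.com/).
		$base   = rtrim(config_item('base_url'), '/') . '/';
		$target = $base;
		if (isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], $base) === 0)
		{
			// Drop any query string from the referer; we add our own flag below.
			$target = strtok($_SERVER['HTTP_REFERER'], '?');
		}

		// "csrf_expired=1" is an assumed flag; the view can read it with
		// $this->input->get('csrf_expired') and show a gentle "please resubmit".
		// The session library is not loaded when csrf_verify() runs, so
		// flashdata is not available here, hence a query flag.
		$target .= '?csrf_expired=1';

		// 303: answer the failed POST with a GET of the form page, then stop.
		// Exiting is what keeps the forged or stale request from reaching
		// the controller.
		header('Location: ' . $target, TRUE, 303);
		exit;
	}

	// Best-effort client address for the log line (assumed helper name).
	protected function _client_ip()
	{
		return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	}
}
```

The referer check requires a prefix match against base_url including its trailing slash, so http://example.com.evil.net/ does not match http://example.com/. Whatever page is redirected to, the point is that the override still terminates the request; making the user experience gentler is done by where it sends them, not by letting the request through.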
#4

[eluser]vrencianz[/eluser]
Sorry, I am a bit confused :)

Could you submit some sample code, please? In a normal scenario that error must not

Are you sure that form_open() is used to generate the form tag in your view?
#5

[eluser]ExWizzard[/eluser]
Yes, it's form_open(). If a user uses the form, and then on that same page deletes his cookies (or lets them expire), they will get the error.
#6

[eluser]CroNiX[/eluser]
Not much you can do if a user chooses to delete their cookies while in session... 99.99999% of visitors wouldn't ever do that.
#7

[eluser]skunkbad[/eluser]
If somebody goes to your page with the form, then waits so long to submit the form that they have problems with cookie expiration, then that's not really your problem. If you are worried about it, maybe you can use JavaScript to put a click event on all form elements, test if the cookie has expired, then alert the user that their form will not post correctly and to refresh the page (or log in). Another idea would be to put a monitor on the page letting the user know that their session was going to expire, and if it expires they get redirected somewhere.
#8

[eluser]ExWizzard[/eluser]
Thanks for the good suggestions



