csrf_protection in codeigniter 2.0.2

#1
[eluser]zoreli[/eluser]
Hi everyone

I have simple login form in codeigniter (2.0.2). Frequently the following error is displayed:

An Error Was Encountered
The action you have requested is not allowed.


After a short research I understand that it is a security issue connected with csrf_protection.

In the config file my setting is the following:

Code:
$config['csrf_protection'] = TRUE;

My login form is open and closed with use of short tags, like this:

Code:
<?= form_open("/mycontroller/checklogin/process", array("method"=>"post","class"=>"login_form")) ?>

and I am closing the form like this:

Code:
<?= form_close() ?>

Reading on this forum for similar issues I found this solution, which, when I implemented it, didn't solve my problem:

Code:
<?=form_hidden($this->security->get_csrf_token_name(), $this->security->get_csrf_hash());?>

The error remains. I am not checking this hidden field in my controller... I have no idea, should I?

I also do not run form validation library in my controller. Should I?

Any help will be deeply appreciated.

Regards, Zoreli

#2
[eluser]InsiteFX[/eluser]
I added this to my controller:
Code:
$data = array(
    'csrf_hash' => $this->security->get_csrf_hash(),
    'csrf_name' => $this->security->get_csrf_token_name()
);

And changed the hidden form field in my view to this:

Code:
<input type="hidden" name="<?php echo $csrf_name; ?>" value="<?php echo $csrf_hash; ?>" />

#3
[eluser]zoreli[/eluser]
Hi

I placed the code and it seemed to work well, until I tested it with Opera. As soon as I did that, bam, the nasty error message was displayed. I am getting lost now, really...

After some additional testing I noticed that the message is shown only if you are trying to log in for the first time and haven't logged in earlier. Once the cookie has been placed on your computer it works; before that, you get the error message.

Regards, Zoreli

#4
[eluser]InsiteFX[/eluser]
Nope, I check all my code using IE9, Firefox 13 and Chrome. I did hear that Opera was having a lot of problems along with Chrome.

Run Chrome and check the top of these forums.

#5
[eluser]zoreli[/eluser]
Hi

I didn't understand this part:

[quote author="InsiteFX" date="1342055792"]
Run Chrome and check the top of these forums.
[/quote]

Well I am using Chrome right now. Top of which forums?

Regards, Zoreli

#6
[eluser]InsiteFX[/eluser]
These forums, look at the top red area with the advanced search.

#7
[eluser]zoreli[/eluser]
Hi

After long testing... I am getting the error from time to time in all browsers.

That is happening when I clear the cache and history. Then I get the error in any browser.

My settings in the config are the following:

Code:
$config['csrf_protection'] = TRUE;

$config['csrf_token_name'] = 'one';
$config['csrf_cookie_name'] = 'two';
$config['csrf_expire'] = 7200;

I placed the following code in the controller:

Code:
$data = array(
    'csrf_hash' => $this->security->get_csrf_hash(),
    'csrf_name' => $this->security->get_csrf_token_name()
);

Printing both variables returns the following:

ci_csrf_token
b8c3ab208e59e08228f3b93ad3f38ffa

Any help will be deeply appreciated.

Regards, Zoreli

#8
[eluser]JoostV[/eluser]
When you clear cache and history you may well delete all session cookies as well. Did you check that the session started correctly before the first post? If not, the token is not stored in the session correctly.

You can easily check if this is the case. Open Firefox and go to the post page; delete all cookies using the Web Developer toolbar; load the page again; check if a session cookie has been set using the Web Developer toolbar.
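As an added illustration (not CodeIgniter's own code and not code from any poster in this thread), here is a minimal double-submit-cookie check in the style of the CI 2.0.x Security class: the hidden field and the cookie must both be present and equal, so a form that was rendered before the cookies were cleared is rejected on submit. The constant values mirror the config keys shown above; the helper names and the simulated request arrays are assumptions for the walk-through.

```php
<?php
// Added example, not CodeIgniter's Security class. Constants mirror the
// thread's config: csrf_token_name, csrf_cookie_name, csrf_expire.
const CSRF_TOKEN_NAME  = 'one';
const CSRF_COOKIE_NAME = 'two';
const CSRF_EXPIRE      = 7200;   // seconds

/**
 * Token to embed in the form. Reuse the browser's existing CSRF cookie if it
 * holds a well-formed value; otherwise mint a fresh one and queue a Set-Cookie.
 * $cookies stands in for $_COOKIE; $setCookies collects cookies to be sent.
 */
function csrf_get_hash(array $cookies, array &$setCookies): string
{
    $existing = $cookies[CSRF_COOKIE_NAME] ?? '';
    if (preg_match('/^[0-9a-f]{32}$/', $existing)) {
        return $existing;
    }
    $hash = bin2hex(random_bytes(16));   // assumption: CSPRNG, 32 hex chars
    $setCookies[CSRF_COOKIE_NAME] = ['value' => $hash, 'expires' => time() + CSRF_EXPIRE];
    return $hash;
}

/**
 * Verify a POST. Rejecting when either side is missing is the branch that
 * yields "The action you have requested is not allowed." after cookies are
 * cleared: the cached form still carries a token, but no cookie backs it.
 */
function csrf_verify(array $post, array $cookies): bool
{
    if (!isset($post[CSRF_TOKEN_NAME], $cookies[CSRF_COOKIE_NAME])) {
        return false;
    }
    // Constant-time comparison of the two submitted copies of the token.
    return hash_equals((string) $cookies[CSRF_COOKIE_NAME], (string) $post[CSRF_TOKEN_NAME]);
}

// Constructed walk-through of the three situations described in the thread.
$toSend = [];
$hash   = csrf_get_hash([], $toSend);   // first visit: no cookie yet, one is minted
$field  = '<input type="hidden" name="' . CSRF_TOKEN_NAME
        . '" value="' . htmlspecialchars($hash, ENT_QUOTES) . '" />';

$cases = [
    'cookie and field match'          => csrf_verify([CSRF_TOKEN_NAME => $hash], [CSRF_COOKIE_NAME => $hash]),
    'field present, cookie cleared'   => csrf_verify([CSRF_TOKEN_NAME => $hash], []),
    'cookie present, field tampered'  => csrf_verify([CSRF_TOKEN_NAME => 'x'],   [CSRF_COOKIE_NAME => $hash]),
];
foreach ($cases as $label => $ok) {
    echo str_pad($label, 32), $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

Only the first case is accepted; checking the Set-Cookie header on the very first GET (as the post above suggests) confirms whether the browser ever received the cookie half of the pair.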

#9
[eluser]CroNiX[/eluser]
[quote author="InsiteFX" date="1342056890"]These forums look at the top red area with the advanced search.
[/quote]
Looks fine to me.
Chrome (Win7/64) 20.0.1132.57 m

#10
[eluser]InsiteFX[/eluser]
I am running the same version as you, CroNiX, and the blue advanced search button drops below the input box; also the username and password / forgot password line is dropping down a line.

But it works fine in IE9 and Firefox 13.
