• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Weird CSRF Problem

#1
[eluser]srpurdy[/eluser]
Hi,

I'm having a weird issue with CSRF and paypal. I know there is other topics about this, but for some reason none of them actually work properly.

For Example:
If you have a CSRF Enabled Application with paypal. Paypal IPN will fail. This is obvious to me.

Their is a couple of solutions the main one is code like this.
Code:
if(stripos($_SERVER["REQUEST_URI"],'/paypal') === FALSE)
  {
  $config['csrf_protection'] = TRUE;
  }
else
  {
  $config['csrf_protection'] = FALSE;
  }

Now in the first example if you do a paypal transaction you would get an error like "This Action is not allowed"

With the above code in the config file. I don't get this error message. However every single time the IPN fails. The status returns as from what I can tell blank. Which I guess triggers a failed event.

I know it works as it does work without CSRF Enabled. So My question is why would it fail. What could cause the IPN to fail in this situation. Since it seems CSRF is off because I don't get any error message. The weird thing is I had this working fine several months ago, and suddenly (maybe in the latest CI Version) this has changed. (I think 2.1.0 it worked fine). The weird part is I do get back the correct information in my log from paypal just that the status comes back as failed.

I have a feeling it has something to do with fsockopen() which is called in a library so it doesn't have a controller where that action takes place. Obviously it has something to do with CSRF But I can't seem to disable it where it needs to be disable apparently.

Any suggestions?


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.