CSRF makes problem on search page

#1
Hey guys,

I've created a search engine for my project and CSRF_protection is TRUE for the whole project.
In the menu bar I have login and signup buttons, which need CSRF for the action.

I've disabled CSRF for the search page because users will search for a few things and then maybe a user wants to click the previous button (in the browser) to see the previous search. If CSRF is TRUE it will show the error page and I don't want that.
I disabled CSRF for only the search page like this:
PHP Code:
// Split the request URI into segments and look at the last one
$last_segment = explode('/', $_SERVER["REQUEST_URI"]);
if (end($last_segment) === 'results')
{
    $config['csrf_protection'] = FALSE;
}
else
{
    $config['csrf_protection'] = TRUE;
}

Now after doing this my login and signup don't work because CSRF is FALSE.

Who can help me with this, to have search "without" CSRF and login/signup "with" CSRF?

Thanks
Reply

#2
Hello

I would say there is no need to use the code snippet you posted. Just enable CSRF protection in your config file and set 'csrf_exclude_uri' as required.

http://www.codeigniter.com/userguide3/li...rgery-csrf

Hope this helps!
Reply

#3
Thanks for the reply,

I didn't get what I wanted, maybe I did it wrong.
Here is what I did:
PHP Code:
$config['csrf_exclude_uris'] = array('http://localhost/index.php/search/results'); 
But it seems CSRF is still enabled for my search form!

What I'm doing is:
(page1) Search1: test one
(page2) Search2: test two

When I go back to the search1 page by clicking the previous button in the browser, I want to search again:
(page1) Search3: test tree
Then I'll get this:
Code:
An Error Was Encountered
The action you have requested is not allowed.

What I need is the search box working without CSRF and the login link working with CSRF!
Reply
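
Added example (not code from any poster in this thread or from the CodeIgniter project): a stand-alone PHP sketch of how CodeIgniter 3.x is understood to compare `csrf_exclude_uris` entries with a request, as anchored patterns tested against the routed URI string rather than the full URL. The request list and the pagination pattern are constructed for illustration.

```php
<?php
// Approximation (assumption) of the CodeIgniter 3.x exclusion check:
// each entry is an anchored, case-insensitive pattern matched against
// the URI string (e.g. "search/results"), not the scheme/host/index.php.
function is_csrf_excluded(array $exclude_uris, string $uri_string): bool
{
    foreach ($exclude_uris as $excluded) {
        if (preg_match('#^' . $excluded . '$#i', $uri_string) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed requests: URI strings as the framework sees them after
// the base URL and index.php have been stripped.
$requests = ['search/results', 'search/results/2', 'user/login', 'user/signup'];

$configs = [
    'full URL (as in post #3)' => ['http://localhost/index.php/search/results'],
    'URI string'               => ['search/results'],
    'URI string + page number' => ['search/results(/[0-9]+)?'], // hypothetical pagination segment
];

foreach ($configs as $label => $exclude_uris) {
    echo $label, PHP_EOL;
    foreach ($requests as $uri) {
        $state = is_csrf_excluded($exclude_uris, $uri) ? 'CSRF skipped' : 'CSRF enforced';
        printf("  %-18s %s\n", $uri, $state);
    }
}

// Corresponding values for application/config/config.php:
// $config['csrf_protection']   = TRUE;
// $config['csrf_exclude_uris'] = array('search/results');
```

With the full-URL entry nothing matches, so the search form is still checked; with the URI-string entry only the search route is skipped and login/signup remain protected.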

#4
Hi! Why don't you just use GET for search? Then you will not have CSRF protection and problems with it :)
Reply

#5
(12-13-2015, 05:20 AM)scion Wrote: Hi! Why don't you just use GET for search? Then you will not have CSRF protection and problems with it :)

I'm trying to find a solution for this question, not bypass the question. Of course GET is okay, but this is my challenge that I want to do :)
Reply

#6
Any idea?
Reply

