[PaulC]

Hi Team - I'm a novice so please be gentle!

I am helping maintain a CI 2.2 installed website and am trying to get a callback working from a 3rd party (Webpurify)

I can see the response in the apache2 log (running on Ubuntu), and I have added a route so that the function parameter is correctly interpreted.

However, the code (php) is never called.

If I copy the callback URL and paste it into my browser, it works! (ie the post processing code works fine and I get a DB update etc.)

I suspect .htaccess but if it works from my browser I'm not convinced.

I also noticed in the apache2 log that when the http GET data is suffixed by a brwoser list it seems to work and when it is suffixed by "Webpurify(callback)" it fails. Is there somewhere in CI I need to tel it to accept this callback?

Any help greatly appreciated,

Thanks, Paul

[Martin7483]

Is the website using CSRF protection? If so, that is the reason for the callback not running. The 3rd party is calling the URL without the token and thus the page call will fail.

[PaulC]

Is the website using CSRF protection? If so, that is the reason for the callback not running. The 3rd party is calling the URL without the token and thus the page call will fail.

Thanks Martin for the suggestion. I had to look it up ...

So I checked the installed Apache2 modules and CSRFProtector is not installed.
I believe we have a vanilla Ubuntu 14.02 so unless there is something else within the OS I'm pretty sure this is not the cause.

Any other ideas please?

Or just in case how would I enable an exception?

Cheers

[PaulC]

Hi Team, I still have hit a brick wall with this.
I have played with .htaccess a bit without success.
I cannot see why apache2 would ignore my callback user-agent "WebPurify(callback)" - there appears to be loads of stuff on how to allow/deny specific user-agents but I cannot see why this is anything to do with my problem as posting the callback URL into my browser makes it all work ok.
How do I trace the posting of the GET data to whether or not CI starts a session or not? I can enable profiling in the controller but this is a background process so how would I see it?
Any pointers appreciated, thx

[dave friend]

The reference to CSRF has to do with your CodeIgniter configuration and with how you are calling the callback. The reference is not about server configuration. Is the call done through AJAX using POST?

[Martin7483]

The reference to CSRF has to do with your CodeIgniter configuration and with how you are calling the callback. The reference is not about server configuration.  Is the call done through AJAX using POST?

What he said

If your CI is setup using CSRF protection then the callback could be failing because of the missing CSRF token. When using CSRF in CodeIgniter, CodeIgniter will add a hidden form element with the CSRF token set in it. On every POST call CodeIgniter will check if the CSRF token is present and still valid. A lot of 3rd party applications use CURL POST call to execute the callback URI.

Check your CI config ./application/config/config.php and look for line 469

PHP Code:

$config['csrf_protection'] = ...; 


If set to TRUE then this is probably what is causing your problem.

You can add the callback URI to the exclude uri array and it all should work.

PHP Code:

$config['csrf_exclude_uris'] = array(); 


[Suresh_Kuppam]

You can add the callback Url by excluding the url array and it all should work with the PHP.

$config['csrf_exclude_uris'] = array();

[PaulC]

Thanks for all comments. I have been working on this for quite soime time now.

The csrf setting is false. (against best advice - so something else on the list).

I have been tracing rewrite rules and as far as I can see in the logs the callback url (uri?) is being processed the same way as me pasting it into my browser. However, the paste method kicks off a CI session whilst the callback does not.

I have just been looking into the php logs I have and I noticed a comment "Session cookie could not be found". Looking at the various other sess-* config items we seem to have $config['sess_match_useragent']    = true;

I confess I don't fully understand the importance or not of the session, so a few questions:

1) Could the fact that the callback doesn't have any session context be causing CI to ignore it?
2) Its very unlikely the 3rd party issuing the callback will store our cookie, so could this be the problem?
3) How do I allow some sort of exception?

Just for info this is a typical callback as logged by apache2:

166.78.8.185 - - [11/Apr/2017:20:39:42 +0100] "GET /moderation/image_callback/1142?imgid=1a4a73bb9a0bc5f34658fc2c9f915f30&status=1 HTTP/1.1" 301 648 "-" "WebPurify(callback)"

moderation.php is a controller, image_callback a function, 1142 a single parameter, and when CI works it processes the 2 values.

Thanks again Paul

[dave friend]

Just for info this is a typical callback as logged by apache2:

166.78.8.185 - - [11/Apr/2017:20:39:42 +0100] "GET /moderation/image_callback/1142?imgid=1a4a73bb9a0bc5f34658fc2c9f915f30&status=1 HTTP/1.1" 301 648 "-" "WebPurify(callback)"

Based on the above we can definitely rule out CSRF. The callback is via GET and CSRF is only considered for POST requests.

The 301 after "HTTP/1.1" indicates the request is a redirect. That could well be due to .htaccess actions. But since you say that with an actual callback from Webpurify the method runs but does not produce the desired result it is unlikely that .htaccess is the problem.

If the callback requires access to session data that may be why the work doesn't get done. On further thought, if session data is involved that's very likely the problem.

Consider posting your session and cookie config settings - someone might spot a setup problem.

If you're not setup with xdebug so you can step through execution line by line then the CI function log_message can be your friend. Put calls like this in the callback to check on items of interest.

PHP Code:

log_message('error', 'Variable X has a valueof:'. var_export($X, TRUE)); 


Or, if you just want to note certain point is reach in a method

PHP Code:

log_message('error', "About to call function doStuff");
//doStuff is called, did it return?
log_message('error', "doStuff returned and set var x to:".var_export($x, TRUE)); 


Hope this helps.

[ryanjoseph]

I have been seeing a similar problem: The callback url IS being accessed, but somehow between last night and this morning, the callback has stopped posting the required JSON. No change had been made to my url code, until after the problem was detected, and even then it was simply changed to dump the posted contents, for debugging: nothing came up.

This is a somewhat urgent problem, because now none of our archives are being processed appropriately. What can we do?

Thank you...