Login

alex3410 · 01-24-2018, 04:48 AM

Hey guys,

I am really hoping you can help me get to the bottom of this, I have messed around with CI before but this is the first time I am actually trying to build a site with it. I have had some teething issues but have been able to find solutions to them but this one really has me stumped.

I am trying to add a form to a page (search bar) and have been getting various errors, the latest one is:

Quote:Invalid CSRF token.

this occurs when you try and submit the form, i have tried multiple 'fixes' via googling but nothing seems to do the trick my latest code is:

head.php - header of the site loading the search bar into the top of each page

Code:
   <!-- Start Searchbox -->

    <form class="searchform" method="POST" action="<?php echo site_url('stock/search');?>">

      <input type="text" class="searchbox" id="searchbox" name="searchTerm" placeholder="Search">

      <span class="searchbutton"><i class="fa fa-search"></i></span>

      <input type="hidden" name="<?php echo $this->security->get_csrf_token_name();?>" value="<?php echo $this->security->get_csrf_hash();?>">

    </form>

    <!-- End Searchbox -->

config.php

Code:
*/

$config['csrf_protection'] = TRUE;

$config['csrf_token_name'] = 'MLLTokenName';

$config['csrf_cookie_name'] = 'MLLCookieName';

$config['csrf_expire'] = 7200;

$config['csrf_regenerate'] = FALSE;

$config['csrf_exclude_uris'] = array();

/*

I am really hoping I have done something simple & obviously wrong because it can't be this hard to insert a simple form into a CI page & i am just starting to get to grips with CI so its frustrating to be stuck on something like this.

Thank you for any help with this

all the best

Alex3410

dave friend · 01-24-2018, 06:51 AM

I'm not seeing any reason why that won't work. Maybe the cookie config is not right. Can you show those $config settings too?

alex3410 · 01-24-2018, 06:59 AM

Code:
$config['cookie_prefix']    = '';

$config['cookie_domain']    = '.mylocolist.com';

$config['cookie_path']        = '/';

$config['cookie_secure']    = FALSE;

$config['cookie_httponly']     = FALSE;

Thank you for your help with this

Cobblestone · 01-24-2018, 07:35 AM

When you use the form_open() helper of codeigniter and CSRF is enabled it will automatically add the hidden field with the CSRF code.

No need to enter the whole ...

Code:
<form class="searchform" method="POST" action="<?php echo site_url('stock/search');?>">

[color=#333333][font=monospace]     <input type="text" class="searchbox" id="searchbox" name="searchTerm" placeholder="Search">[/font][/color]

[color=#333333][font=monospace]     <span class="searchbutton"><i class="fa fa-search"></i></span>[/font][/color]

     <input type="hidden" name="<?php echo $this->security->get_csrf_token_name();?>" value="<?php echo $this->security->get_csrf_hash();?>">

just use

Code:
echo form_open(site_url('stock/search'));

echo "     <input type="text" class="searchbox" id="searchbox" name="searchTerm" placeholder="Search">

     <span class="searchbutton"><i class="fa fa-search"></i></span>";

or something along those lines.
This might not be your solution but could get rid of potential wrong csrf numbers

alex3410 · 01-24-2018, 08:09 AM

PHP Code:
   <?php echo form_open(site_url('stock/search')); ?>

      <input type="text" class="searchbox" id="searchbox" name="searchTerm" placeholder="Search">

<?php echo form_close();?>

Gives the same error:

Quote:Invalid CSRF token.

I have noticed that if I get the above error and hit refresh I get:

Quote:An Error Was Encountered

The action you have requested is not allowed.

looking in the log file, i can't see anything to indicate whats going wrong:

Quote:INFO - 24-01-2018 15:06:43 --> Config Class Initialized
INFO - 24-01-2018 15:06:43 --> Hooks Class Initialized
DEBUG - 24-01-2018 15:06:43 --> UTF-8 Support Enabled
INFO - 24-01-2018 15:06:43 --> Utf8 Class Initialized
INFO - 24-01-2018 15:06:43 --> URI Class Initialized
INFO - 24-01-2018 15:06:43 --> Router Class Initialized
INFO - 24-01-2018 15:06:43 --> Output Class Initialized
INFO - 24-01-2018 15:06:43 --> Security Class Initialized
DEBUG - 24-01-2018 15:06:43 --> Global POST, GET and COOKIE data sanitized
INFO - 24-01-2018 15:06:43 --> CSRF cookie sent

Thank you for your help so far, it really has stumped me!

dave friend · 01-24-2018, 09:22 AM

It's good to test using form_open() and see that the problem persists. Your code for manually adding the hidden field looks perfectly valid to me so I would have been very surprised if form_open() did the trick.

All your $config values look solid too.

Are you using a standard http for the submit. Guess what I'm really asking is you're not using javascript to capture the submit event and posting via ajax or something are you?

Have you used the browser's web tool (or developer tool, or whatever) to look at what cookies are set, what the request headers look like, etc?

alex3410 · 01-24-2018, 01:11 PM

it is just a standard page i am not using JS for the form at all. (its why I am so frustrated with it)

The cookies set are:
Name:
MLLCookieName

Value:
d6f58cab651a4768600ee07f7a335b4b

Domain:
.mylocolist.com

Name:
PHPSESSID

Value:
34bd8t1eqmch09t53csk5pvdh7

Domain:
mylocolist.com

Edit:
If i set

Code:
$config['csrf_regenerate'] = FALSE;

It always comes up with: Invalid CSRF token.

if i set it to TRUE then i get:
Invalid CSRF token.

but if i refresh the page (resubmitting the form) i get

Code:
An Error Was Encountered

The action you have requested is not allowed.

And the value of MLLCookieName changes on each refresh

any thoughts?

Edit 2:
setting csrf_protection to FALSE or adding URL to csrf_exclude_uris also gives the error

Code:
Invalid CSRF token.

dave friend · 01-24-2018, 06:00 PM

When

PHP Code:
$config['csrf_regenerate'] = TRUE; 

It would be normal for the value of MLLCookieName to change after each POST request.
I'd say leave that config set to FALSE until it can be determined why things don't work.

The fact that you're still getting the error even after adding the URL to 'csrf_exclude_uris' is really suspicious.
According to the html you show that config should look like this

PHP Code:
$config['csrf_exclude_uris'] = array('stock/search'); 

If that's the setting (and that is the controller/method that actually handles the form) then CSRF checking should be completely bypassed.
That makes me wonder if the "search" method is doing some kind of check on its own (it shouldn't be) or if there
is a "hook" that is messing about with the CSRF.

To the best of my knowledge there isn't any error message with the exact text "Invalid CSRF token" in the CI core. So that kind of points to some custom code.

Or, maybe an old version? What version are you working with?

alex3410 · 01-25-2018, 02:51 AM

Quote:To the best of my knowledge there isn't any error message with the exact text "Invalid CSRF token" in the CI core. So that kind of points to some custom code.

Your absolutely correct, I had integrated an off the shelf login system at the start of the project - after a lot of troubleshooting your comment pointed me in the right direction and it was this login system I was autoloading in via a custom library that was causing the conflict.

When I installed it I tested it but it didn't present an issue until now.

Removing it altogether solved the issue!

Thank you for your help with this I really do appreciate it - its always so obvious when you finally get to the bottom of it. A good learning experience I suppose Tongue

What I need to do now is find a login/authentication system that works natively with CI.

Thank you again

**InsiteFX** · 01-25-2018, 04:48 AM

You can use either Community Auth or Ion Auth both are good with CodeIgniter.

What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009. ( Skype: insitfx )