Invalid CSRF token when submitting a form

#1
Hey guys,

I am really hoping you can help me get to the bottom of this. I have messed around with CI before, but this is the first time I am actually trying to build a site with it. I have had some teething issues but have been able to find solutions to them; this one really has me stumped.

I am trying to add a form to a page (search bar) and have been getting various errors, the latest one is:
Quote: Invalid CSRF token.

This occurs when you try and submit the form. I have tried multiple 'fixes' via googling but nothing seems to do the trick. My latest code is:

head.php - header of the site loading the search bar into the top of each page

Code:
   <!-- Start Searchbox -->
   <form class="searchform" method="POST" action="<?php echo site_url('stock/search');?>">
     <input type="text" class="searchbox" id="searchbox" name="searchTerm" placeholder="Search">
     <span class="searchbutton"><i class="fa fa-search"></i></span>
     <input type="hidden" name="<?php echo $this->security->get_csrf_token_name();?>" value="<?php echo $this->security->get_csrf_hash();?>">
   </form>
   <!-- End Searchbox -->


config.php
Code:
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'MLLTokenName';
$config['csrf_cookie_name'] = 'MLLCookieName';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = FALSE;
$config['csrf_exclude_uris'] = array();


I am really hoping I have done something simple & obviously wrong, because it can't be this hard to insert a simple form into a CI page. I am just starting to get to grips with CI, so it's frustrating to be stuck on something like this.


Thank you for any help with this

all the best

Alex3410

#2
I'm not seeing any reason why that won't work. Maybe the cookie config is not right. Can you show those $config settings too?

#3
Code:
$config['cookie_prefix']   = '';
$config['cookie_domain']   = '.mylocolist.com';
$config['cookie_path']     = '/';
$config['cookie_secure']   = FALSE;
$config['cookie_httponly'] = FALSE;


Thank you for your help with this

#4
When you use the form_open() helper of CodeIgniter and CSRF is enabled, it will automatically add the hidden field with the CSRF code.

No need to enter the whole ...
Code:
<form class="searchform" method="POST" action="<?php echo site_url('stock/search');?>">
     <input type="text" class="searchbox" id="searchbox" name="searchTerm" placeholder="Search">
     <span class="searchbutton"><i class="fa fa-search"></i></span>
     <input type="hidden" name="<?php echo $this->security->get_csrf_token_name();?>" value="<?php echo $this->security->get_csrf_hash();?>">

just use
Code:
// form_open() emits the <form> tag and, with CSRF enabled, the hidden token field
echo form_open(site_url('stock/search'));

// single quotes so the HTML attribute quotes do not terminate the PHP string
echo '     <input type="text" class="searchbox" id="searchbox" name="searchTerm" placeholder="Search">

     <span class="searchbutton"><i class="fa fa-search"></i></span>';

echo form_close();

or something along those lines.
This might not be your solution but could get rid of potential wrong CSRF numbers.

#5
PHP Code:
<?php echo form_open(site_url('stock/search')); ?>
   <input type="text" class="searchbox" id="searchbox" name="searchTerm" placeholder="Search">
<?php echo form_close(); ?>


Gives the same error:
Quote: Invalid CSRF token.



I have noticed that if I get the above error and hit refresh I get:
Quote: An Error Was Encountered

The action you have requested is not allowed.


Looking in the log file, I can't see anything to indicate what's going wrong:
Quote: INFO - 24-01-2018 15:06:43 --> Config Class Initialized
INFO - 24-01-2018 15:06:43 --> Hooks Class Initialized
DEBUG - 24-01-2018 15:06:43 --> UTF-8 Support Enabled
INFO - 24-01-2018 15:06:43 --> Utf8 Class Initialized
INFO - 24-01-2018 15:06:43 --> URI Class Initialized
INFO - 24-01-2018 15:06:43 --> Router Class Initialized
INFO - 24-01-2018 15:06:43 --> Output Class Initialized
INFO - 24-01-2018 15:06:43 --> Security Class Initialized
DEBUG - 24-01-2018 15:06:43 --> Global POST, GET and COOKIE data sanitized
INFO - 24-01-2018 15:06:43 --> CSRF cookie sent



Thank you for your help so far, it really has stumped me!

#6
It's good to test using form_open() and see that the problem persists. Your code for manually adding the hidden field looks perfectly valid to me so I would have been very surprised if form_open() did the trick.

All your $config values look solid too.

Are you using a standard HTTP submit? I guess what I'm really asking is: you're not using JavaScript to capture the submit event and posting via AJAX or something, are you?

Have you used the browser's web tool (or developer tool, or whatever) to look at what cookies are set, what the request headers look like, etc?

#7
It is just a standard page; I am not using JS for the form at all (it's why I am so frustrated with it).

The cookies set are:

Name: MLLCookieName
Value: d6f58cab651a4768600ee07f7a335b4b
Domain: .mylocolist.com

Name: PHPSESSID
Value: 34bd8t1eqmch09t53csk5pvdh7
Domain: mylocolist.com



Edit:
If I set
Code:
$config['csrf_regenerate'] = FALSE;
it always comes up with: Invalid CSRF token.

If I set it to TRUE then I get:
Invalid CSRF token.

but if I refresh the page (resubmitting the form) I get

Code:
An Error Was Encountered
The action you have requested is not allowed.

and the value of MLLCookieName changes on each refresh.

Any thoughts?

Edit 2:
Setting csrf_protection to FALSE or adding the URL to csrf_exclude_uris also gives the error
Code:
Invalid CSRF token.

#8
When

PHP Code:
$config['csrf_regenerate'] = TRUE;

It would be normal for the value of MLLCookieName to change after each POST request.
I'd say leave that config set to FALSE until it can be determined why things don't work.

The fact that you're still getting the error even after adding the URL to 'csrf_exclude_uris' is really suspicious.
According to the HTML you show, that config should look like this

PHP Code:
$config['csrf_exclude_uris'] = array('stock/search'); 

If that's the setting (and that is the controller/method that actually handles the form) then CSRF checking should be completely bypassed.
That makes me wonder if the "search" method is doing some kind of check on its own (it shouldn't be) or if there is a "hook" that is messing about with the CSRF.

To the best of my knowledge there isn't any error message with the exact text "Invalid CSRF token" in the CI core. So that kind of points to some custom code.

Or, maybe an old version? What version are you working with?
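The mechanics behind this post (why the cookie rotates after every POST with csrf_regenerate = TRUE, why a refreshed submit then fails, why an entry in csrf_exclude_uris skips the check, and what text the core failure actually carries) and behind #4's remark that form_open() emits the hidden field, shown as an added stand-alone PHP model. This is not CodeIgniter's own code: the function names (csrf_prepare_get, csrf_hidden_field, csrf_verify), the CSRF_ERROR constant and the simulated browser session are assumptions made for the example; the config keys and values are the ones from this thread.

```php
<?php
// Added example, not CodeIgniter's code: a stand-alone model of CI3's
// cookie-vs-hidden-field CSRF check. Run with: php csrf_demo.php
// Function names, constants and the simulated session are assumptions.

$config = [
    'csrf_protection'   => TRUE,
    'csrf_token_name'   => 'MLLTokenName',
    'csrf_cookie_name'  => 'MLLCookieName',
    'csrf_regenerate'   => FALSE,
    'csrf_exclude_uris' => [],
];

// Text CI's core shows when the check fails (post #7 saw exactly this on refresh).
const CSRF_ERROR = 'The action you have requested is not allowed.';

// Fresh 32-hex-character token; a CSPRNG is used here (assumption, not CI's generator).
function csrf_new_hash(): string
{
    return bin2hex(random_bytes(16));
}

// Server side of a GET: make sure the browser holds a well-formed token cookie.
function csrf_prepare_get(array $config, array &$cookie): string
{
    $name = $config['csrf_cookie_name'];
    if (!isset($cookie[$name]) || !preg_match('#^[0-9a-f]{32}$#iS', $cookie[$name])) {
        $cookie[$name] = csrf_new_hash();
    }
    return $cookie[$name];
}

// What form_open() appends when CSRF protection is on: a hidden input named
// csrf_token_name carrying the same value as the cookie.
function csrf_hidden_field(array $config, string $hash): string
{
    return sprintf('<input type="hidden" name="%s" value="%s" />',
        htmlspecialchars($config['csrf_token_name'], ENT_QUOTES),
        htmlspecialchars($hash, ENT_QUOTES));
}

// Server side of a POST. Returns NULL when the request is accepted, otherwise
// the core error text. $cookie is by reference because a pass may rotate it.
function csrf_verify(array $config, string $uri, array $post, array &$cookie): ?string
{
    if (!$config['csrf_protection']) {
        return NULL;
    }
    // Whitelisted URIs skip the check entirely (treated as a regex, as in CI).
    foreach ($config['csrf_exclude_uris'] as $excluded) {
        if (preg_match('#^' . $excluded . '$#i', $uri)) {
            return NULL;
        }
    }
    $t = $config['csrf_token_name'];
    $c = $config['csrf_cookie_name'];
    if (!isset($post[$t], $cookie[$c])
        || !is_string($post[$t]) || !is_string($cookie[$c])
        || !preg_match('#^[0-9a-f]{32}$#iS', $post[$t])
        || !hash_equals($cookie[$c], $post[$t])) {
        return CSRF_ERROR;
    }
    // With csrf_regenerate TRUE the cookie changes after every accepted POST,
    // so a reload that resubmits the old hidden field no longer matches.
    if ($config['csrf_regenerate']) {
        $cookie[$c] = csrf_new_hash();
    }
    return NULL;
}

// --- Simulated browser session (constructed data) ---------------------------
$browserCookies = [];

$hash = csrf_prepare_get($config, $browserCookies);   // GET the page with the form
$post = ['searchTerm' => 'widgets', $config['csrf_token_name'] => $hash];

echo "Hidden field: ", csrf_hidden_field($config, $hash), "\n";
echo "Submit (regenerate FALSE): ",
     csrf_verify($config, 'stock/search', $post, $browserCookies) ?? 'OK', "\n";

$config['csrf_regenerate'] = TRUE;
echo "Submit (regenerate TRUE):  ",
     csrf_verify($config, 'stock/search', $post, $browserCookies) ?? 'OK', "\n";
echo "Refresh, same POST, rotated cookie: ",
     csrf_verify($config, 'stock/search', $post, $browserCookies) ?? 'OK', "\n";

$config['csrf_exclude_uris'] = ['stock/search'];
echo "Same refresh with the URI excluded: ",
     csrf_verify($config, 'stock/search', $post, $browserCookies) ?? 'OK', "\n";
```

The third call is the refresh scenario from post #7: the browser resubmits the hidden field it rendered earlier, but the cookie was rotated by the accepted submit, so the comparison fails with the core message rather than with "Invalid CSRF token". The last call shows that an exclusion entry short-circuits before any comparison, which is why a different error surviving that setting points at code outside the CSRF check.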

#9
Quote: To the best of my knowledge there isn't any error message with the exact text "Invalid CSRF token" in the CI core. So that kind of points to some custom code.

You're absolutely correct. I had integrated an off-the-shelf login system at the start of the project; after a lot of troubleshooting, your comment pointed me in the right direction, and it was this login system, which I was autoloading via a custom library, that was causing the conflict.

When I installed it I tested it but it didn't present an issue until now.

Removing it altogether solved the issue!

Thank you for your help with this, I really do appreciate it. It's always so obvious when you finally get to the bottom of it. A good learning experience, I suppose.

What I need to do now is find a login/authentication system that works natively with CI.

Thank you again

#10
You can use either Community Auth or Ion Auth; both are good with CodeIgniter.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )

