Welcome Guest, Not a member yet? Register   Sign In
csrf token and cookie

I am having a challenge implementing csrf protection on two projects based on CI 3.x.  As far as I know, my code is not unconventional.  Submission of any form results in:
PHP Code:
An Error Was Encountered

The action you have requested is not allowed

I have looked at numerous solutions to such a problem posted on the web
  • I am using form_open() as required for CI to automatically insert the csrf token;
  • config elements for crsf and cookies meet the requirements
Here are portions of config.php:
PHP Code:
$config['base_url'] = 'http://betasite.lh.com/';

Session Variables:
$config['sess_driver']            = 'database';
$config['sess_cookie_name']        = 'ci_session';
$config['sess_expiration']        = 7200;
$config['sess_save_path']        = 'ci_sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_time_to_update']         = 300;
$config['sess_regenerate_destroy']    = FALSE;

Cookie Related Variables:
$config['cookie_prefix']    '';
$config['cookie_domain']    '.betasite.lh.com';
$config['cookie_path']      '/';
$config['cookie_secure']    FALSE;
$config['cookie_httponly' FALSE;

Cross Site Request Forgery:
$config['csrf_protection'  TRUE;
$config['csrf_token_name'  'csrftoken';
$config['csrf_cookie_name' 'csrfcookie';
$config['csrf_expire'      7200;
$config['csrf_regenerate'  TRUE;
$config['csrf_exclude_uris'] = array(); 
What is the process of generating the token, setting it in a cookie and posting it in the hidden field in a form?  Logically, is it?:

  1. generate token
  2. save it to cookie
  3. read token from cookie into $this->crsf_hash
  4. place token in form so it appears in $_POST at time of form submission
I ask because stepping through the code with xdebug I am seeing inconsistencies.  Running a log-in without debugging and it will always fail.  On some occasions - maybe 1 out of 8 - if I step through function csrf_verify (Security.php, version CI 3.1.6) the verification passes for the hash in the cookie and the value in $_POST match.  The log-in completes as it should.

Since `$config['csrf_regenerate']  = TRUE;` is it necessary to set the csrf cookie in the controller for my application?

Thank you for taking the time to read this.

The CSRF mechanism typically requires no intervention on your part. If you do go about messing with the csrf cookie you're likely to make matters worse.

As you know, when using

PHP Code:
$config['csrf_regenerate'] = TRUE

The CSRF cookie is set with a new hash value every time a POST request is made to the server. GET requests do not check the CSRF credentials and do not regenerate the CSRF hash.

Why is typically underlined above? No intervention is needed if you're doing straight up http form processing ie. - the browser:
  1. Requests a page that shows form
  2. Posts via form's "action" attribute
  3. Action method loads a view (possibly due to a redirect)

On the other hand, if you're using AJAX to make POST requests. Recall that each POST results in a new CSRF hash. If you don't supply the new hash to the currently loaded page the next POST will fail during csrf_verify().  

The intervention required amounts to passing the new credentials back to the AJAX handler and incorporating that info into the next POST request. Incorporating the credentials can be done by either updating the value of the hidden CSRF field or by manipulating the data the AJAX request will send.

Is there any AJAX involved in your implementation?

If not and if you have not added any code trying to outsmart the CSRF implementation then it's hard to offer more advice without seeing the relevant controller and view code.

Theme © iAndrew 2016 - Forum software by © MyBB