• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
CSRF error on login

#1
Hey guys, new guy here (first post) so I apologize if this is in the wrong place.

I've been building a web app using CI 3, and I've run into a kind of strange problem: on Microsoft Edge, I am getting the CSRF error page ("this action is not allowed" or whatever) whenever I try to login.  I didn't have this problem in development, but the production machine is on a different server.  I just checked my app/config/config.php, and my CSRF settings are exactly the same on both.  They are:

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'my_token_goes_here';
$config['csrf_cookie_name'] = 'csrf';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = FALSE;
$config['csrf_exclude_uris'] = array();

So this doesn't make a whole lot of sense.  It's definitely not CSRF - I am logging in from the app, not a script - but for some reason CI thinks it is.  Maybe Edge does something wonky with cookies?

Thanks in advance.  Smile
Reply

#2
@mfox,

There could be many reasons. Some questions?
Are the PHP versions the same?
Did you go from Unix/Linux to Windows Server?
Exactly what version of CI are you using?
Can you show the code where the error actually happens?
Reply

#3
Hey php_rocs (btw love the nickname - yes, PHP rocks! lol),

To answer your very good questions:
1. Yes. Both are running version 5.4.16
2. No. Both are Linux servers (though the production server is in Azure - maybe that's part of it?)
3. 3.2.0-dev (kinda surprised it has "-dev" on the end - it was supposedly the latest stable version when I installed it). This is consistent across both servers.
4. I would be glad to... if I knew where it was coming from. Something somewhere in CI's guts is throwing the error; I never call anything CSRF-related apart from the config setup I already gave. And nothing is logged (so no stack trace or anything like that). But that actually gives me an idea; maybe if I increase the logging level to include debug and info messages, it would show me where the error is being thrown.

Anyway thanks for the suggestions! I actually learned a bit having to Google all these answers (lol), and I'm sure they'll come in handy for future projects. But for now, does any of this help? Smile
Reply

#4
@mfox
Yes, these answers help.

1. You do know that PHP 5.4.16 is already EOL (End Of Life-DEC 2015). You should at least be 5.6.x
2. While there are differences I'm not sure if it impacts this situation (I doubt it).
3. The current Production version of CI is 3.1.9 ( I absolutely would not run 3.2.0-dev as Production).
4. What Controller runs your log in page? You should also be able to check your CI logs for errors.

Are you sure that you implemented CSRF correctly? If you are new to CI then this may be the issue. This is where the code would be helpful.
Reply

#5
@mfox
Here is the documentation for the CI CSRF: https://codeigniter.com/user_guide/libra...rgery-csrf
Reply

#6
1) Internet Options
2) Privacy Tab
3) Advanced button

Check your cookie settings.

F12 Browser Developer Tools network tab will show you whats going on.
What did you Try? What did you Get? What did you Expect?

Joined the CodeIgniter Community in 2009.          ( Skype: insitfx )
Reply

#7
@php_rocs:
Thanks for the info on the versions. I have downloaded version 3.1.9 and will ask my sysadmin to upgrade our PHP version (on our dev server first of course Smile). I knew PHP 4 had reached its end-of-life but not any versions of PHP 5. But I knew they were up to version 7 (just checked on PHP.net and the latest stable release is v7.2.6) so I should probably get that upgraded anyway.

Now if you think it should be logging something, I will try changing the logging settings to log info and debug messages. In fact, I think you hit the nail on the head with logging. Maybe I can throw in a bunch of log_message calls throughout the code and see what comes out. Smile

And yes, I'm sure I did everything that was in the documentation; if there is some step that's NOT in the documentation, I haven't done that (not meaning to sound rude - just saying that cuz I've actually seen frameworks that leave out important details in their docs). Is there something about the CSRF protection feature that isn't there, that I should know about?

@InsiteFX:
Thanks for the suggestion. I couldn't find "internet options" (Isn't that an IE menu?) but I did check my cookie settings and they are not blocked. That was the only setting that I could find (to block or not to block, that is the question Smile ).

Now as far as the F12 developer tools are concerned, what specifically should I be looking for? The only new info I found there is that the response code is 403 Forbidden. The CSRF cookie is there, and the response text is just the HTML of the error page.

@both: Thanks for all your ideas, questions and suggestions! I really appreciate the help.
Reply

#8
You will find the Internet Options in the Windows Control Panel.
What did you Try? What did you Get? What did you Expect?

Joined the CodeIgniter Community in 2009.          ( Skype: insitfx )
Reply

#9
ahhh okay, gotcha. I wouldn't have thought to look there (but I guess that's Microsoft for ya, lol). I have both first-party and third-party cookies set to "accept", and "always allow session cookies" is checked. Could there be another setting involved? The app works great in Firefox, Chrome and mobile Safari, but I get the CSRF error with Edge and (I just found out) IE. So this feels less like a server-side problem and more a browser problem. I could be wrong, but that seems to make the most sense right now.

Either way, your ideas have given me a few leads I'm going to work on:
1. I put in a ticket for a PHP upgrade.
2. I'll be setting up our app to use CI 3.1.9
3. I'll be increasing the logging level to see if that generates something useful.
4. If it doesn't, I'll add a bunch of extra logging to the login code and see if that helps.
Reply

#10
My hosting provider ( WebHostingBuzz ) gives me a dropdown so that I can choose
any version of PHP that I want.
What did you Try? What did you Get? What did you Expect?

Joined the CodeIgniter Community in 2009.          ( Skype: insitfx )
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


Users browsing this thread:
1 Guest(s)


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2018 MyBB Group.