Change default page for csrf error
Where to change default page for "this action is not allowed" which is caused by csrf token expired?
@anthos1984,
There is no default page for "this action is not allowed". It is an error message. It may use one of the default error pages in the /application/views/errors directory.
If you examine the execution path as designed you find...
If the CSRF is not valid
So, one way to get what you want would be to extend CI_Security and redefine the method csrf_show_error(). Something along these (untested) lines.

PHP Code:
class MY_Security extends CI_Security

Basically what happens above is you bypass the common function and go straight to the CI_Exceptions class passing the name of your custom view - which I call "csrf_error". You need to create the view file /application/views/errors/html/csrf_error.php that meets your objectives.
(07-26-2018, 04:09 PM)dave friend Wrote: So, one way to get what you want would be to extend CI_Security and redefine the method csrf_show_error(). Something along these (untested) lines.

Wow, thanks. I will try that.
(07-26-2018, 04:09 PM)dave friend Wrote: If you examine the execution path as designed you find...

Yes, indeed, that is what I was thinking about, but then somehow you should force the system to load your Security class instead of the standard security class. And how to do that? I mean that $this->security->somefunction() must call your newly instantiated My_Security class, whose variable/instance must have the name $security. How to do that without hacking the framework? This string instantiates this class: $SEC =& load_class('Security', 'core');

With hacking the framework we can rename the original class into Security_original and then create our class called Security extends Security_original, and this class will contain the functions which in case of CSRF attack will (for example) load page with logging asking to relogin again.
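As an added example (not code from this thread or from CodeIgniter itself), here is one way the csrf_show_error() override discussed above can look in CodeIgniter 3. It also covers the loading question: load_class('Security', 'core') picks up application/core/MY_Security.php through the subclass_prefix setting ("MY_" by default), so no framework file is edited. The heading and message strings are placeholders.

```php
<?php
// application/core/MY_Security.php
//
// load_class('Security', 'core') also looks in application/core/ for a class
// named <subclass_prefix>Security ("MY_" by default) and instantiates it in
// place of CI_Security, so $this->security is an instance of MY_Security.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Security extends CI_Security
{
    /**
     * Called by csrf_verify() when the CSRF token is missing or does not
     * match. Renders application/views/errors/html/csrf_error.php instead of
     * the stock error_general.php view.
     */
    public function csrf_show_error()
    {
        // Keep a record of rejected requests; no request data is written to
        // the log, so nothing attacker-controlled ends up in the log file.
        log_message('error', 'CSRF token verification failed');

        // Same path the show_error() helper takes, but with our own template.
        $exceptions =& load_class('Exceptions', 'core');

        echo $exceptions->show_error(
            'Form expired',                                   // placeholder heading
            'Please reload the page and submit the form again.', // placeholder message
            'csrf_error',                                     // custom view name
            403                                               // keep the 403 status
        );

        // Stop here so the rejected request never reaches a controller.
        // show_error() exits with status 1 for HTTP error codes; do the same.
        exit(1);
    }
}
```

The view application/views/errors/html/csrf_error.php receives $heading and $message, the same variables error_general.php uses.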