Change default page for csrf error
#1

Where to change default page for "this action is not allowed" which is caused by csrf token expired?
#2

@anthos1984,

There is no default page for "this action is not allowed". It is an error message. It may use one of the default error pages in the /application/views/errors directory.
#3

If you examine the execution path as designed you find...

If the CSRF token is not valid:
  1. CI_Security::csrf_show_error() is called
  2. From there the common function show_error($message, $status_code) is called with $message='The action you have requested is not allowed.' and $status_code = 403
  3. show_error() sets $heading='An Error Was Encountered', then loads the CI_Exceptions class and calls CI_Exceptions::show_error($heading, $message, 'error_general', $status_code)
  4. CI_Exceptions::show_error() uses the file /application/views/errors/html/error_general.php for the view, which echoes $heading and $message
whew!

So, one way to get what you want would be to extend CI_Security and redefine the method csrf_show_error(). Something along these (untested) lines.

PHP Code:
class MY_Security extends CI_Security
{
    public function csrf_show_error()
    {
        $heading = "Be gone fool!";
        $message = "You shall not pass!";

        // Skip the common show_error() and call CI_Exceptions directly,
        // naming the custom view csrf_error and keeping the 403 status.
        $_error = & load_class('Exceptions', 'core');
        echo $_error->show_error($heading, $message, 'csrf_error', 403);
        exit;
    }
}


Basically what happens above is you bypass the common function and go straight to the CI_Exceptions class passing the name of your custom view - which I call "csrf_error".

You need to create the view file /application/views/errors/html/csrf_error.php that meets your objectives.
#4

(07-26-2018, 04:09 PM)dave friend Wrote: So, one way to get what you want would be to extend CI_Security and redefine the method csrf_show_error(). Something along these (untested) lines.

PHP Code:
class MY_Security extends CI_Security
{
    public function csrf_show_error()
    {
        $heading = "Be gone fool!";
        $message = "You shall not pass!";

        // Skip the common show_error() and call CI_Exceptions directly,
        // naming the custom view csrf_error and keeping the 403 status.
        $_error = & load_class('Exceptions', 'core');
        echo $_error->show_error($heading, $message, 'csrf_error', 403);
        exit;
    }
}


Basically what happens above is you bypass the common function and go straight to the CI_Exceptions class passing the name of your custom view - which I call "csrf_error".

You need to create the view file /application/views/errors/html/csrf_error.php that meets your objectives.

Wow, thanks. I will try that.
#5

(This post was last modified: 08-18-2020, 12:42 PM by Ivankvkharkiv.)

(07-26-2018, 04:09 PM)dave friend Wrote: If you examine the execution path as designed you find...

If the CSRF token is not valid:
  1. CI_Security::csrf_show_error() is called
  2. From there the common function show_error($message, $status_code) is called with $message='The action you have requested is not allowed.' and $status_code = 403
  3. show_error() sets $heading='An Error Was Encountered', then loads the CI_Exceptions class and calls CI_Exceptions::show_error($heading, $message, 'error_general', $status_code)
  4. CI_Exceptions::show_error() uses the file /application/views/errors/html/error_general.php for the view, which echoes $heading and $message
whew!

So, one way to get what you want would be to extend CI_Security and redefine the method csrf_show_error(). Something along these (untested) lines.

PHP Code:
class MY_Security extends CI_Security
{
    public function csrf_show_error()
    {
        $heading = "Be gone fool!";
        $message = "You shall not pass!";

        // Skip the common show_error() and call CI_Exceptions directly,
        // naming the custom view csrf_error and keeping the 403 status.
        $_error = & load_class('Exceptions', 'core');
        echo $_error->show_error($heading, $message, 'csrf_error', 403);
        exit;
    }
}


Basically what happens above is you bypass the common function and go straight to the CI_Exceptions class passing the name of your custom view - which I call "csrf_error".

You need to create the view file /application/views/errors/html/csrf_error.php that meets your objectives.


Yes, indeed, that is what I was thinking about, but then somehow you should force the system to load your Security class instead of the standard security class. And how to do that?

I mean that $this->security->somefunction() must call your new instantiated My_Security class, whose variable/instance must have the name $security. How to do that without hacking the framework? This string instantiates this class: $SEC =& load_class('Security', 'core');

With hacking the framework we can rename the original class into Security_original and then create our class called Security extends Security_original, and this class will contain the functions which in case of CSRF attack will (for example) load a page with logging asking to relogin again.
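A complete version of the override sketched in post #3, added here as an example and not code from the thread or from CodeIgniter itself. It answers the question in post #5 as well: CodeIgniter 3's load_class() automatically loads application/core/MY_Security.php (the configured subclass_prefix plus the class name) after the system class, so nothing in system/ has to be renamed. It assumes CI 3 with csrf_protection enabled and the default 'MY_' prefix; the log line format and the wording of the page are mine.

```php
<?php
// ---- File 1 of 2: application/core/MY_Security.php ----
// CI3's load_class() also loads APPPATH.'core/'.subclass_prefix.'Security.php'
// ('MY_' by default), so this subclass replaces $SEC without touching system/.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Security extends CI_Security
{
    public function csrf_show_error()
    {
        // Log the failure for detection: one hit is usually an expired token
        // (csrf_expire) or a stale tab, a burst from one address is not.
        // $_SERVER is read directly because the Input class is not reachable here.
        log_message('error', sprintf(
            'CSRF token check failed: ip=%s method=%s uri=%s',
            isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-',
            isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '-',
            isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-'
        ));

        // Fixed wording only: nothing from the request is echoed back.
        $heading = 'Form token expired';
        $message = 'Your form token has expired or did not match. '
                 . 'Go back, reload the page and submit the form again.';

        // Same route as the thread's code: CI_Exceptions::show_error() sends the
        // 403 status and renders application/views/errors/html/csrf_error.php.
        $_error = & load_class('Exceptions', 'core');
        echo $_error->show_error($heading, $message, 'csrf_error', 403);
        exit;
    }
}

// ---- File 2 of 2: application/views/errors/html/csrf_error.php ----
// html_escape() (CI common function) keeps the view safe should a later
// change pass request-derived text into $heading or $message.
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title><?php echo html_escape($heading); ?></title></head>
<body>
<h1><?php echo html_escape($heading); ?></h1>
<p><?php echo html_escape($message); ?></p>
<p><a href="/">Return to the start page</a> and open the form again.</p>
</body>
</html>
```

Both parts are shown in one listing for brevity; save them as the two files named in the comments.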