Welcome Guest, Not a member yet? Register   Sign In
Setting $cookieSecure = true;
#1

(This post was last modified: 02-20-2019, 10:53 PM by donpwinston.)

When I set $cookieSecure = true; in Config/App.php and submit a form I get the following error:

BASEPATH/Security/Security.php at line 193
PHP Code:
186         }
187 
188         
// Do the tokens exist in both the _POST and _COOKIE arrays?
189         if ( ! isset($_POST[$this->CSRFTokenName], $_COOKIE[$this->CSRFCookieName])
190              || $_POST[$this->CSRFTokenName] !== $_COOKIE[$this->CSRFCookieName]
191         // Do the tokens match?
192         {
193             throw new \LogicException('The action you requested is not allowed'403);
194         }
195 
196         
// We kill this since we're done and we don't want to pollute the _POST array
197         unset($_POST[$this->CSRFTokenName]);
198 
199         
// Regenerate on every submission?
200         if ($this->CSRFRegenerate

My form uses the csrf function to create a token. Why is that a problem?
Simpler is always better
Reply
#2

so you got thrown a LogicException ?

can you provide the part of code that creates your form ( or open the form )
Reply
#3

(02-22-2019, 03:14 AM)puschie Wrote: so you got thrown a LogicException ?

can you provide the part of code that creates your form ( or open the form )

This is the view that creates the form. If I set set $cookieSecure = false; it works fine.
PHP Code:
<main class="usa-grid usa-section usa-content usa-layout-docs" id="main-content">

<
div class="bnc-progress-bar">
 
 <div class="bnc-progress-bar-color" style="width:20%"></div>
</
div>

<
form action="/register/computer_agreement" method="post">
<?= 
csrf_field() ?>
<h3>I want to:</h3>

<fieldset class="usa-fieldset-inputs usa-sans">

  <legend class="usa-sr-only">Computer Receive Method</legend>

  <ul class="usa-unstyled-list">
    <li>
      <?php if ($session->computer_receive_method == null) : ?>
      <input id="method_1" type="radio" name="computer_receive_method" value="1" checked>
      <?php else : ?>
      <input id="method_1" type="radio" <?= bnc_set_value('computer_receive_method'$session->computer_receive_method) == 'checked' ''?> name="computer_receive_method" value="1">
      <?php endif; ?>
      <label for="method_1">Receive notices via Email with XML data and PDF copy of notice (Recommended)
          <span class="tooltip"><img src="/assets/img/alerts/info.png" height="15" width="15" alt="info"> <span class="tooltiptext">Email of a PDF file with case data embedded in XML tags is the single most complete method for a computer program to extract data from the notices and process it for you account management system. Further information can be found in the "Technical Documentation" section of the "Resources" menu.</span></span></label>
    </li>
    <li>
      <input id="method_2" type="radio" <?= bnc_set_value('computer_receive_method'$session->computer_receive_method) == 'checked' ''?> name="computer_receive_method" value="2">
      <label for="method_2">Receive First meeting, discharge, notice of assets and dismissal notices via EDI; receive other notices via email (Requires approval prior to sign up)
          <span class="tooltip"><img src="/assets/img/alerts/info.png" height="15" width="15" alt="info"> <span class="tooltiptext">EDI noticing is for recipients with legacy systems that process data in this format. Only a limited set of notice types are sent via EDI. The rest of the notices are sent via email with embedded XML tags. Further information can be found in the "Technical Documentation" section of the "Resources" menu.</span></span></label>
    </li>
  </ul>

</fieldset>
<button type="button" class="back-button" onclick="history.go(-1);">Back</button>
<input type="submit" class="next-button" name="submitted" value="Next">
</form>
</main> 
Simpler is always better
Reply
#4

your form looks valid to me

another reason could be the access type
-> secure cookie only works in https requests

so for http you need to disable secure cookie ( or disable http access with $forceGlobalSecureRequests

this is handled in CodeIgniter\Security\Security:241 ( CSRFSetCookie )
Reply
#5

"another reason could be the access type
-> secure cookie only works in https requests"

I'm using http in development so that could be why. Also looks like the code has changed with the more recent releases.

Thanks.
Simpler is always better
Reply




Theme © iAndrew 2016 - Forum software by © MyBB