• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
form_open helper can't generate https: action link?

#1
CI 3.x.  I want to use CI helper form_open() to generate a simple login form because it can do anti-csrf automagically.    Looking at the first step:

    <?php echo form_open("foo/fum");?>
  ...

But the generated code specifying the action

    <form action="http://www.example.com/foo/fum" method="post" accept-charset="utf-8">
  ...

is flagged by SSL checker missingpadlock.com as insecure -- currently the only flaw on my almost-ready-to-deploy site.  I think this should be

      <form action="https://www.example.com/foo/fum" method="post" accept-charset="utf-8">
  ...

but I cannot see a way tell the helper to prefix 'https:'.  Obvious workaround: don't use form_open(), just straight PHP code to generate the form, but this means learning how to explicitly generate the anti-csrf function -- which I don't feel qualified to do -- or not using it.

Am I missing something incredibly obvious?  It's very possible...

Meta-question: The  site's security needs are minimal: login and logged-in users can change their own password and view restricted material -- that's all. I'm using a standard auth package which incorporates anti-brute-force.  Maybe I don't need anti-csrf.  How would I decide?

TIA
Reply

#2
What is the value you have assigned $config['base_url']? It should include the protocol and should look something like

PHP Code:
    $config['base_url'] = 'https://example.com/';  //note the trailing slash 

And yes, you need CSRF protection. It's best to use this too.

PHP Code:
$config['csrf_regenerate'] = TRUE
Reply

#3
Thanks very much!   That's what I needed to know!

--closed--
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.