CSRF Protection Problem
#1

(This post was last modified: 01-18-2022, 04:13 PM by donpwinston.)

I get the following error message in the session using the debug toolbar:
error                  The action you have requested is not allowed.

When I comment out the csrf entry in app/Config/Filters.php, the problem goes away. (I can't submit POST requests.)
What is causing this not to work?
I've got the following in .env
Code:
app.baseURL = 'https://noticestest.uscourts.gov/'
app.forceGlobalSecureRequests = false
app.indexPage = ''
# app.sessionDriver = 'CodeIgniter\Session\Handlers\FileHandler'
# app.sessionCookieName = 'ci_session'
# app.sessionExpiration = 7200
# app.sessionSavePath = null
# app.sessionMatchIP = false
app.sessionTimeToUpdate = 0
#app.sessionRegenerateDestroy = true
app.CSPEnabled = true
app.appTimezone = 'America/New_York'

cookie.secure = true
security.csrfProtection = 'session'
Simpler is always better
#2

(This post was last modified: 01-18-2022, 04:46 PM by kenjis.)

It shows CSRF protection worked.
That is, the posted CSRF token and the token in the session do not match.
#3

(This post was last modified: 01-18-2022, 05:28 PM by donpwinston.)

I tried to add the following. I think the default names are messed up; for example, the CSRF token name was csrf_test_token for some reason:

security.tokenName = 'csrf_token_name'
security.cookieName = 'csrf_cookie_name'

I'm using version 4.1.4

It still doesn't work.
Simpler is always better
#4

security.csrfProtection = 'session'
can be used in 4.1.5 and later.
https://codeigniter4.github.io/userguide...hancements
#5

(01-18-2022, 05:25 PM)kenjis Wrote: security.csrfProtection = 'session'
can be used in 4.1.5 and later.
https://codeigniter4.github.io/userguide...hancements

OK, I saw that in the Security.php code. No session anywhere in 4.1.4. But that's not why it doesn't work. It is just ignoring that property.
Simpler is always better
#6

Yes, it is just ignored in 4.1.4. You are using Cookie based CSRF protection.

4.1.4 has a vulnerability, so I recommend you upgrade CI.
https://github.com/codeigniter4/CodeIgni...-wj64-mc9x
#7

I did upgrade to 4.1.7. Everything appears to work now. It worked occasionally with 4.1.4 which drove me nuts. I have another app that is still 4.1.4 and that uses csrf too. I haven't experienced this kind of problem with that app. The major difference is that it doesn't use CSP. But turning that off didn't help the problem.
Simpler is always better
#8

(This post was last modified: 01-19-2022, 12:44 AM by kenjis.)

Do you still have the problem in 4.1.4?
If so, check the posted CSRF token value and CSRF Cookie value.
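The two verification modes discussed in posts #2, #6 and #8 (cookie-based, where the posted token must equal the value in the CSRF cookie, and session-based, where it must equal a token held server-side) can be illustrated outside the framework. The following is an added, self-contained PHP example written for this page; it is not CodeIgniter's Security class. It reuses CI4's default names (security.tokenName = 'csrf_test_name', security.cookieName = 'csrf_cookie_name', header X-CSRF-TOKEN) but the functions, the constructed requests and the failure cases are assumptions made for illustration, not a diagnosis of the original poster's setup.

```php
<?php
declare(strict_types=1);

// Added example: double-submit-cookie ('cookie' mode) versus server-side
// ('session' mode) CSRF verification. Hypothetical helper functions; the
// constant names mirror CodeIgniter 4's default Security config keys.
const TOKEN_NAME  = 'csrf_test_name';   // security.tokenName default
const COOKIE_NAME = 'csrf_cookie_name'; // security.cookieName default
const HEADER_NAME = 'X-CSRF-TOKEN';     // security.headerName default

function generateToken(): string
{
    // 128 bits of CSPRNG output, hex-encoded.
    return bin2hex(random_bytes(16));
}

/** Token the client sent: the form field first, then the header (AJAX). */
function postedToken(array $post, array $headers): ?string
{
    if (isset($post[TOKEN_NAME]) && is_string($post[TOKEN_NAME])) {
        return $post[TOKEN_NAME];
    }
    $header = $headers[HEADER_NAME] ?? null;
    return is_string($header) ? $header : null;
}

/** Cookie mode: the posted token must match the CSRF cookie. */
function verifyCookieMode(array $post, array $headers, array $cookies): bool
{
    $posted = postedToken($post, $headers);
    $stored = $cookies[COOKIE_NAME] ?? null;
    if ($posted === null || !is_string($stored)) {
        return false; // nothing to compare against: reject
    }
    return hash_equals($stored, $posted); // constant-time comparison
}

/** Session mode: the posted token must match the token kept in the session. */
function verifySessionMode(array $post, array $headers, array $session): bool
{
    $posted = postedToken($post, $headers);
    $stored = $session[TOKEN_NAME] ?? null;
    if ($posted === null || !is_string($stored)) {
        return false;
    }
    return hash_equals($stored, $posted);
}

// ---- constructed sample requests (not captured traffic) -------------------
$token = generateToken();

$cases = [
    // 1. Well-formed submission: form field and cookie carry the same token.
    'cookie ok'     => verifyCookieMode([TOKEN_NAME => $token], [], [COOKIE_NAME => $token]),
    // 2. Cookie absent on the request (a Secure cookie is not sent over plain
    //    HTTP, or it expired): nothing to compare against, so it is rejected.
    'no cookie'     => verifyCookieMode([TOKEN_NAME => $token], [], []),
    // 3. Stale token: a form rendered with an old token is submitted after the
    //    cookie already holds a regenerated one.
    'stale token'   => verifyCookieMode([TOKEN_NAME => $token], [], [COOKIE_NAME => generateToken()]),
    // 4. Same token sent in the header instead of the form field (AJAX).
    'header ok'     => verifyCookieMode([], [HEADER_NAME => $token], [COOKIE_NAME => $token]),
    // 5. Session mode does not depend on the CSRF cookie at all.
    'session ok'    => verifySessionMode([TOKEN_NAME => $token], [], [TOKEN_NAME => $token]),
    // 6. Session mode with a mismatching token: the error from post #1.
    'session stale' => verifySessionMode([TOKEN_NAME => generateToken()], [], [TOKEN_NAME => $token]),
];

foreach ($cases as $name => $allowed) {
    printf("%-14s %s\n", $name, $allowed ? 'allowed' : 'The action you have requested is not allowed.');
}
```

When debugging a rejection in cookie mode, compare the value of the `csrf_test_name` form field (or the `X-CSRF-TOKEN` header) with the `csrf_cookie_name` cookie on the same request, as post #8 suggests: a missing cookie and a mismatching cookie are both rejected, but they have different causes. Cookie mode also means that a request arriving without the cookie (for example over plain HTTP when `cookie.secure = true`) can never pass, whereas session mode compares against server-side state only.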