CSRF Protection Problem
I get the following error message in the session using the debug toolbar:
error: The action you have requested is not allowed.

When I comment out the csrf entry in app/Config/Filters.php the problem goes away. (I can't submit POST requests.) What is causing this not to work? I've got the following in .env:

app.baseURL = 'https://noticestest.uscourts.gov/'
Simpler is always better
It shows CSRF Protection worked.
That is posted CSRF token and the token in the session do not match.
I tried to add the following. I think the default names are messed up; for example, the csrf token name was csrf_test_token for some reason:

security.tokenName = 'csrf_token_name'
security.cookieName = 'csrf_cookie_name'

I'm using version 4.1.4. It still doesn't work.
Simpler is always better
security.csrfProtection = 'session'
can be used in 4.1.5 and later. https://codeigniter4.github.io/userguide...hancements
(01-18-2022, 05:25 PM) kenjis Wrote:
security.csrfProtection = 'session'

OK, I saw that in the Security.php code. No session anywhere in 4.1.4. But that's not why it doesn't work. It is just ignoring that property.
Simpler is always better
Yes, it is just ignored in 4.1.4. You are using Cookie based CSRF protection.
4.1.4 has a vulnerability, so I recommend you upgrade CI. https://github.com/codeigniter4/CodeIgni...-wj64-mc9x
I did upgrade to 4.1.7. Everything appears to work now. It worked occasionally with 4.1.4, which drove me nuts. I have another app that is still on 4.1.4 and that uses csrf too. I haven't experienced this kind of problem with that app. The major difference is that it doesn't use CSP. But turning that off didn't help the problem.
Simpler is always better
Do you still have the problem in 4.1.4?
If so, check the posted CSRF token value and CSRF Cookie value.
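The two replies above (the token in the POST and the token in the store not matching, and the advice to compare the posted token with the cookie value) are easier to reason about with a small model of both CSRF modes side by side. The following is an added example written for this thread, not CodeIgniter's own code: it models cookie-based ("double-submit cookie") and session-based checks, a diagnose() step that says *which* value is missing or differs instead of just "not allowed", and two failure scenarios that produce the error in this thread. The field, cookie and session key names (csrf_test_name, csrf_cookie_name, csrf_token) and the per-request token regeneration are assumptions made for the example.

```python
"""Simplified model of cookie-based vs session-based CSRF token checks.
Added example for this thread; not CodeIgniter's implementation."""
import hmac
import secrets

ERROR_MESSAGE = "The action you have requested is not allowed."

# Assumed names for the example (constructed, not taken from the framework).
TOKEN_NAME = "csrf_test_name"      # hidden form field / header value
COOKIE_NAME = "csrf_cookie_name"   # cookie used in cookie mode
SESSION_KEY = "csrf_token"         # session entry used in session mode


class CsrfError(Exception):
    """Raised when the CSRF check fails."""


def new_token() -> str:
    """Fresh unpredictable token (128 bits, hex encoded)."""
    return secrets.token_hex(16)


def diagnose(posted: str, stored: str) -> str:
    """The check a practitioner does first: is either value missing, and do
    they match? Returns a label instead of only 'not allowed'."""
    if not posted and not stored:
        return "both-missing"
    if not posted:
        return "posted-missing"
    if not stored:
        return "stored-missing"
    # Constant-time comparison so the check does not leak token bytes.
    return "match" if hmac.compare_digest(posted, stored) else "mismatch"


def verify(form: dict, store: dict, mode: str) -> None:
    """mode='cookie': compare the form field with the CSRF cookie sent by the
    browser (double-submit cookie). mode='session': compare it with the
    token kept server-side in the session."""
    key = COOKIE_NAME if mode == "cookie" else SESSION_KEY
    if diagnose(form.get(TOKEN_NAME, ""), store.get(key, "")) != "match":
        raise CsrfError(ERROR_MESSAGE)


def render_form(store: dict, mode: str, regenerate: bool) -> dict:
    """Simulate the GET that renders the form: issue (or rotate) the stored
    token and return the hidden field the browser will post back."""
    key = COOKIE_NAME if mode == "cookie" else SESSION_KEY
    if regenerate or key not in store:
        store[key] = new_token()
    return {TOKEN_NAME: store[key]}


def submit(form: dict, store: dict, mode: str) -> str:
    """Simulate the POST; return 'ok' or the error message the user sees."""
    try:
        verify(form, store, mode)
    except CsrfError as exc:
        return str(exc)
    return "ok"


def scenario_happy(mode: str = "cookie") -> str:
    """Render, then post the same token back: passes in either mode."""
    store = {}
    form = render_form(store, mode, regenerate=False)
    return submit(form, store, mode)


def scenario_stale_tab(mode: str = "cookie") -> str:
    """Two tabs: tab A renders a form, tab B renders another and rotates the
    token, then tab A is submitted. With per-request regeneration this fails
    only sometimes, which is what 'worked occasionally' looks like."""
    store = {}
    form_a = render_form(store, mode, regenerate=True)
    render_form(store, mode, regenerate=True)  # tab B rotates the token
    return submit(form_a, store, mode)


def scenario_cookie_not_sent() -> str:
    """The form carries a token but the browser never sent the CSRF cookie
    (e.g. a cookie domain, path or Secure attribute that does not match the
    URL the form was posted to). Cookie mode cannot pass without it."""
    store = {}
    form = render_form(store, "cookie", regenerate=False)
    return submit(form, {}, "cookie")  # empty cookie jar on the POST


if __name__ == "__main__":
    for name, fn in [("happy", scenario_happy),
                     ("stale tab", scenario_stale_tab),
                     ("cookie not sent", scenario_cookie_not_sent)]:
        print(f"{name}: {fn()}")
```

When debugging a real request, the equivalent of diagnose() is to dump the hidden field value from the submitted form and the CSRF cookie (or the session entry in session mode) on the failing request and compare them by eye; "posted-missing" points at the form or header, "stored-missing" at cookie attributes versus app.baseURL, and "mismatch" at token rotation between render and submit.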