Issues with CSRF in CI4 tutorial
#1

So, when I hit "Create new item" in the tutorial, CI throws an exception error due to, I guess, missing/invalid CSRF information.
Just to get a grip of what was actually generated, I put this in create.php:
Code:
<h2><?= esc($title) ?></h2>
<?= session()->getFlashdata('error') ?>
<?= validation_list_errors() ?>

<hr/>
<p>COOKIE</p>
<?php echo var_export($_COOKIE, true); ?>
<hr/>
<p>SESSION</p>
<?php echo var_export($_SESSION, true); ?>
<hr/>
<p>CSRF</p>
<p>Token name: <?= csrf_token(); ?></p>
<p>Token hash: <?= csrf_hash(); ?></p>
<p>Token field<pre><?= esc(csrf_field()); ?></pre></p>
<p>Token meta<pre><?= esc(csrf_meta()); ?></pre></p>
<hr/>

<form action="create" method="post">
    <?= csrf_field() ?>
    <label for="title">Title</label>
    <input type="text" id="title" name="title" value="<?= set_value('title') ?>">
    <br>
    <label for="body">Text</label>
    <textarea id="body" name="body" cols="45" rows="4"><?= set_value('body') ?></textarea>
    <br>
    <input type="submit" name="submit" value="Create news item">
</form>
The output looks like this:

Code:
COOKIE
array ( 'ltest2_csrf_cookie' => 'a9a4c863be8f4c0877ee68f440027a77', 'LTEST2' => 'p7654lf4mjbtuafpgbpite5lmeed51qt', )
SESSION
array ( '__ci_last_regenerate' => 1680255478, '_ci_previous_url' => 'https://myhostname.com/ltest2/index.php/news/create', )
CSRF
Token name: ltest2_csrf_token_name
Token hash: a9a4c863be8f4c0877ee68f440027a77
Token field <input type="hidden" name="ltest2_csrf_token_name" value="a9a4c863be8f4c0877ee68f440027a77">
Token meta <meta name="X-CSRF-TOKEN" content="a9a4c863be8f4c0877ee68f440027a77">

[..]

I cannot for the life of me figure out why it generates a "CodeIgniter\Security\Exceptions\SecurityException #403 (The action you requested is not allowed)".
Within the <form></form> data on the page, there's a correct hidden input field like this:
Code:
<input type="hidden" name="ltest2_csrf_token_name" value="a9a4c863be8f4c0877ee68f440027a77">
So that seems to add up ...
The exception points to this block in Security.php:
Code:
// Do the tokens match?
if (! isset($token, $this->hash) || ! hash_equals($this->hash, $token)) {
    throw SecurityException::forDisallowedAction();
}

What did I miss? Could this have something to do with URL validation, index.php handling, or something else?

-joho
#2

It seems your code is okay. So I don't know why you got the CSRF error.

Try this: https://github.com/kenjis/ci4-news
#3

(This post was last modified: 04-03-2023, 04:11 AM by joho. Edit Reason: Formatting )

I've checked "my" code against the code at the URL you presented, and I can't see any differences.

Could this have something to do with these settings in .env? Do I need to modify them elsewhere to match this perhaps?

Code:
security.csrfProtection = 'cookie'
security.tokenRandomize = false
security.tokenName = 'ltest2_csrf_token_name'
security.headerName = 'X-CSRF-TOKEN'
security.cookieName = 'ltest2_csrf_cookie'
security.expires = 7200

Or, could it have something to do with me using https://my.host.name/sub-directory/ for the tutorial?

OK. Found it. Duh!

Apparently, PHP does not mind if you enter a pool configuration value as "MB" instead of "M"; it just silently ignores it and sets it to zero. So I had post_max_size set to 10MB instead of 10M, so no post data was getting through at all. This became obvious when checking the PHP error log file.

So, my bad, all is well for now :-)
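As an added example (not code from the thread or from CodeIgniter itself), the following script shows the two things worth checking when CI4 reports a 403 on a form post: whether the token was actually missing (as opposed to mismatched), and whether the POST body was dropped because it exceeded post_max_size. The csrfVerify() function mirrors the hash_equals() comparison quoted from Security.php above, using the tokenName and cookieName from the .env settings in this thread; postBodyLooksDropped() and postMaxSizeLooksValid() are hypothetical helper names, and the request arrays at the bottom are constructed for the example.

```php
<?php
// Added example, not part of the original post or of CodeIgniter.
// Hypothetical helpers: csrfVerify, postBodyLooksDropped, postMaxSizeLooksValid.

declare(strict_types=1);

const TOKEN_NAME  = 'ltest2_csrf_token_name';   // security.tokenName in .env
const COOKIE_NAME = 'ltest2_csrf_cookie';       // security.cookieName in .env

/**
 * Double-submit check: the token from the form field (or the X-CSRF-TOKEN
 * header) must equal the hash stored in the CSRF cookie. Returns null on
 * success, otherwise a reason, so "missing" can be told apart from "mismatch".
 */
function csrfVerify(array $post, array $cookie, array $headers = []): ?string
{
    $token = $post[TOKEN_NAME] ?? $headers['X-CSRF-TOKEN'] ?? null;
    $hash  = $cookie[COOKIE_NAME] ?? null;

    if ($token === null) {
        return 'token missing from POST body and header';
    }
    if ($hash === null) {
        return 'CSRF cookie missing';
    }
    // Constant-time comparison, as in Security.php
    if (!hash_equals($hash, $token)) {
        return 'token does not match cookie';
    }
    return null;
}

/**
 * When the request body exceeds post_max_size, PHP discards it: $_POST is
 * empty although Content-Length is non-zero, and the error log shows
 * "POST Content-Length of N bytes exceeds the limit of M bytes".
 */
function postBodyLooksDropped(array $post, array $server): bool
{
    $length = (int) ($server['CONTENT_LENGTH'] ?? 0);
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    return $method === 'POST' && $length > 0 && $post === [];
}

/**
 * PHP's documented ini shorthand is an integer with an optional single
 * K, M or G suffix. "10MB" does not fit that grammar.
 */
function postMaxSizeLooksValid(string $value): bool
{
    return preg_match('/^\d+[KMGkmg]?$/', trim($value)) === 1;
}

// Constructed requests for the example
$cookie = [COOKIE_NAME => 'a9a4c863be8f4c0877ee68f440027a77'];
$good   = [TOKEN_NAME => 'a9a4c863be8f4c0877ee68f440027a77', 'title' => 'x'];
$server = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => '123'];

var_dump(csrfVerify($good, $cookie));          // NULL: tokens match
var_dump(csrfVerify([], $cookie));             // "token missing from POST body and header"
var_dump(postBodyLooksDropped([], $server));   // true: body sent, nothing parsed
var_dump(postMaxSizeLooksValid(ini_get('post_max_size')));
var_dump(postMaxSizeLooksValid('10M'));        // true
var_dump(postMaxSizeLooksValid('10MB'));       // false
```

Running this on the server that produced the 403 distinguishes the two failure modes: an empty $_POST with a non-zero Content-Length points at php.ini (post_max_size, upload_max_filesize) rather than at the CSRF configuration, which is exactly what the error log confirmed in this thread.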
#4

(This post was last modified: 04-03-2023, 08:05 AM by luckmoshy.)

(04-01-2023, 04:46 AM)kenjis Wrote: It seems your code is okay. So I don't know why you got the CSRF error.

Try this: https://github.com/kenjis/ci4-news


@kenjis, it looks like CI 4.3+ has a CSRF problem. As he said, this has happened for me also, but only in CI 4.3.1+.

For example, if one sends a form post and you try to repeat it, instead of firing the message
Code:
The action you requested is not allowed

it throws the exception:
PHP Code:
"CodeIgniter\Security\Exceptions\SecurityException #403 (The action you requested is not allowed)"
Codeigniter First, Codeigniter Then You!!
yekrinaDigitals

#5

(04-03-2023, 07:51 AM)luckmoshy Wrote: For example, if one sends a form post and you try to repeat it, instead of firing the message
Code:
The action you requested is not allowed

it throws the exception:
PHP Code:
"CodeIgniter\Security\Exceptions\SecurityException #403 (The action you requested is not allowed)"

But isn't this a setting in CI, that it should throw exceptions instead of printing/displaying errors?