Codeigniter CSRF Token Problem

I made a simple registration / mailing site, but I have a strange problem. Some people get an error message.

An error has been detected. The action you requested is not allowed.

I already tried Google and found that people have the same problem when CSRF is set to true. However, it does not happen to everyone, just a small group of people. I use form_open and form_close and I see a hidden field (token).

I am using the latest version of CodeIgniter, 2.0.2.

This is my controller:

    function __construct()
    {
        parent::__construct();
        session_start();
    }

    function index()
    {
        $this->load->model('beta_signup_model');
        $this->form_validation->set_rules('mail', 'e-mail', 'required|valid_email|xss_clean|callback__mail_check');

        // Check for errors
        if ($this->form_validation->run() == FALSE)
        {
            // The system found a form validation error
        }
        else
        {
            // No errors found
            $_SESSION['mail_success'] = 1;
            $_SESSION['mail'] = $this->input->post('mail');
            redirect(base_url() . 'confirm');
        }

        ///// FILLS OUT INPUT FIELDS /////
        // Loads field_populator_helper
        $this->load->helper('field_populator_helper');

        // Defines input field names
        $input_names = array('mail');

        // Defines default values
        $default_values = array('Skriv inn e-posten din..');

        // Auto-populates fields with blur and focus
        $data['field_populator'] = populateFields($input_names, $default_values);

        $this->load->view('frontpage_view', $data);
    }
+7
6 answers

This might help: change your 'sess_cookie_name' in config.php to make sure it contains no spaces or underscores.

 $config['sess_cookie_name'] = 'mycookiename'; 
+2

I had the same problem: a completely clean installation of CI 2.1.0 on MAMP, just following the instructions in the User Guide.

After much searching and googling, I found that in 'application/config.php' the variable $config['cookie_prefix'] should always be empty; otherwise, if CSRF protection is enabled, this error will occur.

It is possible that there are other problems, i.e. the session library, XSS encryption or protection, etc., but just leaving the cookie_prefix empty seems to sort it out for me.

I hope this helps others.

+2

CSRF is valid when the token from the hidden field matches the token from the cookie. Check four things:

+1
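An added illustration of the check the answer above describes (this is example code, not code from any answer or from CodeIgniter itself): CodeIgniter's CSRF protection is a double-submit comparison, the hidden form field against the cookie. The function below reduces that comparison to something runnable from the command line with constructed inputs. The token name and cookie name are the CodeIgniter defaults; the sample token values are made up; the `ci_`-prefixed case only shows how a mismatch between the name a cookie is written under and the name it is read under would produce the symptom the second answer reports, and is not a claim about how CI 2.0.2 is implemented internally. `hash_equals()` assumes PHP 5.6 or later.

```php
<?php
// Added example, not part of any answer on this page.
// Pure function so the check can be exercised without a browser or a session.

/**
 * Return TRUE only when the hidden form field and the cookie carry the same,
 * non-empty token. "Both missing" and "both empty" must fail as well.
 */
function csrf_tokens_match(array $post, array $cookie, $token_name, $cookie_name)
{
    if (!isset($post[$token_name], $cookie[$cookie_name])) {
        return FALSE;
    }
    $field  = (string) $post[$token_name];
    $stored = (string) $cookie[$cookie_name];
    if ($field === '' || $stored === '') {
        return FALSE;
    }
    // Constant-time comparison. A loose == would also treat two hex digests
    // that happen to look numeric ('0e123...' == '0e456...') as equal.
    return hash_equals($stored, $field);
}

// CodeIgniter's default names (assumption: unchanged in config.php)
$token_name  = 'csrf_test_name';
$cookie_name = 'csrf_cookie_name';

// Constructed sample tokens, not real values
$token     = 'e0d1c2b3a4f5e6d7c8b9a0f1e2d3c4b5';
$old_token = 'f6e5d4c3b2a1908f7e6d5c4b3a29180f';

// label => array(POST, COOKIE, expected result)
$cases = array(
    'field and cookie match' => array(
        array($token_name => $token), array($cookie_name => $token), TRUE),
    'cookie never reached the browser (blocked, expired, not sent back)' => array(
        array($token_name => $token), array(), FALSE),
    'cookie written under a prefixed name, read under the bare name' => array(
        array($token_name => $token), array('ci_' . $cookie_name => $token), FALSE),
    'stale field token after the cookie was regenerated by a previous POST' => array(
        array($token_name => $token), array($cookie_name => $old_token), FALSE),
    'field posted empty, cookie present' => array(
        array($token_name => ''), array($cookie_name => $token), FALSE),
);

foreach ($cases as $label => $case) {
    list($post, $cookie, $expected) = $case;
    $result = csrf_tokens_match($post, $cookie, $token_name, $cookie_name);
    printf("%-72s %s\n", $label, $result === $expected ? 'as expected' : 'UNEXPECTED');
}
```

Every case except the first prints "as expected" because the function returned FALSE, which is the path that ends in "The action you requested is not allowed." When only some users hit the error, the useful question is which of the FALSE rows their request resembles: no cookie at all (cookie refused or lost), a name mismatch (prefix or a cookie name the browser rewrites), or a token that was fresh when the page rendered but regenerated before the form was submitted.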

I use my own csrf helper because I found that setting the parameter in config to true causes chaos with my ajax calls.

I use xsrf_get_token_field() to generate the field and xsrf_check_token() as a custom callback in my form validation.

    <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

    if ( ! function_exists('xsrf_get_token'))
    {
        /**
         * Get XSRF Token
         *
         * Returns a token that exists for one request that verifies that
         * the action was executed by the person that requested it
         *
         * @return string
         */
        function xsrf_get_token()
        {
            $ci =& get_instance();

            if ($ci->session->userdata('xsrf_hash'))
            {
                $token = $ci->session->userdata('xsrf_hash');
            }
            else
            {
                // Generate the token. microtime() and the URI alone are guessable,
                // so mix in uniqid() seeded with mt_rand() as well.
                $token = sha1(microtime().$ci->uri->uri_string().uniqid(mt_rand(), TRUE));

                // Set it in the session
                $ci->session->set_userdata('xsrf_hash', $token);
            }

            // Return it
            return $token;
        }
    }

    if ( ! function_exists('xsrf_get_token_field'))
    {
        /**
         * Get XSRF Token Field
         *
         * Returns an xhtml form element to include the xsrf token.
         * You can specify the id/name attribute of the input.
         * Has a dependency on xsrf_get_token().
         *
         * @param  string The id/name to be used
         * @return string
         */
        function xsrf_get_token_field($name = 'auth_token')
        {
            return '<input type="hidden" id="'.$name.'" name="'.$name.'" value="'.xsrf_get_token().'" />';
        }
    }

    if ( ! function_exists('xsrf_delete_token'))
    {
        /**
         * Delete XSRF Token
         *
         * Deletes the xsrf token
         *
         * @return boolean
         */
        function xsrf_delete_token()
        {
            $ci =& get_instance();

            if ($ci->session->userdata('xsrf_hash'))
            {
                $ci->session->unset_userdata('xsrf_hash');
                return TRUE;
            }
            else
            {
                return FALSE;
            }
        }
    }

    if ( ! function_exists('xsrf_check_token'))
    {
        /**
         * Check XSRF Token
         *
         * Checks that the token is still valid, returns TRUE if so.
         * Deletes the old token after either a valid or a failed check.
         * Has a dependency on xsrf_delete_token().
         *
         * @param  string The challenge token
         * @return boolean
         */
        function xsrf_check_token($challenge_token)
        {
            // CI
            $ci =& get_instance();

            // Get the stored token (userdata() returns FALSE when it is not set)
            $token = $ci->session->userdata('xsrf_hash');

            // Delete the old token, whether or not the check succeeds
            xsrf_delete_token();

            // Strict comparison: with == an unset token (FALSE) would match an
            // empty challenge, and two hex digests can compare equal as numbers
            return (is_string($token) && $token !== '' && $token === $challenge_token);
        }
    }
+1
  • You need to update the basic security files, or just take the CSRF code from the current version of the CodeIgniter core security file.

  • You can use ajax like:

        var cct = $("input[name=csrf_test_name]").val();
        $.post(site_url + "user/update_product", { product_id: id, 'csrf_test_name': cct });

  • CodeIgniter CSRF does not regenerate the token when the page is refreshed. It will only regenerate on a POST, not on a GET. Security testers found this to be a vulnerability. If anyone has a solution for this, please share it; it will be useful for everyone.

+1

For those using Codeigniter 3.0, you can do the following:

Edit:

 $config['csrf_regenerate'] = TRUE; 

to:

 $config['csrf_regenerate'] = FALSE; 

This stops the CSRF token from being regenerated on every view.

+1
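An added example (not code from any answer, and not CodeIgniter's own) that ties together the AJAX snippet two answers up and the `csrf_regenerate` setting in the answer above: rather than turning regeneration off for the whole site, the endpoint can return the freshly regenerated hash in its JSON response so the client replaces the value in its hidden field before the next call. It assumes CodeIgniter 3 with `$config['csrf_protection'] = TRUE` and `$config['csrf_regenerate'] = TRUE`, the `user/update_product` route and `product_id` field from the AJAX snippet, and a hypothetical `product_model` that is not on this page.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example, not part of any answer on this page.
// Assumes CodeIgniter 3, csrf_protection = TRUE, csrf_regenerate = TRUE.
class User extends CI_Controller
{
    public function update_product()
    {
        // CodeIgniter has already verified the token by the time this runs:
        // a missing or mismatched csrf_test_name never reaches the method, it
        // ends on the "action you requested is not allowed" page instead.
        // Only POST requests are checked, so refuse every other method here.
        if ($this->input->method(TRUE) !== 'POST')
        {
            $this->output->set_status_header(405);
            return;
        }

        $product_id = (int) $this->input->post('product_id');

        // Hypothetical model call; not on the page.
        // $this->product_model->update($product_id);

        // With csrf_regenerate = TRUE the hash the browser still holds in its
        // hidden field is now stale. get_csrf_hash() returns the value set
        // during this request's verification, so hand it back to the client.
        $this->output
            ->set_content_type('application/json')
            ->set_output(json_encode(array(
                'ok'         => TRUE,
                'product_id' => $product_id,
                'csrf_name'  => $this->security->get_csrf_token_name(),
                'csrf_hash'  => $this->security->get_csrf_hash(),
            )));
    }
}
```

On the client, the `$.post` callback writes `resp.csrf_hash` back into `$("input[name=" + resp.csrf_name + "]")` before the next request, which is why the hidden field is read with `.val()` at call time in the snippet above rather than captured once at page load. This keeps per-request tokens, which the third bullet in that answer notes testers asked for, without the failed AJAX calls that motivate switching `csrf_regenerate` to FALSE.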
