CSRF token problem with CodeIgniter

I am having a very weird CSRF protection problem in CodeIgniter. I have made sure that I use form_open to start my form, csrf_protection is set to true in the config file, and I have also made sure that the hidden csrf name and value fields match the csrf cookie as seen here: http://d.pr/3cfB.

What happens is that when I submit the form, I get "An Error Was Encountered. The action you have requested is not allowed." error and am not sure why. The form works fine when I turn the csrf_protection off.

What's even weirder is that I use tank_auth library for my authentication and it also uses form_open for the login form. I did check to make sure that there is a hidden csrf field in the login form when csrf_protection is on and I was able to submit the form and log in with no problem.

Thoughts on what I can do to debug this problem?

Antemortem answered 20/3, 2011 at 6:21 Comment(0)

I found the problem. In one of my custom libraries I have parent::_sanitize_globals() which apparently was what's causing the error. I read somewhere that if I have xss filtering turned on, I don't need to do sanitize global.

Antemortem answered 20/3, 2011 at 17:14 Comment(0)

To begin with, the session class is expecting a token named 'csrf_token_name', not one named 'csrf_salemarked_token$...'.

This blog post covers AJAX with CSRF Protection in CodeIgniter 2.0.

Tank_auth is getting the token from the hidden input form field, rather than the cookie. Your AJAX requests need to get the token from the hidden field if available, or the cookie if there is no form.

Resinous answered 20/3, 2011 at 14:44 Comment(2)
Hmmm, I am not sure I agree with you on this. A few things: first, csrf_token_name is a part of the CI config (d.pr/lQHG), so 'csrf_salemarked_token$...' was the name of the token. Second, I am not trying to do any AJAX form submission. Third, I created my form the same way tank_auth created its form; I have double checked and both forms have a hidden input with the csrf token name and value. – Antemortem
Woof... you're right about the token name. Somehow I didn't migrate the new config file when I upgraded. – Resinous
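The answer above says an AJAX request has to supply the token from the hidden form field when a form is present and fall back to the cookie otherwise. The following is an added browser-side example of that lookup; it is not code from the original thread, from CodeIgniter or from tank_auth. The constants CSRF_TOKEN_NAME and CSRF_COOKIE_NAME are placeholders for whatever $config['csrf_token_name'] and $config['csrf_cookie_name'] are set to in your config/config.php; the helper names are my own.

```javascript
// Added example: resolve the CodeIgniter CSRF token for an AJAX POST,
// preferring the hidden <input> in the form and falling back to the cookie.
// The two names below are placeholders for the values in config/config.php.
const CSRF_TOKEN_NAME = 'csrf_token_name';   // $config['csrf_token_name']
const CSRF_COOKIE_NAME = 'csrf_cookie_name'; // $config['csrf_cookie_name']

// Pull one cookie value out of a document.cookie-style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Read the hidden field form_open() emitted. `form` may be null when the
// page that fires the request has no form at all.
function readHiddenField(form, name) {
  if (!form) return null;
  const input = form.querySelector(`input[name="${name}"]`);
  return input && input.value ? input.value : null;
}

// Hidden field first, cookie second; null means there is nothing to send.
function resolveCsrfToken(form, cookieString,
                          tokenName = CSRF_TOKEN_NAME,
                          cookieName = CSRF_COOKIE_NAME) {
  return readHiddenField(form, tokenName) || readCookie(cookieString, cookieName);
}

// CodeIgniter 2.0 reads the token from the POST body, so it is added as a
// form field named tokenName rather than as a request header.
function buildPostBody(fields, token, tokenName = CSRF_TOKEN_NAME) {
  const params = new URLSearchParams(fields);
  params.set(tokenName, token);
  return params.toString();
}

// Browser usage (needs a real DOM, so it is not executed here):
//   const form = document.querySelector('form');
//   const token = resolveCsrfToken(form, document.cookie);
//   fetch('/controller/method', {
//     method: 'POST',
//     credentials: 'same-origin',
//     headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
//     body: buildPostBody({ title: 'hello' }, token),
//   });
```

If resolveCsrfToken returns null, the request is going to fail the CSRF check anyway, so it is better to surface that in the client than to send a token-less POST and get the "The action you have requested is not allowed" page back.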