Codeigniter CSRF token problem

I've made a simple signup/newsletter site, but I've got a weird problem. Some people get an error that says

An Error Was Encountered The action you have requested is not allowed.

I've already tried Google and found that people had the same problem when CSRF was set to true. However, it doesn't happen to everyone, just a small group of people. I'm using form_open and form_close and I can see the hidden field (token).

I'm using the latest version of Codeigniter 2.0.2

This is my controller

    function __construct() {
        parent::__construct();
        // Native PHP session (not CodeIgniter's Session class)
        session_start();
    }

    function index() {

        $this->load->model('beta_signup_model');

        $this->form_validation->set_rules('mail','e-mail','required|valid_email|xss_clean|callback__mail_check');

        // Check for errors
        if($this->form_validation->run() == FALSE) {

            // The system found a form validation error

        } else {

            // No errors found
            $_SESSION['mail_success'] = 1;
            $_SESSION['mail'] = $this->input->post('mail');

            redirect(base_url() . 'confirm');

        }

        ///// FILLS OUT INPUT FIELDS /////

        // Loads field_populator_helper
        $this->load->helper('field_populator_helper');

        // Defines input field names
        $input_names = array(
                        'mail',
        );

        // Defines default values
        $default_values = array(
                        'Skriv inn e-posten din..',
        );

        // Auto-populates fields with blur and focus
        $data['field_populator'] = populateFields($input_names, $default_values);

        $this->load->view('frontpage_view', $data);

    }
Dexty asked Jul 05 '11 10:07


3 Answers

It may help to change your 'sess_cookie_name' in config.php to ensure that it has no spaces or underscores.

    $config['sess_cookie_name'] = 'mycookiename';
JonoB answered Oct 22 '22 13:10


I had the same problem: totally clean install of CI 2.1.0, on MAMP, and just following along the tutorial in the User Guide.

After a lot of searching and googling, I found that in 'application/config.php', the variable $config['cookie_prefix'] must always be set to empty, otherwise if CSRF protection is turned on, this error will occur.

It could be that there are other issues involved - i.e., session library, encryption or XSS protection, etc. - but just leaving the 'cookie_prefix' empty seems to have sorted it for me.

I hope this helps others.

Knud Potente answered Oct 22 '22 12:10


CSRF validation passes when the token from the hidden field matches the token from the cookie. Check four things:

  1. Don't use native PHP sessions (session_start etc.). Switch to the Session class in CI. http://codeigniter.com/user_guide/libraries/sessions.html

  2. Check the cookie config in /application/config/config.php

  3. Check the value of the token in your form: is it different on every page refresh?

  4. Maybe try to download the current version of CI from https://bitbucket.org/ellislab/codeigniter-reactor/downloads

patwork answered Oct 22 '22 14:10
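The check that the last answer describes (hidden-field token must equal the cookie token) and the cookie-name mismatch that the second answer ran into can be seen in a small stand-alone script. The following is an added illustration of that double-submit cookie pattern, not CodeIgniter's own Security class: the constant names, the helper functions and the simulated `$_POST`/`$_COOKIE` arrays are all constructed for this example, and the prefix mismatch in case 2 is only one hypothetical way a token check can end up reading a cookie under a name it was never written to.

```php
<?php
// Added example: a minimal double-submit cookie CSRF check in the style of
// CodeIgniter's CSRF protection (this is NOT CI's code). The token is stored in a
// cookie and in a hidden form field; a POST is allowed only when both agree.
// Cookies and POST data are plain arrays so the script runs from the CLI.

const CSRF_TOKEN_NAME  = 'csrf_test_name';   // hidden field name (CI's default)
const CSRF_COOKIE_NAME = 'csrf_cookie_name'; // cookie name before any prefix (CI's default)

// Issue one fresh token. Returns what the server would send: the cookie
// (name => value) and the hidden field (name => value). $cookie_prefix stands in
// for $config['cookie_prefix'].
function csrf_issue(string $cookie_prefix): array
{
    $token = bin2hex(random_bytes(16)); // 128 bits of CSPRNG output
    return [
        'cookie' => [$cookie_prefix . CSRF_COOKIE_NAME => $token],
        'field'  => [CSRF_TOKEN_NAME => $token],
    ];
}

// Verify a POST: the posted token must exist, the cookie must exist under the
// name the verifier expects, and the two values must be identical.
function csrf_verify(array $post, array $cookies, string $expected_cookie_prefix): bool
{
    $cookie_name = $expected_cookie_prefix . CSRF_COOKIE_NAME;
    if (!isset($post[CSRF_TOKEN_NAME], $cookies[$cookie_name])) {
        return false; // missing field or cookie: "The action you have requested is not allowed."
    }
    // Constant-time comparison so the token cannot be recovered through timing
    return hash_equals($cookies[$cookie_name], $post[CSRF_TOKEN_NAME]);
}

// Render the hidden field the way form_open() does, escaping the attribute values.
function csrf_hidden_field(array $field): string
{
    $name  = htmlspecialchars((string) key($field), ENT_QUOTES, 'UTF-8');
    $value = htmlspecialchars((string) current($field), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

function report(string $case, bool $ok): void
{
    printf("%-58s %s\n", $case, $ok ? 'allowed' : 'rejected');
}

// --- simulated request/response cycle (constructed data) ---
$issued = csrf_issue('');                 // cookie_prefix left empty, as answer 2 suggests
echo csrf_hidden_field($issued['field']), PHP_EOL;

// Case 1: browser sends the cookie back and the form posts the same token.
report('cookie and field agree, same prefix', csrf_verify($issued['field'], $issued['cookie'], ''));

// Case 2: verifier looks for the cookie under a prefixed name that was never set,
// so every submission fails even though the hidden field is present (the symptom
// in the question).
report('cookie set without prefix, checked with prefix', csrf_verify($issued['field'], $issued['cookie'], 'ci_'));

// Case 3: posted token differs from the cookie (forged or stale form).
$stale = [CSRF_TOKEN_NAME => bin2hex(random_bytes(16))];
report('posted token does not match cookie', csrf_verify($stale, $issued['cookie'], ''));
```

Run it with `php csrf_demo.php`; the first case is the only one that is allowed. The design point for a defender is that the token check is only as good as the cookie lookup: a configuration change that alters the cookie name on one side but not the other (here, `cookie_prefix`) turns CSRF protection into a blanket "not allowed" for every user whose browser faithfully returns the cookie, which is exactly the intermittent failure the question reports.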