Codeigniter: Paypal IPN and csrf_protection

I'm working with codeigniter-paypal-ipn and have csrf_protection enabled. This seems to block the access from PayPal to my IPN controller. If I disable csrf_protection it works just fine; with csrf_protection enabled, the PayPal IPN service throws a 500 Internal Server Error.

Is there a way to solve this without disabling the csrf_protection? If not, can I disable the csrf_protection just for that controller?

Thanks.

AFRC asked Oct 02 '11 18:10

3 Answers

I know the question has been answered, but I did it in a similar way without hacking the CI core. I added the following to my application/config/config.php file:

$config['csrf_ignore'] = array('api');

The array can include any paths you like. The example above will apply to any paths that begin with 'api'.

Then, I added the following file: application/core/MY_Input.php:

<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

// Picked up automatically by CodeIgniter 2.x in place of CI_Input because of
// the MY_ prefix (application/core/ is checked before system/core/).
class MY_Input extends CI_Input
{
    function _sanitize_globals()
    {
        $ignore_csrf = config_item('csrf_ignore');

        if (is_array($ignore_csrf) && count($ignore_csrf))
        {
            // The URI class is instantiated before Input, so the current
            // request path is already available when this runs.
            global $URI;
            $haystack = $URI->uri_string();

            foreach ($ignore_csrf as $needle)
            {
                // Plain prefix match: any URI that starts with $needle is exempt.
                if (strlen($haystack) >= strlen($needle) && substr($haystack, 0, strlen($needle)) == $needle)
                {
                    // Switch the CSRF check off for this request only;
                    // parent::_sanitize_globals() consults this flag before
                    // calling $this->security->csrf_verify().
                    $this->_enable_csrf = FALSE;
                    break;
                }
            }
        }

        parent::_sanitize_globals();
    }
}
/* EOF: MY_Input */
caseyamcl answered Oct 21 '22 09:10
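The prefix match in the answer above is broader than it looks: an entry of 'api' also exempts 'apikeys/rotate', and 'paypal/ipn' also exempts 'paypal/ipnadmin', so any state-changing route that happens to share the prefix silently loses CSRF protection. The following is an added example (not code from the answer or from the codeigniter-paypal-ipn project) that matches on whole URI segments instead, shown beside the naive prefix check and run over a constructed exemption list and set of request paths; the function names and the sample paths are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the codeigniter-paypal-ipn project or the answer
// above. Segment-aware CSRF exemption check next to the naive prefix check,
// exercised on constructed sample URIs.

/**
 * Return TRUE if $uri is exempt from CSRF verification.
 *
 * $exempt holds URI prefixes made of whole segments ('api', 'paypal/ipn').
 * $uri is exempt only if it equals an entry or starts with "entry/", so
 * 'api' exempts 'api' and 'api/ipn' but not 'apikeys' or 'apiary/run'.
 */
function csrf_exempt(string $uri, array $exempt): bool
{
    $uri = trim($uri, '/');                 // uri_string() has no leading slash; normalise anyway
    foreach ($exempt as $prefix) {
        $prefix = trim((string) $prefix, '/');
        if ($prefix === '') {
            continue;                       // an empty entry must never exempt every request
        }
        if ($uri === $prefix
            || strncmp($uri, $prefix . '/', strlen($prefix) + 1) === 0) {
            return true;
        }
    }
    return false;
}

/** The plain prefix check as written in MY_Input above, kept for comparison. */
function csrf_exempt_prefix(string $uri, array $exempt): bool
{
    foreach ($exempt as $prefix) {
        if (strlen($uri) >= strlen($prefix) && substr($uri, 0, strlen($prefix)) == $prefix) {
            return true;
        }
    }
    return false;
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException('FAILED: ' . $what);
    }
}

// Constructed exemption list and request paths (hypothetical, not from the page).
$exempt = ['api', 'paypal/ipn'];

$cases = [
    'api'              => true,
    'api/ipn'          => true,
    'paypal/ipn'       => true,
    'paypal/ipn/'      => true,
    'apikeys/rotate'   => false,   // a state-changing route that merely shares the prefix
    'paypal/ipnadmin'  => false,
    'account/transfer' => false,
    ''                 => false,
];

foreach ($cases as $uri => $expected) {
    expect(csrf_exempt($uri, $exempt) === $expected, "segment match for '$uri'");
}

// The naive prefix check exempts both look-alike routes, leaving them
// without CSRF protection; the segment-aware check keeps them protected.
expect(csrf_exempt_prefix('apikeys/rotate', $exempt) === true, 'naive check exempts apikeys/rotate');
expect(csrf_exempt_prefix('paypal/ipnadmin', $exempt) === true, 'naive check exempts paypal/ipnadmin');
expect(csrf_exempt('apikeys/rotate', $exempt) === false, 'segment check keeps apikeys/rotate protected');

echo "all checks passed\n";
```

To use it, replace the foreach loop in MY_Input::_sanitize_globals() with a single call such as `if (csrf_exempt($URI->uri_string(), $ignore_csrf)) { $this->_enable_csrf = FALSE; }`, and list the IPN route as a full segment path (e.g. 'paypal/ipn') rather than a bare word. Whatever matcher is used, the exempted IPN endpoint is now reachable by any unauthenticated POST, so it must authenticate each notification itself; for IPN that means posting the received message back to PayPal for validation and acting only on a VERIFIED response, which is the check the codeigniter-paypal-ipn library exists to perform.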


Alex the creator of codeigniter-paypal-ipn here. At the moment I'm not aware of a way to get the IPN post working with csrf_protection enabled. If you look at how another language/framework does it, e.g. django-paypal IPN - they add a CSRF exemption to the specific IPN controller.

As imm says, this type of fine-grained control won't be available in CodeIgniter till a version with this pull request is merged (if you can't wait, try caseyamcl's approach below as it doesn't involve hacking CI core...)

I've updated my project's README to make the CSRF situation clearer.

Alex Dean answered Oct 21 '22 09:10


Someone asked a similar question on http://ellislab.com/forums/viewthread/200625/. Disabling csrf for a single controller will be available in the next release.

imm answered Oct 21 '22 09:10