I am having a very weird CSRF protection problem in CodeIgniter. I have made sure that I use form_open to start my form, csrf_protection is set to true in the config file, and I have also made sure that the hidden csrf name and value fields match the csrf cookie as seen here: http://d.pr/3cfB.
What happens is that when I submit the form, I get "An Error Was Encountered. The action you have requested is not allowed." error and am not sure why. The form works fine when I turn the csrf_protection off.
What's even weirder is that I use tank_auth library for my authentication and it also uses form_open for the login form. I did check to make sure that there is a hidden csrf field in the login form when csrf_protection is on and I was able to submit the form and log in with no problem.
Thoughts on what I can do to debug this problem?
To begin with, the session class is expecting a token named 'csrf_token_name', not one named 'csrf_salemarked_token$...'.
This blog post covers AJAX with CSRF Protection in Codeigniter 2.0.
Tank_auth is getting the token from the hidden input form field, rather than the cookie. Your AJAX requests need to get the token from the hidden field if available, or the cookie if there is no form.
I found the problem. In one of my custom libraries I have parent::_sanitize_globals() which apparently was what's causing the error. I read somewhere that if I have xss filtering turned on, I don't need to do sanitize global.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With