I've been reading about the crsf protection in codeigniter, but I can't seem to find a decent tutorial on how to proceed after enabling csrf in the config file.
I have a form generated by a controller function users/create that submits to another function users/submit_new.
I used the form helper class so that the crsf field is automatically generated.
I have this validation function on the submit function:
if ($this->input->post(get_csrf_token_name()) == get_csrf_hash()) {
$this->users_model->create(); }
But all I get is action not allowed error.
What is the right way to validate csrf? Or am I doing something wrong?
If you're using CodeIgniter CSRF the way the user guide mentions, by setting:
$config['csrf_protection'] = TRUE; // this in application/config/config.php
And you are also using the form helper to generate your form open tag, then you do not need to check for the token and hash the way you are doing. CodeIgniter does this for you.
Read the docs: https://www.codeigniter.com/user_guide/libraries/security.html#cross-site-request-forgery-csrf
If you still have problems, then see related questions:
codeigniter CSRF error: "The action you have requested is not allowed."
Action you have requested is not allowed error
Related
I have this open source Symfony app and I need to disable CSRF checks either globally or at least for some <forms>. Besides 2 methods described below, I also tried removing various lines of code that mention CSRF, but nothing helped.
What I tried:
I tried to globally disable CSRF as described here How can I turn of CSRF protection globally on Symfony 3 with FOSUserBundle , but the problem is in my Symfony App there are no .yml files in root/config directory - it only contains: settings.php, default.settings.php, dev.php, prod.php, languages.php, but no .yml/.xml files
I tried to disable CSFR for a specific <form> as described here How to disable csrf in symfony? , but the prblem is my <form> is HTML-based, not PHP-based. My Symfony app doesn't create <form>s via PHP.
My Symfony App:
The app is open-source - repository here: https://github.com/agendav/agendav/tree/develop/web
In root/app/controllers.php I have this piece of code withCSRF protection ↓↓↓. I tried to remove it, but then form is not even rendered.
...
// Authentication
$app->get('/login', '\AgenDAV\Controller\Authentication::loginAction')->bind('login');
$app->post('/login', '\AgenDAV\Controller\Authentication::loginAction');
$app->get('/logout', '\AgenDAV\Controller\Authentication::logoutAction')->bind('logout');
// CSRF protection
$app->before(function(Request $request, Application $app) {
return \AgenDAV\Csrf::check($request, $app);
});
...
The login form template is in root/templates/login.html and it is called inside root/src/controller/Authentication.php:
...
return $app['twig']->render('login.html', $template_vars);
...
I'm creating an application using Vue.js and CakePHP 3.6.
When POST, security component throws a 400 error because the _Token fields are missing. I don't have problems with CSRF token, just form security validation.
I don't wanna disable the component in the whole application.
I found a non-solution: Expose _buildFieldToken from the Cake\View\Helper\SecureFieldTokenTrait but I think this will avoid the SecurityComponent purpose.
Any help are really welcome and appriciated.
The action in the controller (example: ajaxRequest) that you need access by fetch or axios, could be unlocked, in the controller:
if you have generated the form with the cake helpers, the _CSRFTOKEN is in the form label or hidden input (sorry inspect the Form element in the browser), when you have localized the token, add this in the data of .$post().
ajax request cakephp
public function beforeFilter(Event $event)
{
//this line is not necessary if you pass the _csrfToken
$this->getEventManager()->off($this->Csrf);
$this->Security->setConfig('unlockedActions', ['ajaxRequest']);
}
I'm trying to implement private channel authorization with Pusher and Laravel.
The forms require a CSRF input field (randomized input name and value). Normally I use twig to insert them into the forms I put on the page.
How can I insert the csrf fields into the form data that Pusher sends when it tries to connect to the auth endpoint? It isn't present in the form data (but is present in the request header), so it's getting rejected by the laravel CSRF middleware.
If you're using Laravel, this isn't necessary, you shouldn't implement your auth endpoint like this. Your auth endpoint should be defined inside channels.php in the routes folder. For example
// routes/channels.php
Broadcast::channel('chat', function ($user) {
return Auth::check();
});
CSRF not necessary.
I have two websites (both mine) and I am testing Guzzle.
I am trying to submit a search form. This search form has the standard Laravel CSRF token hidden field automatically generated "_token".
When submitting the field with goutte it gets an error. Checking my logs on the website I can see it is the Laravel "TokenMismatchException"
Do I need to do something special in goutte to make sure it is posting the auto generated "_token" hidden field?
As of Laravel 5.1, in app/Http/Middleware/VerifyCsrfToken.php you can disable CSRF protection by adding the concerned route to the $except array. Like so:
protected $except = [
'/api/v1/list', //This route won't have CSRF protection
];
You need to disable CSRF protection for that route.
In app/Http/Middleware/VerifyCsrfToken.php add this code to beginning of handle() method:
$openRoutes = ['free/route', 'free/too'];
foreach($openRoutes as $route) {
if ($request->is($route)) {
return $next($request);
}
}
I've been using CodeIgniter version 2.1.4 with Ion Auth for quite some time and everything was working great. Yesterday, I updated Ion Auth to the latest version and now I get a CSRF error whenever I try to "edit" any user profile.
"This form post did not pass our security checks."
I get this error after modifying the controllers/auth.php file so that the various Ion Auth views are loaded into my own template. After all, what good is this if I cannot integrate it into my site design. However, I also get this error in an older version of Safari even when the auth.php controller is not modified at all.
This is my simple modification to the auth.php controller file.
Replaced this line:
$view_html = $this->load->view($view, $this->viewdata, $render);
With this line:
$view_html = $this->template->load('default', $view, $this->viewdata, $render);
Yes, my load function (in the Template.php file located in /libraries/) has been working just fine since the beginning (many months ago). Even with the new version of Ion Auth, my template loading function is working... however, I just keep getting the security error as described above.
After doing some research, the cause of the error is Ion Auth's CSRF security routine. These two functions are called throughout the auth.php controller and display the error above whenever the _valid_csrf_nonce() function returns false.
function _get_csrf_nonce()
{
$this->load->helper('string');
$key = random_string('alnum', 8);
$value = random_string('alnum', 20);
$this->session->set_flashdata('csrfkey', $key);
$this->session->set_flashdata('csrfvalue', $value);
return array($key => $value);
}
function _valid_csrf_nonce()
{
if ($this->input->post($this->session->flashdata('csrfkey')) !== FALSE &&
$this->input->post($this->session->flashdata('csrfkey')) == $this->session->flashdata('csrfvalue'))
{
return TRUE; // <-- no error
}
else
{
return FALSE; // <-- error
}
}
As a temporary (or permanent?) workaround, I've enabled the "CSRF Protection" option on line 298 in the CodeIgniter config/config.php file.
$config['csrf_protection'] = TRUE; // enabled CSRF protection
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
Then I suppressed the CSRF protection in Ion Auth by always returning true from the function.
function _valid_csrf_nonce()
{
return TRUE;
}
However, I really want to understand the root cause here. Why am I getting all these CSRF errors simply by using older browsers or by trying to put the Ion Auth views within my own templates? Everything is on the same server using the same domain.
(edit: yes, the CI session library is being auto-loaded and apparently working fine. I can stay logged in, after all.)
I never did get to the root cause, however I have a theory that might explain some of this:
The Ion Auth CSRF Protection depends on flashdata, where flashdata only survives "the next" call to the server. My custom template loader might be calling the server twice since it first calls my loader function where the page is constructed, and then calls CodeIgniter's view function.
However, this theory does not really explain why an unmodified version of Ion Auth still fails in Safari. Feel free to post another answer if you can add anything substantial or conclusive to this.
As per a personal response from Ben Edmunds, the developer of Ion Auth...
"We added CSRF protection to the Ion Auth examples before CI built them into the framework so you might be best just removing them from the Ion Auth example controller and views if you’re using a newer version of CI with that built in."
Since I'm already using the latest version of CodeIgniter (2.1.4), I've decided to go this route.
The temporary workaround from my OP is now permanent:
I've enabled the "CSRF Protection" option on line 298 in the CodeIgniter config/config.php file.
$config['csrf_protection'] = TRUE; // enabled CSRF protection
Then I suppressed the CSRF protection in Ion Auth by always returning true from this function.
function _valid_csrf_nonce()
{
return TRUE; // effectively disables Ion Auth's CSRF protection
}
And finally, the developer commenting on using CodeIgniter's CSRF protection instead:
"Cool, that's really a better solution anyway since it's integrated throughout your application."