codeigniter 3.1.13 Not Declaring CSRF Cookies

Open khashabawy opened this issue 3 years ago • 2 comments

It is randomly working on some platforms and not working in others,

for me it is working in Windows but not in macOS.

Only the main cookies are declared, but the CSRF cookies are not declared.

[Screenshot: WhatsApp Image 2022-05-26 at 5 37 09 PM]

khashabawy, May 26 '22 15:05

Well, it's kinda impossible to deal with frontend-related bugs just by having a brief description of the problem and some screenshots of the browser's console.

To be clear: I'm not saying that it's not a bug out there. But you will have to debug it for yourself and see what's missing from the HTTP request when setting the cookie, if the problem is related only to one browser, and so on. For those cases, very concrete technical details are needed.

gxgpet, Jun 18 '22 23:06

I have the same issue. It looks like the issue is introduced with this commit: https://github.com/bcit-ci/CodeIgniter/commit/0286ab3513ade8681a7172c78440a81059435e22

When doing a POST request with JavaScript and adding the csrf field to the form data I get a 403 (The action you have requested is not allowed.).

This problem only happens when using a PHP version lower than 7.3. If I use PHP 7.3 or higher it works fine. If I do not use $config['csrf_regenerate'] = true; I get only a 403 in Safari (macOS Monterey). If I set csrf_regenerate to true I get the error also in Firefox (macOS Monterey).

How to reproduce?

Create an environment with PHP 7.2, and Firefox or Safari on macOS Monterey. Create a new CodeIgniter project with the following:

application/config/config.php

$config['cookie_prefix']	= '';
$config['cookie_domain']	= '';
$config['cookie_path']		= '/';
$config['cookie_secure']	= false;
$config['cookie_httponly'] 	= true;
$config['cookie_samesite'] 	= 'Lax';

$config['csrf_protection'] = true;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = true;
$config['csrf_exclude_uris'] = array();

application/controllers/Welcome.php

<?php
defined('BASEPATH') OR exit('No direct script access allowed');

class Welcome extends CI_Controller {

	public function index()
	{
		$this->load->helper('form');
		// Hand the CSRF field name and the current hash to the view.
		$csrf = array(
			'name' => $this->security->get_csrf_token_name(),
			'hash' => $this->security->get_csrf_hash()
		);
		$this->load->view('welcome_message', [
			'csrf' => $csrf
		]);
	}

	// Target of the JavaScript POST below; with csrf_protection enabled, a
	// request whose CSRF field does not match the CSRF cookie gets the 403.
	public function submit()
	{
	}
}

application/views/welcome_message.php

<script>
	const formData = new FormData();
	formData.append("<?=$csrf['name'];?>", "<?=$csrf['hash'];?>");

	fetch('welcome/submit', {
		method: "POST",
		body: formData
	});
</script>

BitmanNL, Jun 21 '22 10:06

@gxgpet's commit works for me. Because, in Safari, the cookie path is %2F, and it leads to failed CSRF verification. Could CodeIgniter have a new release?

ymhuang0808, Feb 07 '24 04:02
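A small diagnostic that shows why the percent-encoded path reported above breaks the reproduction from BitmanNL's comment: it parses a Set-Cookie header and applies the RFC 6265 path-match a browser uses, so a cookie with Path=%2F is never sent back for /welcome/submit and the server has no cookie to compare the form field against. This is an added illustration, not CodeIgniter's code; the sample headers and the hand-built header helper are constructed for the example.

```python
"""Evaluate a Set-Cookie header the way a browser does (RFC 6265 path-match).

Added illustration for the CodeIgniter 3.1.13 CSRF-cookie report; not
CodeIgniter's own code. Sample headers below are constructed.
"""
from urllib.parse import quote


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name/value plus lowercased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4: the cookie path is compared byte-for-byte,
    so a percent-encoded '%2F' never matches a request under '/'."""
    if cookie_path == request_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def cookie_sent_for(header: str, request_path: str) -> bool:
    """Would a browser attach the cookie set by this header to request_path?
    (Simplification: a missing Path attribute is treated as '/'.)"""
    cookie = parse_set_cookie(header)
    return path_matches(cookie["attrs"].get("path") or "/", request_path)


def build_set_cookie(name: str, value: str, path: str = "/",
                     samesite: str = "Lax", httponly: bool = True) -> str:
    """Hypothetical hand-built header for runtimes whose setcookie() has no
    samesite option (PHP < 7.3 in this thread): encode only the value,
    never the Path attribute."""
    parts = [f"{name}={quote(value, safe='')}", f"Path={path}", f"SameSite={samesite}"]
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


# Constructed: a correct header, and the shape reported in this thread.
GOOD = "csrf_cookie_name=abc123; Path=/; HttpOnly; SameSite=Lax"
BAD = "csrf_cookie_name=abc123; Path=%2F; HttpOnly; SameSite=Lax"
```

Run `cookie_sent_for(GOOD, "/welcome/submit")` and the same call with `BAD` to see the first return True and the second False.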