Codeigniter CSRF 令牌问题

2022-01-16 00:00:00 token frameworks php codeigniter

我创建了一个简单的注册/新闻通讯网站,但我遇到了一个奇怪的问题.有些人收到一个错误提示

I've made a simple signup/newsletter site, but I've got a weird problem. Some people get a error that says

遇到错误 操作您的请求不被允许.

An Error Was Encountered The action you have requested is not allowed.

我已经尝试过 google,发现当 CSRF 设置为 true 时人们也遇到了同样的问题.然而,我不会发生在每个人身上,只是一小部分人.我正在使用 form_open 和 form_close,我可以看到隐藏字段(令牌).

I've already tried google and found that people had the same problem when CSRF was set to true. However, i doesn't happens to everyone, just a small group of people. I'm using form_open and form_close and i can see the hidden field (token).

我正在使用最新版本的 Codeigniter 2.0.2

I'm using the latest version of Codeigniter 2.0.2

这是我的控制器

    function __construct() {
    parent::__construct();
    session_start();
}

function index() {

    $this->load->model('beta_signup_model');

    $this->form_validation->set_rules('mail','e-mail','required|valid_email|xss_clean|callback__mail_check');

    // Check for errors
    if($this->form_validation->run() == FALSE) {

        // The system found a form validation error


    } else {

        // No errors found
        $_SESSION['mail_success'] = 1;
        $_SESSION['mail'] = $this->input->post('mail');

        redirect(base_url() . 'confirm');

    }

    ///// FILLS OUT INPUT FIELDS /////

    // Loads field_populator_helper
    $this->load->helper('field_populator_helper');

    // Defines input field names
    $input_names = array(
                    'mail',
    );

    // Defines default values   
    $default_values = array(
                    'Skriv inn e-posten din..',
    );

    // Auto-populates fields with blur and focus
    $data['field_populator'] = populateFields($input_names, $default_values);

    $this->load->view('frontpage_view', $data);

}

推荐答案

我遇到了同样的问题:在 MAMP 上完全干净地安装 CI 2.1.0,并按照用户指南中的教程进行操作.

I had the same problem: totally clean instal of CI 2.1.0, on MAMP, and just following along the tutorial in the User Guide.

经过大量搜索和谷歌搜索,我发现在'application/config.php'中,变量$config['cookie_prefix']必须始终设置为空,否则如果打开CSRF保护,则会出现此错误发生.

After a lot of searching and googling, I found that in 'application/config.php', the variable $config['cookie_prefix'] must always be set to empty, otherwise if CSRF protection is turned on, this error will occur.

可能还涉及其他问题 - 即会话库、加密或 XSS 保护等 - 但只是将cookie_prefix"留空似乎已经为我排序了.

It could be that there are other issues involved - ie., session library, encryption or XSS protection, etc. - but just leaving the 'cookie_prefix' empty seems to have sorted it for me.

我希望这对其他人有所帮助.

I hope this helps others.

相关文章