php - Set config item (csrf) doesnt work in Codeigniter -


i want turn on csrf protection in few of controllers, have 

function __construct() {      parent::__construct();     $this->load->library('form_validation');             $this->load->library('tank_auth');     $this->load->helper(array('form', 'url'));     $this->load->model('user_model', '', true);      $this->config->set_item('csrf_protection', true);  }

but doesn't seem work, although when var_dump($this->config) on page shows csrf_protection true, cookies not set , form has hidden field without value

<input type="hidden" name="ci_csrf_token" value="" />

csrf token name , cookie name set, forms called form_open().

any appreciated.

update: not possible version 2.1.1 because of line in security class construct if (config_item('csrf_protection') === true) {

security class initialized before controller, natural config item change in controller not affect it.

i have solution you. create custom application/core/my_security.php , put in it:

<?php if ( !defined( 'basepath' ) ) exit( 'no direct script access allowed' );  class my_security extends ci_security {     public function csrf_verify( )     {         foreach ( config_item('csrf_excludes') $exclude )         {             $uri = load_class('uri', 'core');             if ( preg_match( $exclude, $uri->uri_string() ) > 0 )             {                 // still input filtering prevent parameter piggybacking in form                 if (isset($_cookie[$this->_csrf_cookie_name]) && preg_match( '#^[0-9a-f]{32}$#is', $_cookie[$this->_csrf_cookie_name] ) == 0)                 {                     unset( $_cookie[$this->_csrf_cookie_name] );                 }                 return;             }         }         parent::csrf_verify( );     } }

this check following excludes need put in application/config.php in csrf section:

$config['csrf_excludes'] = array     ( '@^/?excluded_url_1/?@i'     , '@^/?excluded_url_2/?@i' );

every matching url pattern excluded csrf checks. can build regex here @ http://rubular.com

cheers


Comments

Post a Comment

Popular posts from this blog

monitor web browser programmatically in Android? -

i've got tricky question here. need users make payment bank (namely barclaycard) in uk. so, have https url , add parameters (such amount pay, order reference, etc) url, start http connection intent.actionview, redirect user browser can enter credit card details on bank's webpage , make payment our account successfully. far ? the code use below (i changed values privacy reasons) problem is, need app when user has completed/failed/cancelled payment. barclaycardautomatically redirects particular url when payment has succeeded, 1 if failed. there no way of knowing when barclaycard payment has succeeded go android app somehow ? button cardbutton = (button) findviewbyid(r.id.card_button); cardbutton.setonclicklistener(new view.onclicklistener() { @override public void onclick(view arg0) { string prehashstring = new string(); string prohashstring = new string(); string shapassphrase = new string(); shapassphrase = "gsvth£h70zkh...
Read more

Shrink a YouTube video to responsive width -

i have youtube video embedded on our website , when shrink screen tablet or phone sizes stops shrinking @ around 560px in width. standard youtube videos or there can add code make go smaller? you can make youtube videos responsive css. wrap iframe in div class of "videowrapper" , apply following styles: .videowrapper { float: none; clear: both; width: 100%; position: relative; padding-bottom: 56.25%; padding-top: 25px; height: 0; } .videowrapper iframe { position: absolute; top: 0; left: 0; width: 100%; height: 100%; } the .videowrapper div should inside responsive element. padding on .videowrapper necessary keep video collapsing. may have tweak numbers depending upon layout.
Read more

wpf - PdfWriter.GetInstance throws System.NullReferenceException -

i'm trying create pdf document using itextsharp 5.3.4 using following document document = new document(); filestream stm = new filestream(filename, filemode.create); pdfwriter writer = pdfwriter.getinstance(document, stm); i'm getting system.nullreferenceexception following stack trace: system.nullreferenceexception occurred hresult=-2147467261 message=la référence d'objet n'est pas définie à une instance d'un objet. source=itextsharp stacktrace: à itextsharp.text.version.getinstance() innerexception: i've verified neither document nor stm null, , if select "continue" in vs12 document created - exception thrown. updated itextsharp 5.4.0 , it's still occurring. can't find information on anywhere - got ideas? make sure not catching exceptions. nullreferenceexception can 1 caught , handled inside itextsharp, don't care it. fact can continue supports theory. change following setting verify: debug -> exceptions ...
Read more