bcit-ci / CodeIgniter

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

codeigniter 3.1.13 Not Declaring CSRF Cookies #6134

Closed khashabawy closed 1 year ago

khashabawy commented 2 years ago

codeigniter 3.1.13 Not Declaring CSRF Cookies

It is randomly working on some platforms and not working in others;

for me it is working on Windows but not on macOS.

Only the main cookies are declared; the CSRF cookies are not declared.

(attached screenshot: WhatsApp Image 2022-05-26 at 5 37 09 PM)

gxgpet commented 2 years ago

Well, it's kinda impossible to deal with frontend-related bugs just by having a brief description of the problem and some screenshots of the browser's console.

To be clear: I'm not saying that it's not a bug out there. But you will have to debug it for yourself and see what's missing from the HTTP request when setting the cookie, if the problem is related only to one browser, and so on. For those cases, very concrete technical details are needed.

BitmanNL commented 2 years ago

I have the same issue. It looks like the issue is introduced with this commit: https://github.com/bcit-ci/CodeIgniter/commit/0286ab3513ade8681a7172c78440a81059435e22. When doing a POST request with JavaScript and adding the CSRF field to the form data, I get a 403 ("The action you have requested is not allowed.").

This problem only happens when using a PHP version lower than 7.3. If I use PHP 7.3 or higher it works fine. If I do not use $config['csrf_regenerate'] = true; I only get a 403 in Safari (macOS Monterey). If I set csrf_regenerate to true I get the error in Firefox (macOS Monterey) as well.

How to reproduce?

Create an environment with PHP 7.2, and Firefox or Safari on macOS Monterey. Create a new CodeIgniter project with the following:

application/config/config.php

$config['cookie_prefix']    = '';
$config['cookie_domain']    = '';
$config['cookie_path']      = '/';
$config['cookie_secure']    = false;
$config['cookie_httponly']  = true;
$config['cookie_samesite']  = 'Lax';

$config['csrf_protection'] = true;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = true;
$config['csrf_exclude_uris'] = array();

application/controllers/Welcome.php

class Welcome extends CI_Controller {

    public function index()
    {
        $this->load->helper('form');
        // Pass the current CSRF token name and hash to the view so the
        // JavaScript can add them to the POST body.
        $csrf = array(
            'name' => $this->security->get_csrf_token_name(),
            'hash' => $this->security->get_csrf_hash()
        );
        $this->load->view('welcome_message', [
            'csrf' => $csrf
        ]);
    }

    // Intentionally empty: the 403 is raised by the CSRF filter
    // before this method is reached.
    public function submit()
    {
    }
}

application/views/welcome_message.php

<script>
    const formData = new FormData();
    formData.append("<?=$csrf['name'];?>", "<?=$csrf['hash'];?>");

    fetch('welcome/submit', {
        method: "POST",
        body: formData
    });
</script>

ymhuang0808 commented 9 months ago

@gxgpet's commit works for me. In Safari the cookie path is %2F, which leads to failed CSRF verification. Could CodeIgniter have a new release?
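To make the failure mode discussed in this thread concrete, here is an added illustration (not CodeIgniter's code, and not taken from the commit above) of the two halves of a double-submit CSRF check: a hand-built Set-Cookie header, as needed on PHP < 7.3 where setcookie() has no samesite option, and the verification that compares the POSTed token against the cookie. The function names and the constructed request arrays are assumptions for the example.

```php
<?php
// Added example, not CodeIgniter's implementation. Shows why the cookie
// Path attribute must be emitted verbatim: only the name and value are
// URL-encoded. Running the path through urlencode() turns "/" into "%2F",
// the symptom reported above, and the browser then does not present the
// cookie to the CSRF check on the POST.

function build_csrf_cookie_header(string $name, string $hash, string $path,
                                  int $expire, bool $secure, bool $httponly,
                                  string $samesite): string
{
    $header  = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($hash);
    $header .= '; Expires=' . gmdate('D, d-M-Y H:i:s T', $expire);
    $header .= '; Path=' . $path;          // verbatim: "/" and never "%2F"
    if ($secure)   { $header .= '; Secure'; }
    if ($httponly) { $header .= '; HttpOnly'; }
    $header .= '; SameSite=' . $samesite;
    return $header;
}

// Double-submit check: the token in the POST body must equal the cookie.
// hash_equals() keeps the comparison constant-time.
function csrf_verify(array $post, array $cookie, string $token_name,
                     string $cookie_name): bool
{
    if (!isset($post[$token_name], $cookie[$cookie_name])) {
        return false;  // cookie never arrived (e.g. bad Path) or no token
    }
    return hash_equals($cookie[$cookie_name], $post[$token_name]);
}

// Constructed demo values mirroring the config in this thread.
$hash = bin2hex(random_bytes(16));
echo build_csrf_cookie_header('csrf_cookie_name', $hash, '/',
                              time() + 7200, false, true, 'Lax'), PHP_EOL;

// Request as the browser sends it when the cookie was set correctly.
$ok_request = ['csrf_test_name' => $hash];
$ok_cookies = ['csrf_cookie_name' => $hash];
var_dump(csrf_verify($ok_request, $ok_cookies, 'csrf_test_name', 'csrf_cookie_name')); // true

// Same POST, but the cookie was not sent back: verification fails with 403.
var_dump(csrf_verify($ok_request, [], 'csrf_test_name', 'csrf_cookie_name'));          // false
```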