CSRF token problem with CodeIgniter

Problem description

I am having a very weird CSRF protection problem in CodeIgniter. I have made sure that I use form_open to start my form, csrf_protection is set to true in the config file, and I have also made sure that the hidden csrf name and value fields match the csrf cookie as seen here: http://d.pr/3cfB.

What happens is that when I submit the form, I get an "An Error Was Encountered. The action you have requested is not allowed." error and am not sure why. The form works fine when I turn the csrf_protection off.

What's even weirder is that I use tank_auth library for my authentication and it also uses form_open for the login form. I did check to make sure that there is a hidden csrf field in the login form when csrf_protection is on and I was able to submit the form and log in with no problem.

Recommended answer

I found the problem. In one of my custom libraries I have parent::_sanitize_globals() which apparently was what was causing the error. I read somewhere that if I have xss filtering turned on, I don't need to do sanitize global.
