Codeigniter Ошибка CSRF: "Запрошенное действие не разрешено".

i включил опцию csrf_protection в файле конфигурации codeigniter и использовал функцию form_open() для создания моих форм. но когда я отправляю форму, эта ошибка возникает:

The action you have requested is not allowed.

Я сделал ответы, подобные этой теме (taht больше всего связан с моим вопросом): question

но они не работали, и проблема все еще остается. config.php

<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/*
|--------------------------------------------------------------------------
| Base Site URL
|--------------------------------------------------------------------------
|
| URL to your CodeIgniter root. Typically this will be your base URL,
| WITH a trailing slash:
|
|   http://example.com/
|
| If this is not set then CodeIgniter will guess the protocol, domain and
| path to your installation.
|
*/
$config['base_url'] = '';

/*
|--------------------------------------------------------------------------
| Index File
|--------------------------------------------------------------------------
|
| Typically this will be your index.php file, unless you've renamed it to
| something else. If you are using mod_rewrite to remove the page set this
| variable so that it is blank.
|
*/
$config['index_page'] = 'index.php';

/*
|--------------------------------------------------------------------------
| URI PROTOCOL
|--------------------------------------------------------------------------
|
| This item determines which server global should be used to retrieve the
| URI string.  The default setting of 'AUTO' works for most servers.
| If your links do not seem to work, try one of the other delicious flavors:
|
| 'AUTO'            Default - auto detects
| 'PATH_INFO'       Uses the PATH_INFO
| 'QUERY_STRING'    Uses the QUERY_STRING
| 'REQUEST_URI'     Uses the REQUEST_URI
| 'ORIG_PATH_INFO'  Uses the ORIG_PATH_INFO
|
*/
$config['uri_protocol'] = 'AUTO';

/*
|--------------------------------------------------------------------------
| URL suffix
|--------------------------------------------------------------------------
|
| This option allows you to add a suffix to all URLs generated by CodeIgniter.
| For more information please see the user guide:
|
| http://codeigniter.com/user_guide/general/urls.html
*/

$config['url_suffix'] = '';

/*
|--------------------------------------------------------------------------
| Default Language
|

--------------------------------------------------------------------------
|
| This determines which set of language files should be used. Make sure
| there is an available translation if you intend to use something other
| than english.
|
*/
$config['language'] = 'persian';

/*
|--------------------------------------------------------------------------
| Default Character Set
|--------------------------------------------------------------------------
|
| This determines which character set is used by default in various methods
| that require a character set to be provided.
|
*/
$config['charset'] = 'UTF-8';

/*
|--------------------------------------------------------------------------
| Enable/Disable System Hooks
|--------------------------------------------------------------------------
|
| If you would like to use the 'hooks' feature you must enable it by
| setting this variable to TRUE (boolean).  See the user guide for details.
|
*/
$config['enable_hooks'] = FALSE;


/*
|--------------------------------------------------------------------------
| Class Extension Prefix
|--------------------------------------------------------------------------
|
| This item allows you to set the filename/classname prefix when extending
| native libraries.  For more information please see the user guide:
|
| http://codeigniter.com/user_guide/general/core_classes.html
| http://codeigniter.com/user_guide/general/creating_libraries.html
|
*/
$config['subclass_prefix'] = 'MY_';


/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify with a regular expression which characters are permitted
| within your URLs.  When someone tries to submit a URL with disallowed
| characters they will get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible.  By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';


/*
|--------------------------------------------------------------------------
| Enable Query Strings
|--------------------------------------------------------------------------
|
| By default CodeIgniter uses search-engine friendly segment based URLs:
| example.com/who/what/where/
|
| By default CodeIgniter enables access to the $_GET array.  If for some
| reason you would like to disable it, set 'allow_get_array' to FALSE.
|
| You can optionally enable standard query string based URLs:
| example.com?who=me&what=something&where=here
|
| Options are: TRUE or FALSE (boolean)
|
| The other items let you set the query string 'words' that will
| invoke your controllers and its functions:
| example.com/index.php?c=controller&m=function
|
| Please note that some of the helpers won't work as expected when
| this feature is enabled, since CodeIgniter is designed primarily to
| use segment based URLs.
|
*/
$config['allow_get_array']      = TRUE;
$config['enable_query_strings'] = FALSE;
$config['controller_trigger']   = 'c';
$config['function_trigger']     = 'm';
$config['directory_trigger']    = 'd'; // experimental not currently in use

/*
|--------------------------------------------------------------------------
| Error Logging Threshold
|--------------------------------------------------------------------------
|
| If you have enabled error logging, you can set an error threshold to
| determine what gets logged. Threshold options are:
| You can enable error logging by setting a threshold over zero. The
| threshold determines what gets logged. Threshold options are:
|
|   0 = Disables logging, Error logging TURNED OFF
|   1 = Error Messages (including PHP errors)
|   2 = Debug Messages
|   3 = Informational Messages
|   4 = All Messages
|
| For a live site you'll usually only enable Errors (1) to be logged otherwise
| your log files will fill up very fast.
|
*/
$config['log_threshold'] = 0;

/*
|--------------------------------------------------------------------------
| Error Logging Directory Path
|--------------------------------------------------------------------------
|
| Leave this BLANK unless you would like to set something other than the default
| application/logs/ folder. Use a full server path with trailing slash.
|
*/
$config['log_path'] = '';

/*
|--------------------------------------------------------------------------
| Date Format for Logs
|--------------------------------------------------------------------------
|
| Each item that is logged has an associated date. You can use PHP date
| codes to set your own date formatting
|
*/
$config['log_date_format'] = 'Y-m-d H:i:s';

/*
|--------------------------------------------------------------------------
| Cache Directory Path
|--------------------------------------------------------------------------
|
| Leave this BLANK unless you would like to set something other than the default
| system/cache/ folder.  Use a full server path with trailing slash.
|
*/
$config['cache_path'] = '';

/*
|--------------------------------------------------------------------------
| Encryption Key
|--------------------------------------------------------------------------
|
| If you use the Encryption class or the Session class you
| MUST set an encryption key.  See the user guide for info.
|
*/
$config['encryption_key'] = 'b{{h#/Ib;pd<%+H0?ujvv9KLRc0LR-o8ot"K*so.J&}4\qCQ+Ij81ih\d48fx5_';

/*
|--------------------------------------------------------------------------
| Session Variables
|--------------------------------------------------------------------------
|
| 'sess_cookie_name'        = the name you want for the cookie
| 'sess_expiration'         = the number of SECONDS you want the session to last.
|   by default sessions last 7200 seconds (two hours).  Set to zero for no expiration.
| 'sess_expire_on_close'    = Whether to cause the session to expire automatically
|   when the browser window is closed
| 'sess_encrypt_cookie'     = Whether to encrypt the cookie
| 'sess_use_database'       = Whether to save the session data to a database
| 'sess_table_name'         = The name of the session database table
| 'sess_match_ip'           = Whether to match the user IP address when reading the session data
| 'sess_match_useragent'    = Whether to match the User Agent when reading the session data
| 'sess_time_to_update'     = how many seconds between CI refreshing Session Information
|
*/
$config['sess_cookie_name']     = 'ins_mngm_system';
$config['sess_expiration']      = 7200;
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie']  = TRUE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'user_sessions';
$config['sess_match_ip']        = TRUE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;

/*
|--------------------------------------------------------------------------
| Cookie Related Variables
|--------------------------------------------------------------------------
|
| 'cookie_prefix' = Set a prefix if you need to avoid collisions
| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
| 'cookie_path'   =  Typically will be a forward slash
| 'cookie_secure' =  Cookies will only be set if a secure HTTPS connection exists.
|
*/
$config['cookie_prefix']    = "";
$config['cookie_domain']    = "";
$config['cookie_path']      = "/";
$config['cookie_secure']    = TRUE;

/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = TRUE;

/*
|--------------------------------------------------------------------------
| Cross Site Request Forgery
|--------------------------------------------------------------------------
| Enables a CSRF cookie token to be set. When set to TRUE, token will be
| checked on a submitted form. If you are accepting user data, it is strongly
| recommended CSRF protection be enabled.
|
| 'csrf_token_name' = The token name
| 'csrf_cookie_name' = The cookie name
| 'csrf_expire' = The number in seconds the token should expire.
*/
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'relt';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;

/*
|--------------------------------------------------------------------------
| Output Compression
|--------------------------------------------------------------------------
|
| Enables Gzip output compression for faster page loads.  When enabled,
| the output class will test whether your server supports Gzip.
| Even if it does, however, not all browsers support compression
| so enable only if you are reasonably sure your visitors can handle it.
|
| VERY IMPORTANT:  If you are getting a blank page when compression is enabled it
| means you are prematurely outputting something to your browser. It could
| even be a line of whitespace at the end of one of your scripts.  For
| compression to work, nothing can be sent before the output buffer is called
| by the output class.  Do not 'echo' any values with compression enabled.
|
*/
$config['compress_output'] = FALSE;

/*
|--------------------------------------------------------------------------
| Master Time Reference
|--------------------------------------------------------------------------
|
| Options are 'local' or 'gmt'.  This pref tells the system whether to use
| your server local time as the master 'now' reference, or convert it to
| GMT.  See the 'date helper' page of the user guide for information
| regarding date handling.
|
*/
$config['time_reference'] = 'local';


/*
|--------------------------------------------------------------------------
| Rewrite PHP Short Tags
|--------------------------------------------------------------------------
|
| If your PHP installation does not have short tag support enabled CI
| can rewrite the tags on-the-fly, enabling you to utilize that syntax
| in your view files.  Options are TRUE or FALSE (boolean)
|
*/
$config['rewrite_short_tags'] = FALSE;


/*
|--------------------------------------------------------------------------
| Reverse Proxy IPs
|--------------------------------------------------------------------------
|
| If your server is behind a reverse proxy, you must whitelist the proxy IP
| addresses from which CodeIgniter should trust the HTTP_X_FORWARDED_FOR
| header in order to properly identify the visitor IP address.
| Comma-delimited, e.g. '10.0.1.200,10.0.1.201'
|
*/
$config['proxy_ips'] = '';


/* End of file config.php */
/* Location: ./application/config/config.php */

controller (main.php):

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class Main extends CI_Controller {
    //public function __construct()
    //{
    //  $this->load->controller('access_controll');
    //}
    public function index()
    {
            redirect('auth/login');
    }
    public function login()
    {

    }
    public function registration()
    {
        $this->load->view('register');
    }
    public function forgot()
    {

    }
}

/* End of file main.php */
/* Location: ./application/controllers/main.php */

view (login.php):

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="<?php echo base_url();?>template/img/favicon.png">
<title>ورود به حساب کاربری</title>

<!-- Bootstrap core CSS -->
<link href="<?php echo base_url();?>template/css/bootstrap.rtl.css" rel="stylesheet">

<!-- Custom styles for this template -->
<link href="<?php echo base_url();?>template/style.css" rel="stylesheet">

<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
      <script src="js/html5shiv.js"></script>
      <script src="js/respond.min.js"></script>
    <![endif]-->
</head>

<body id="login">
<div class="login-content">
  <div class="widget-content">
    <h1>سامانه مدیریت مشتریان</h1>
    <div class="alert alert-danger"><?php echo $message;?></div>
    <?php  echo form_open('auth/login', array('role'=>'form')); ?>
      <div class="form-group">
        <label for="identity">شناسه کاربری:</label>
        <div class="input-group"> <span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span>
          <?php  echo form_input(array('name'=>'identity', 'type'=>'text', 'placeholder'=>'نام کاربری یا ایمیل', 'class'=>'form-control', 'id'=>'identity')); ?>
        </div>
      </div>
      <div class="form-group">
        <label for="pass">گذرواژه:</label>
        <div class="input-group"> <span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
          <?php  echo form_input(array('name'=>'pass', 'type'=>'password', 'placeholder'=>'گذرواژه', 'class'=>'form-control')); ?>
        </div>
      </div>
      <div class="checkbox">
      <div class="col-sm-offset-1 col-sm-12">
        <label>
          <?php echo form_checkbox(array('name'=>'remember', 'value'=>1, 'type'=>'checkbox')); ?>
          مرا به خاطر بسپار </label>
      </div>
      </div>
      <div class="form-group">
      <div class="col-sm-offset-1 col-sm-12">
      <input type="submit" class="btn btn-default" value="ورود" />
      </div>
      </div>
    <?php echo form_close(); ?>
    <div class="forgot">
      <ul class="list-unstyled">
        <li> <i class="glyphicon glyphicon-chevron-left"></i> <a href="<?php echo site_url("main/registration");?>">ایجاد حساب کاربری جدید</a> </li>
        <li> <i class="glyphicon glyphicon-chevron-left"></i> <a href="<?php echo site_url("main/forgot");?>">رمز عبور خود را فراموش کرده اید؟</a> </li>
      </ul>
    </div>
  </div>
</div>
<!-- /.container --> 

<!-- Bootstrap core JavaScript
    ================================================== --> 
<!-- Placed at the end of the document so the pages load faster --> 
<script src="js/jquery.js"></script> 
<script src="js/bootstrap.rtl.min.js"></script>
</body>
</html>

Ответ 1

Проблема, решаемая этим решением:

установите $config['cookie_secure'] в файле конфигурации в FALSE, если вы используете HTTP.

Ответ 2

Самый простой для меня был белый список URI, как описано в Руководстве пользователя CodeIgniter (здесь)

Выбрать URI можно с помощью защиты csrf (например, конечные точки API, ожидающие внешнего содержимого POSTed). Вы можете добавить эти URI, отредактировав параметр конфигурации csrf_exclude_uris:

$config['csrf_exclude_uris'] = array('api/person/add');

Ответ 3

Просто включите это в свою форму, и тогда все будет хорошо.

<input type="hidden" name="<?php echo $this->security->get_csrf_token_name();?>" value="<?php echo $this->security->get_csrf_hash();?>">

Ответ 4

если вы разрешите true в $config['csrf_protection'] = true; в файле конфигурации, и вы также добавите форму autoload, чем мы можем использовать.

Шаг 1. в папке конфигурации автозагрузка помощника по загрузке файлов

$autoload['helper'] = array('url', 'file','form');

Шаг 2.

$config['csrf_protection'] = true; 

Шаг 3. при загрузке в папку просмотра

<?php echo form_open_multipart('admin/file_upload'); ?>

В противном случае вы можете использовать только

$config['csrf_protection'] = false;

Ответ 5

В config/config.php у меня есть

$config['csrf_token_name'] = 'my.token.name';

Но когда я использую var_dump для $_POST, я вижу:

 ["my_token_name"]=> string(32) "f5d78f8c8bb1800d10af59df8c302515"

CI измените мое имя csrf_token_name (sic!)

Решение: Я изменил

$config['csrf_token_name'] = 'my.token.name';

к

$config['csrf_token_name'] = 'my_token_name';

Теперь он работает.

Ответ 6

Когда все остальное не удалось, я заметил, что у меня установлены переменные cookie, удаление имени cookie и т.д., разрешило мою проблему.

Ответ 7

Для всех, кто попробовал все, что было предложено здесь, и все еще имеет эту проблему.

Моей проблемой было время истечения срока действия файла cookie.

$config['csrf_expire'] = 7200;

Допустим, что cookie истекает, и пользователь пытается отправить форму, они получат сообщение об ошибке

The action you have requested is not allowed.

Я добавил простой javascript на каждую страницу, что устраняет проблему для 99% ваших пользователей. (1% - пользователи, у которых JS отключен в своем браузере)

setInterval(function () {
  if(alert('Your session has expired!')){}
  else    window.location.reload(); 
}, 7200000);

Ответ 8

В конфигурации, если вы установили доменное имя файла cookie

$config['cookie_domain']    = 'xyz.com';

и вы просматриваете с помощью localhost. вы получите сообщение об ошибке

Запрошенное действие не разрешено

проверьте, помогает ли

Ответ 9

Убедитесь, что ваш BASE_URL соответствует URL, который вы просматриваете. У меня есть две псевдонимы (одна была создана для oauth), и проект работает над обоими псевдонимами, но CSRF потерпит неудачу, если BASE_URL не соответствует URL-адресу в браузере.

Ответ 10

Для тех, у кого все еще могут быть проблемы с этим и для полноты, я хотел бы добавить еще немного информации.

Я столкнулся с этой проблемой, хотя некоторые из приведенных выше ответов были полезны, есть несколько других моментов, которые следует учитывать при работе с csrf.

Начиная сверху, и сделать это как можно проще.

Если вы используете autoload.php, я обычно загружаю их. Не все нужны для исправления проблемы.

autoload.php

$autoload['libraries'] = array('session','database','form_validation','user_agent', 'encryption');
$autoload['helper'] = array('url', 'file', 'form');

Config.php

$config['base_url'] = 'http://somesite.org:4848/'; // Port if ur running multiple servers same machine
$config['encryption_key'] = 'kidh743ty9fhw9afh4739hq978h'; //Get an encrypt key, make sure its set

//Sessions
$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = '_ss_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = 'Sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

// Cookies
$config['cookie_prefix']    = '_ss_cookie';
$config['cookie_domain']    = '.somesite.org'; // No leading slash here, cookie will not set
$config['cookie_path']      = '/';
$config['cookie_secure']    = FALSE;
$config['cookie_httponly']  = FALSE;

// Global XSS - This is deprecated in version 3 
$config['global_xss_filtering'] = FALSE;

// CSRF
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = '_ss_csrf_token';
$config['csrf_cookie_name'] = '_ss_csrf_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();

Контроллер. Лучший способ обработки csrf - использовать перенаправление и задавать флэш-данные.

register.php

<?php defined('BASEPATH') OR exit('No direct script access allowed');

    class Register extends CI_Controller
    {

      function __construct(){
        parent::__construct();

      }

      public function index(){
          $this->load->view('auth/register');
      }

      public function validate(){

        $full_name = $this->input->post('full_name');
        $email = $this->input->post('email');
        $password = $this->input->post('password');
        $password_again = $this->input->post('password_again');
        $agree = $this->input->post('agree');

        // do something here, then base your redirect on the response

        $some_model_data = $this->register_model->validate($data);              

        if($this->input->is_ajax_request()){

          // echo a json response with the token

          // Response array 
          // use javascript to add the new token to the form
          $response = array(
               'data' => $some_model_data, 
               'token'=> $this->security->get_csrf_hash();
                      );

          // json response 
          echo json_encode($response);  

        }else{
          // redirect to the page 
          $this->__validate_redirect($some_model_data);
        } 
      }

      private function __validate_redirect($where_to){
        switch ($where_to->redirect) {
          case 'register_page':
            redirect(base_url().'register/');
            break;
          case 'success':
            redirect(base_url().'register/success');
            break;
          default:
            redirect(base_url().'register/');
            break;
        }

      }

    }
?>

В представлении просто убедитесь, что вы используете:

  <?php echo form_open(); ?>

Это установит токен csrf или будет использовать следующее в вашей форме в качестве скрытого ввода:

  <?php echo $this->security->get_csrf_token_name(); ?>

Это должно быть все, что нужно для предотвращения ошибки csrf по большей части.

Ответ 11

изменить строку № 451

$config['csrf_protection'] = true;
от

до

$config['csrf_protection'] = false;

Потому что это csrf_protection устарело в CodeIgniter.

Ответ 12

Я нашел решение этой проблемы, что довольно просто. Я удалил div с дисплеем: нет стиля, окружающего вход csrf_protection. Div не имеет значения, поскольку тип ввода задан как скрытый. В CodeIginiterFolder/system/helpers/form_helper.php я изменил следующий контент (вокруг строки 75):

if (is_array($hidden) AND count($hidden) > 0)
{
    $form .= sprintf("<div style=\"display:none\">%s</div>", form_hidden($hidden));
}

для следующего:

if (is_array($hidden) AND count($hidden) > 0)
{
    $form .= form_hidden($hidden);
}