
I am currently working locally (myhostname.local) to begin a development project in CodeIgniter and am trying to do a simple login form submission and the CSRF protection is not working. I get the error:

An Error Was Encountered
The action you have requested is not allowed.

A couple of things to note:

  1. I am using CI Reactor 2.0.2
  2. I am running everything from a local host (myhostname.local)

My form:

<?=form_open('home/login');?>
... username/password fields in here ...
<?=form_close();?>

My controller:

public function login()
{

    $this->form_validation->set_rules('email','Email','trim|required');
    $this->form_validation->set_rules('password','Password','required');

    if($this->form_validation->run() === FALSE)
    {
        ... form did not pass validation ...
    }
    else
    {
        ... form passed ...
    }

}

When I submit the form to http://myhostname.local/home/login I get the above error.

Any help on why this is happening is much appreciated.

Thanks! Sean

  • Does this happen every single time, or only sometimes, or only after a validation failure? Also, are you sure it's localhost only - does this work on a live server for you? Commented Apr 30, 2011 at 14:49
  • It happens every time. I have not tested it on a live server. I'll do that and let you know. Commented Apr 30, 2011 at 15:03
  • That might help, especially since the title is "CodeIgniter CSRF and localhost", it may be something to do with cookies not being set, are you able to set and read cookies? Make totally sure you see the CSRF token in the html source too, I know it sounds dumb but it's good to check the simplest things first. Commented Apr 30, 2011 at 15:10
  • 1
    Have you loaded the form validation library? just to makesure... Commented Apr 30, 2011 at 15:29
  • @Wesley Murch - I see cookies, and I can set cookies, but there is no cookie for the CSRF. Also, the CSRF token is in source. I've uploaded the site to a live server per your request: modernstitches.seangates.com Commented Apr 30, 2011 at 21:26

3 Answers

10

It appears that setting values in the config.php file for cookies has a big impact. Once I set these back to defaults everything started working correctly again:

$config['cookie_prefix']    = "";
$config['cookie_domain']    = "";
$config['cookie_path']    = "/";
$config['cookie_secure']    = FALSE;

1 Comment

This was the correct answer in my case (Apache 2.2.24 on MacOSX). But I took it one step further and added if (ENVIRONMENT==='development') $config['cookie_domain']=''; right after the cookie_ section in config.php; this way it will still work if you deploy to a production/stage environment.
3

I have encountered a similar issue; I kept getting the "The action you have requested is not allowed." error message when I tried to submit my login form. I am working locally with a virtual Linux box. It turned out that my problem had something to do with the date/time setup on the virtual machine. Once I updated the date to match my host machine's date and time, the problem disappeared.

I am using CodeIgniter v. 2.1.0.

Here are parts of my config.php file:

$config['cookie_prefix']    = "";
$config['cookie_domain']    = "";
$config['cookie_path']      = "/";
$config['cookie_secure']    = FALSE;

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'my_csrf_token';
$config['csrf_cookie_name'] = 'mycsrf';
$config['csrf_expire'] = 7200;

I hope this info helps someone experiencing a similar issue.


2

Running CI 2.1.0 on a localhost setup with MAMP.

Installation of CI is brand new, with no extras. Simply following along the 'Tutorial' in the User Guide, and came across the same error after creating my first form, and enabling CSRF in the configs.

The 'form_open()' is used to open the form. The hidden field is being created. The error appears every time: "the action you have requested is not allowed".

After playing around with the cookie config options in config.php, as suggested here, I found that in my case the culprit seems to be the 'cookie_prefix' config. It must be left BLANK, otherwise it causes this error. Once it is left blank, everything works.

I hope this may prove useful to others.
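The three answers above all trace the error to the cookie settings in config.php: CodeIgniter's CSRF protection is a double-submit check, where the token that form_open() writes into a hidden field must match the token stored in a cookie, so any cookie attribute that stops the browser from sending that cookie back makes every POST fail with "The action you have requested is not allowed." The following standalone script is an added illustration, not CodeIgniter's own code: it models the comparison and the browser's cookie-domain and Secure rules so you can see which config values lose the token on a local hostname. Function names, the config array, and the assumption of PHP 7+ (for random_bytes and hash_equals) are this example's own; the cookie_prefix effect reported in the third answer is not modeled, only cookie_domain and cookie_secure.

```php
<?php
// Added example (not CodeIgniter's own code): a minimal model of a
// double-submit cookie CSRF check and of the browser rules that decide
// whether the CSRF cookie is returned with the form POST.

// One token per form; the server keeps a copy in a cookie and form_open()
// emits the other in a hidden input.
function csrf_new_token() {
    return bin2hex(random_bytes(16)); // assumes PHP 7+
}

// Server side: allow the request only if both copies exist and are equal.
// Returns false exactly where CodeIgniter would show
// "The action you have requested is not allowed."
function csrf_verify(array $post, array $cookie, $token_name, $cookie_name) {
    if (!isset($post[$token_name]) || !isset($cookie[$cookie_name])) {
        return false; // missing hidden field or missing cookie
    }
    return hash_equals((string) $cookie[$cookie_name], (string) $post[$token_name]);
}

// Browser side: would a cookie set with these attributes be sent back on a
// request to $request_host over $scheme?
function cookie_returned($cookie_domain, $cookie_secure, $request_host, $scheme) {
    // A Secure cookie is only sent over https; cookie_secure = TRUE on plain
    // http means the token cookie never comes back.
    if ($cookie_secure && $scheme !== 'https') {
        return false;
    }
    // Empty domain => host-only cookie, which always matches the host that set it.
    if ($cookie_domain === '') {
        return true;
    }
    // Otherwise the request host must be the domain itself or a subdomain of it;
    // a production domain left in config.php never matches myhostname.local.
    $d = ltrim(strtolower($cookie_domain), '.');
    $h = strtolower($request_host);
    return $h === $d || substr($h, -strlen('.' . $d)) === '.' . $d;
}

// Simulate one form round trip (GET the form, then POST it) for a given
// config.php cookie block and local hostname. Returns true if the POST
// passes the CSRF check.
function simulate_login(array $config, $request_host, $scheme) {
    $token = csrf_new_token();
    // The cookie jar the browser will present on the POST.
    $browser_jar = array();
    if (cookie_returned($config['cookie_domain'], $config['cookie_secure'], $request_host, $scheme)) {
        $browser_jar[$config['csrf_cookie_name']] = $token;
    }
    // Constructed form submission: hidden token plus the login fields.
    $post = array(
        $config['csrf_token_name'] => $token,
        'email'    => 'user@example.com',
        'password' => 'constructed-sample',
    );
    return csrf_verify($post, $browser_jar, $config['csrf_token_name'], $config['csrf_cookie_name']);
}

// Constructed config matching the defaults the accepted answer restores.
$defaults = array(
    'cookie_prefix'    => '',
    'cookie_domain'    => '',
    'cookie_path'      => '/',
    'cookie_secure'    => FALSE,
    'csrf_token_name'  => 'my_csrf_token',
    'csrf_cookie_name' => 'mycsrf',
);

// Defaults on http://myhostname.local: the cookie is host-only, the POST passes.
var_dump(simulate_login($defaults, 'myhostname.local', 'http'));

// A production cookie_domain left in place: the browser drops the cookie,
// so every POST fails with the error from the question.
var_dump(simulate_login(array('cookie_domain' => 'example.com') + $defaults, 'myhostname.local', 'http'));

// cookie_secure = TRUE while developing over plain http: same failure.
var_dump(simulate_login(array('cookie_secure' => TRUE) + $defaults, 'myhostname.local', 'http'));
```

Run it with php on the command line: the first call reports true and the other two false, which is the symptom described in the question. When you keep the cookie settings environment-specific (as the first answer's comment does with an ENVIRONMENT check), the quick diagnostic is the one suggested in the question's comments: confirm in the browser's cookie store that the CSRF cookie actually exists for the local hostname, and confirm the hidden token field is present in the form's HTML.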
