I enabled the csrf_protection option in CodeIgniter's config file and used the form_open() function to create my forms. But when I submit the form, this error occurs:
The action you have requested is not allowed.
I have tried the answers from this topic (which is the one most related to my question): question
but they didn't work and the problem still remains.
my config.php:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
|--------------------------------------------------------------------------
| Base Site URL
|--------------------------------------------------------------------------
|
| URL to your CodeIgniter root. Typically this will be your base URL,
| WITH a trailing slash:
|
| http://example.com/
|
| If this is not set then CodeIgniter will guess the protocol, domain and
| path to your installation.
|
*/
$config['base_url'] = '';
/*
|--------------------------------------------------------------------------
| Index File
|--------------------------------------------------------------------------
|
| Typically this will be your index.php file, unless you've renamed it to
| something else. If you are using mod_rewrite to remove the page set this
| variable so that it is blank.
|
*/
$config['index_page'] = 'index.php';
/*
|--------------------------------------------------------------------------
| URI PROTOCOL
|--------------------------------------------------------------------------
|
| This item determines which server global should be used to retrieve the
| URI string. The default setting of 'AUTO' works for most servers.
| If your links do not seem to work, try one of the other delicious flavors:
|
| 'AUTO' Default - auto detects
| 'PATH_INFO' Uses the PATH_INFO
| 'QUERY_STRING' Uses the QUERY_STRING
| 'REQUEST_URI' Uses the REQUEST_URI
| 'ORIG_PATH_INFO' Uses the ORIG_PATH_INFO
|
*/
$config['uri_protocol'] = 'AUTO';
/*
|--------------------------------------------------------------------------
| URL suffix
|--------------------------------------------------------------------------
|
| This option allows you to add a suffix to all URLs generated by CodeIgniter.
| For more information please see the user guide:
|
| http://codeigniter.com/user_guide/general/urls.html
*/
$config['url_suffix'] = '';
/*
|--------------------------------------------------------------------------
| Default Language
|--------------------------------------------------------------------------
|
| This determines which set of language files should be used. Make sure
| there is an available translation if you intend to use something other
| than english.
|
*/
$config['language'] = 'persian';
/*
|--------------------------------------------------------------------------
| Default Character Set
|--------------------------------------------------------------------------
|
| This determines which character set is used by default in various methods
| that require a character set to be provided.
|
*/
$config['charset'] = 'UTF-8';
/*
|--------------------------------------------------------------------------
| Enable/Disable System Hooks
|--------------------------------------------------------------------------
|
| If you would like to use the 'hooks' feature you must enable it by
| setting this variable to TRUE (boolean). See the user guide for details.
|
*/
$config['enable_hooks'] = FALSE;
/*
|--------------------------------------------------------------------------
| Class Extension Prefix
|--------------------------------------------------------------------------
|
| This item allows you to set the filename/classname prefix when extending
| native libraries. For more information please see the user guide:
|
| http://codeigniter.com/user_guide/general/core_classes.html
| http://codeigniter.com/user_guide/general/creating_libraries.html
|
*/
$config['subclass_prefix'] = 'MY_';
/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify with a regular expression which characters are permitted
| within your URLs. When someone tries to submit a URL with disallowed
| characters they will get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-';
/*
|--------------------------------------------------------------------------
| Enable Query Strings
|--------------------------------------------------------------------------
|
| By default CodeIgniter uses search-engine friendly segment based URLs:
| example.com/who/what/where/
|
| By default CodeIgniter enables access to the $_GET array. If for some
| reason you would like to disable it, set 'allow_get_array' to FALSE.
|
| You can optionally enable standard query string based URLs:
| example.com?who=me&what=something&where=here
|
| Options are: TRUE or FALSE (boolean)
|
| The other items let you set the query string 'words' that will
| invoke your controllers and its functions:
| example.com/index.php?c=controller&m=function
|
| Please note that some of the helpers won't work as expected when
| this feature is enabled, since CodeIgniter is designed primarily to
| use segment based URLs.
|
*/
$config['allow_get_array'] = TRUE;
$config['enable_query_strings'] = FALSE;
$config['controller_trigger'] = 'c';
$config['function_trigger'] = 'm';
$config['directory_trigger'] = 'd'; // experimental not currently in use
/*
|--------------------------------------------------------------------------
| Error Logging Threshold
|--------------------------------------------------------------------------
|
| If you have enabled error logging, you can set an error threshold to
| determine what gets logged. Threshold options are:
| You can enable error logging by setting a threshold over zero. The
| threshold determines what gets logged. Threshold options are:
|
| 0 = Disables logging, Error logging TURNED OFF
| 1 = Error Messages (including PHP errors)
| 2 = Debug Messages
| 3 = Informational Messages
| 4 = All Messages
|
| For a live site you'll usually only enable Errors (1) to be logged otherwise
| your log files will fill up very fast.
|
*/
$config['log_threshold'] = 0;
/*
|--------------------------------------------------------------------------
| Error Logging Directory Path
|--------------------------------------------------------------------------
|
| Leave this BLANK unless you would like to set something other than the default
| application/logs/ folder. Use a full server path with trailing slash.
|
*/
$config['log_path'] = '';
/*
|--------------------------------------------------------------------------
| Date Format for Logs
|--------------------------------------------------------------------------
|
| Each item that is logged has an associated date. You can use PHP date
| codes to set your own date formatting
|
*/
$config['log_date_format'] = 'Y-m-d H:i:s';
/*
|--------------------------------------------------------------------------
| Cache Directory Path
|--------------------------------------------------------------------------
|
| Leave this BLANK unless you would like to set something other than the default
| system/cache/ folder. Use a full server path with trailing slash.
|
*/
$config['cache_path'] = '';
/*
|--------------------------------------------------------------------------
| Encryption Key
|--------------------------------------------------------------------------
|
| If you use the Encryption class or the Session class you
| MUST set an encryption key. See the user guide for info.
|
*/
$config['encryption_key'] = 'b{{h#/Ib;pd<%+H0?ujvv9KLRc0LR-o8ot"K*so.J&}4qCQ+Ij81ihd48fx5_';
/*
|--------------------------------------------------------------------------
| Session Variables
|--------------------------------------------------------------------------
|
| 'sess_cookie_name' = the name you want for the cookie
| 'sess_expiration' = the number of SECONDS you want the session to last.
| by default sessions last 7200 seconds (two hours). Set to zero for no expiration.
| 'sess_expire_on_close' = Whether to cause the session to expire automatically
| when the browser window is closed
| 'sess_encrypt_cookie' = Whether to encrypt the cookie
| 'sess_use_database' = Whether to save the session data to a database
| 'sess_table_name' = The name of the session database table
| 'sess_match_ip' = Whether to match the user's IP address when reading the session data
| 'sess_match_useragent' = Whether to match the User Agent when reading the session data
| 'sess_time_to_update' = how many seconds between CI refreshing Session Information
|
*/
$config['sess_cookie_name'] = 'ins_mngm_system';
$config['sess_expiration'] = 7200;
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie'] = TRUE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'user_sessions';
$config['sess_match_ip'] = TRUE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;
/*
|--------------------------------------------------------------------------
| Cookie Related Variables
|--------------------------------------------------------------------------
|
| 'cookie_prefix' = Set a prefix if you need to avoid collisions
| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
| 'cookie_path' = Typically will be a forward slash
| 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.
|
*/
$config['cookie_prefix'] = "";
$config['cookie_domain'] = "";
$config['cookie_path'] = "/";
$config['cookie_secure'] = TRUE;
/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = TRUE;
/*
|--------------------------------------------------------------------------
| Cross Site Request Forgery
|--------------------------------------------------------------------------
| Enables a CSRF cookie token to be set. When set to TRUE, token will be
| checked on a submitted form. If you are accepting user data, it is strongly
| recommended CSRF protection be enabled.
|
| 'csrf_token_name' = The token name
| 'csrf_cookie_name' = The cookie name
| 'csrf_expire' = The number in seconds the token should expire.
*/
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'relt';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
/*
|--------------------------------------------------------------------------
| Output Compression
|--------------------------------------------------------------------------
|
| Enables Gzip output compression for faster page loads. When enabled,
| the output class will test whether your server supports Gzip.
| Even if it does, however, not all browsers support compression
| so enable only if you are reasonably sure your visitors can handle it.
|
| VERY IMPORTANT: If you are getting a blank page when compression is enabled it
| means you are prematurely outputting something to your browser. It could
| even be a line of whitespace at the end of one of your scripts. For
| compression to work, nothing can be sent before the output buffer is called
| by the output class. Do not 'echo' any values with compression enabled.
|
*/
$config['compress_output'] = FALSE;
/*
|--------------------------------------------------------------------------
| Master Time Reference
|--------------------------------------------------------------------------
|
| Options are 'local' or 'gmt'. This pref tells the system whether to use
| your server's local time as the master 'now' reference, or convert it to
| GMT. See the 'date helper' page of the user guide for information
| regarding date handling.
|
*/
$config['time_reference'] = 'local';
/*
|--------------------------------------------------------------------------
| Rewrite PHP Short Tags
|--------------------------------------------------------------------------
|
| If your PHP installation does not have short tag support enabled CI
| can rewrite the tags on-the-fly, enabling you to utilize that syntax
| in your view files. Options are TRUE or FALSE (boolean)
|
*/
$config['rewrite_short_tags'] = FALSE;
/*
|--------------------------------------------------------------------------
| Reverse Proxy IPs
|--------------------------------------------------------------------------
|
| If your server is behind a reverse proxy, you must whitelist the proxy IP
| addresses from which CodeIgniter should trust the HTTP_X_FORWARDED_FOR
| header in order to properly identify the visitor's IP address.
| Comma-delimited, e.g. '10.0.1.200,10.0.1.201'
|
*/
$config['proxy_ips'] = '';
/* End of file config.php */
/* Location: ./application/config/config.php */
controller (main.php):
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
class Main extends CI_Controller {
//public function __construct()
//{
// $this->load->controller('access_controll');
//}
public function index()
{
redirect('auth/login');
}
public function login()
{
}
public function registration()
{
$this->load->view('register');
}
public function forgot()
{
}
}
/* End of file main.php */
/* Location: ./application/controllers/main.php */
view (login.php):
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="<?php echo base_url();?>template/img/favicon.png">
<title>ورود به حساب کاربری</title>
<!-- Bootstrap core CSS -->
<link href="<?php echo base_url();?>template/css/bootstrap.rtl.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="<?php echo base_url();?>template/style.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="js/html5shiv.js"></script>
<script src="js/respond.min.js"></script>
<![endif]-->
</head>
<body id="login">
<div class="login-content">
<div class="widget-content">
<h1>سامانه مدیریت مشتریان</h1>
<div class="alert alert-danger"><?php echo $message;?></div>
<?php echo form_open('auth/login', array('role'=>'form')); ?>
<div class="form-group">
<label for="identity">شناسه کاربری:</label>
<div class="input-group"> <span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span>
<?php echo form_input(array('name'=>'identity', 'type'=>'text', 'placeholder'=>'نام کاربری یا ایمیل', 'class'=>'form-control', 'id'=>'identity')); ?>
</div>
</div>
<div class="form-group">
<label for="pass">گذرواژه:</label>
<div class="input-group"> <span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
<?php echo form_input(array('name'=>'pass', 'type'=>'password', 'placeholder'=>'گذرواژه', 'class'=>'form-control')); ?>
</div>
</div>
<div class="checkbox">
<div class="col-sm-offset-1 col-sm-12">
<label>
<?php echo form_checkbox(array('name'=>'remember', 'value'=>1, 'type'=>'checkbox')); ?>
مرا به خاطر بسپار </label>
</div>
</div>
<div class="form-group">
<div class="col-sm-offset-1 col-sm-12">
<input type="submit" class="btn btn-default" value="ورود" />
</div>
</div>
<?php echo form_close(); ?>
<div class="forgot">
<ul class="list-unstyled">
<li> <i class="glyphicon glyphicon-chevron-left"></i> <a href="<?php echo site_url("main/registration");?>">ایجاد حساب کاربری جدید</a> </li>
<li> <i class="glyphicon glyphicon-chevron-left"></i> <a href="<?php echo site_url("main/forgot");?>">رمز عبور خود را فراموش کرده اید؟</a> </li>
</ul>
</div>
</div>
</div>
<!-- /.container -->
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
<script src="js/jquery.js"></script>
<script src="js/bootstrap.rtl.min.js"></script>
</body>
</html>
Habr users, help me figure this out.
There is a simple form from which data should be sent via ajax.
Trying $.get():
$.get('registration/check/', 's=3', function(html) {
alert('1');
});
Everything works fine.
Trying $.post() with the same parameters:
$.post('registration/check/', 's=3', function(html) {
alert('1');
});
FireBug receives a 500 error (internal server error) in response.
Has anyone run into this?
Question asked more than three years ago
Show the logs, what do they say?
Also, CodeIgniter is usually configured the other way round, to cut off GET requests.
I would write the URI from the root: '/registration/check'
And $.post in jQuery really does take an object, not a string, as its second parameter.
And what does this give you?
$.ajax({
type: 'POST',
url: '/registration/check',
data: {s:3}
});
One more idea: some frameworks (for example symfony, as far as I know) return a 404 rather than a 405 or 406 if you send a post instead of a get (or vice versa). Maybe CI does something similar?
Another silly idea, what about this:
$.post('registration/check/', {s: "3"}, function(html) {
alert('1');
});
Could anyone send me a working .htaccess (the one in the root) and configs by e-mail? I would be very grateful. (I'll send my address by private message.)
I reinstalled CodeIgniter (v2.0.0), nothing changed. The most interesting thing is that the config seems to be ignored. Changing $config['log_threshold'] = 4; and $config['allow_get_array'] = FALSE; has no effect at all.
Thanks everyone for your attention, the cause has been found: $config['csrf_protection'] = true was enabled in the config. I found it by going through input.class and first commenting out $this->_sanitize_globals(). The code of that method had a reference to csrf right there. True, it is now unclear how to send a post with csrf enabled, but that will come with time ;)
Thanks everyone!
I have a form using CodeIgniter
echo form_open('signup'); echo form_close();
and when I submit it, I get the following error
An Error Was Encountered The action you have requested is not allowed.
NOT always, but often…
even though the hidden input field exists inside the form:
<div style="display:none"> <input type="hidden" value="token name is here" name="csrf_token_name"> </div>
this also happens on a similar form (signin)
EDIT: the html generated by the form
<form accept-charset="utf-8" method="post" action="http://www.example.com/signup"> <div style="display:none"> <input type="hidden" value="93565fb5855d31af3d46bd655b11a4a6" name="csrf_token_name"> </div> <input id="username" type="text" placeholder="Username" maxlength="20" value="" name="username"> <input id="email" type="text" placeholder="Email" value="" name="email"> <input id="password" type="password" placeholder="Password" value="" name="password"> <input id="submit" type="submit" value="Sign up" name="submit"> </form>
You're doing it wrong.
try this
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash();?>" />
the value must be the one that codeigniter computes for the csrf token.
or use the form helper and codeigniter will automatically add this hidden field.
In my case I simply increased the "csrf_expire" variable, the number of seconds after which the token should expire.
From $config['csrf_expire'] = 7200; to $config['csrf_expire'] = 28800;
change $config['csrf_regenerate'] = TRUE;
to
$config['csrf_regenerate'] = FALSE; in the config file
If you just want to get rid of the errors completely…
The easiest solution to get around them:
- Open the file /config/config.php
- Find the following line:
$config['csrf_protection'] = TRUE;
- Replace it with…
$config['csrf_protection'] = FALSE;
- Save the changes.
WARNING. Disabling CSRF protection means you remain open to CSRF attacks.
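Every answer above ends up at the same mechanism: CodeIgniter's CSRF check is a double-submit cookie comparison, so a POST passes only when the token held in the csrf_cookie_name cookie reappears in the request body under csrf_token_name. The following is an added example written for this page, not code from any of the posts or from CodeIgniter itself; it models that check in JavaScript and shows how an AJAX call like the $.post() in the Habr thread above has to carry the token. It assumes the token and cookie names from the first post's config.php ('relt' and 'csrf_cookie_name') and a constructed cookie string.

```javascript
// Added example, not from the posts above or from CodeIgniter itself.
// Models CodeIgniter's CSRF check: the token that CI stores in the cookie named
// by $config['csrf_cookie_name'] must be echoed in the POST body under
// $config['csrf_token_name']. form_open() inserts that hidden field; a plain
// $.post() does not, which is why only the AJAX POST was rejected with
// "The action you have requested is not allowed."
// Names taken from the first post's config.php; the cookie string is constructed.

const CSRF_TOKEN_NAME = 'relt';               // $config['csrf_token_name']
const CSRF_COOKIE_NAME = 'csrf_cookie_name';  // $config['csrf_cookie_name']

// Pull one cookie out of a document.cookie-style string ("a=1; b=2").
// Returns null when the cookie is absent, e.g. after it expired (csrf_expire)
// or because cookie_secure = TRUE kept the browser from storing it over http.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Client side: data object for $.post()/fetch() with the CSRF field added next
// to the application fields. null means "no token available, reload the page
// to get a fresh cookie" rather than sending a POST that will be rejected.
function withCsrfToken(cookieString, fields) {
  const token = readCookie(cookieString, CSRF_COOKIE_NAME);
  if (token === null) return null;
  return Object.assign({}, fields, { [CSRF_TOKEN_NAME]: token });
}

// Compare without leaking where the strings differ (CI 3 uses hash_equals()).
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side, simplified model of CI_Security::csrf_verify(): only POST is
// checked (so $.get() sails through); both values must be present and equal.
function csrfVerify(method, postFields, requestCookies) {
  if (method.toUpperCase() !== 'POST') return true;
  const posted = postFields[CSRF_TOKEN_NAME];
  const fromCookie = readCookie(requestCookies, CSRF_COOKIE_NAME);
  if (typeof posted !== 'string' || fromCookie === null) return false;
  return constantTimeEqual(posted, fromCookie);
}

// Constructed cookie jar: the session cookie from the first post's config plus
// the CSRF cookie CI set when the page was rendered (token value is made up).
const SAMPLE_COOKIES = 'ins_mngm_system=s3ss10n; csrf_cookie_name=c0ffee1234deadbeef';

function demo() {
  const bare = { s: '3' };                            // what $.post('...', 's=3') sends
  const fixed = withCsrfToken(SAMPLE_COOKIES, bare);  // same fields plus the token
  return {
    bareRejected: !csrfVerify('POST', bare, SAMPLE_COOKIES),
    fixedAccepted: csrfVerify('POST', fixed, SAMPLE_COOKIES),
    getIgnored: csrfVerify('GET', bare, SAMPLE_COOKIES),
    missingCookie: withCsrfToken('ins_mngm_system=s3ss10n', bare) === null,
  };
}

console.log(demo());
```

The missingCookie case is what an idle session produces once the CSRF cookie has expired after csrf_expire seconds: no token can be attached, so the next POST fails until the page is reloaded and a fresh cookie is issued.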
Issue / Question / Bug
Before submitting an issue please make sure you tick (add an x between the square brackets with no spaces) the following check boxes:
- I’m reporting an issue of an unmodified OSPOS installation
- I checked open and closed issues database and no similar issue was already discussed (please make sure you searched!)
- I read the README, WHATS_NEW and UPGRADE
- I read the FAQ (https://github.com/jekkos/opensourcepos#faq) for any known install and/or upgrade gotchas (in specific PHP has php-gd, php-intl, sockets and etc. installed)
- I read the wiki
- [?] I ran any database upgrade scripts (e.g. database/2.4_to_3.0.sql), and migrating function
- I’m aware the latest master could be a development version and therefore not stable
- I know the version of OSPOS and git commit hash (check the footer of your OSPOS), the name and version of OS, Web server, PHP and MySQL and will add them to my issue report
Installation information
- OSPOS version is: 3.0.2
- OSPOS git commit hash is: 4f5ad57
- PHP version is: (e.g. 5.5, 5.6, 7.0, 7.1) 5.6
- MySQL or MariaDB version is: (e.g. MySQL 5.5, MySQL 5.6, MySQL 5.7, MariaDB 10.0, MariaDB 10.1, MariaDB 10.2) MySQL 5.5
- OS and version is: (e.g. CentOS 6.9, Ubuntu 16.4, Windows 10) Raspbian 8 Jessie
- WebServer is: (e.g. Apache 2.2, Apache 2.4, Nginx 1.12, Nginx 1.13) 2.4.10
- (If applicable) Installation package for the LAMP/LEMP stack is: (e.g. WAMP, XAMPP)
Expected behaviour
Go to home page after logging in.
Actual behaviour
An Error Was Encountered
The action you have requested is not allowed.
Steps to reproduce the issue
I have a client rpi that I VPN, from a remote location, to the server rpi. I let the client sit idle for a few hours, then I get this error. If I "go back" I can then log in, get directed to the home page and use it as expected. Refreshing does not help.
GLPI is connected to the database with root user.
I checked the permissions on the folder and they are ok.
As you can see
System Information:
Operating system : Linux
PHP 5.2.6 (PDO, Reflection, SPL, SQLite, SimpleXML, apache2handler, bcmath, bz2, ctype, curl, date, dom, filter, ftp, gd, gettext, hash, imap, json, ldap, libxml, mbstring, mcrypt, mysql, mysqli, openssl, pcre, pgsql, posix, session, standard, suhosin, sysvsem, sysvshm, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, zip, zlib)
Setup: memory_limit="1G" max_execution_time="1200" safe_mode="" session.save_handler="files" post_max_size="1G" upload_max_filesize="1G"
Software: Apache/2.2.9 (Mandriva Linux/PREFORK-12.9mdvmes5) (Apache/2.2.9 (Mandriva Linux/PREFORK-12.9mdvmes5) Server at xxx.xxx.xxx.xxx Port 80)
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17
MySQL: 5.0.89 (root@localhost/glpi)
../config : OK
../files : OK
../files/_dumps : OK
../files/_sessions : OK
../files/_cron : OK
../files/_cache/ : OK
../files/_graphs : OK
../files/_log : OK
I think it’s something with CSRF token.
Last edited by jairo.santos (2013-02-07 13:37:37)
juro (Newbie) - Posts: 4 - Threads: 1 - Joined: Dec 2014 - Reputation: 0
Hello,
I have issue with working with form validation.
First, I made my own controller and form, but because it was not working, I wanted to test the form validation from the tutorial (https://ellislab.com/codeigniter/user-gu…ation.html).
Now I have the exact controller and form that are written in this tutorial (copy paste). But when I press the submit button I get the same error as before: An Error Was Encountered The action you have requested is not allowed. With status 403 Forbidden.
I have not changed any .htaccess files. I have changed config file.
PHP Code:
<?php
/**
* CodeIgniter
*
* An open source application development framework for PHP 5.2.4 or newer
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/)
* @copyright Copyright (c) 2014, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link http://codeigniter.com
* @since Version 1.0.0
* @filesource
*/
defined('BASEPATH') OR exit('No direct script access allowed');
/*
|--------------------------------------------------------------------------
| Base Site URL
|--------------------------------------------------------------------------
|
| URL to your CodeIgniter root. Typically this will be your base URL,
| WITH a trailing slash:
|
| http://example.com/
|
| If this is not set then CodeIgniter will try guess the protocol, domain
| and path to your installation. However, you should always configure this
| explicitly and never rely on auto-guessing, especially in production
| environments.
|
*/
$config['base_url'] = 'https://localhost/Igniter/';
/*
|--------------------------------------------------------------------------
| Index File
|--------------------------------------------------------------------------
|
| Typically this will be your index.php file, unless you've renamed it to
| something else. If you are using mod_rewrite to remove the page set this
| variable so that it is blank.
|
*/
$config['index_page'] = 'index.php';
/*
|--------------------------------------------------------------------------
| URI PROTOCOL
|--------------------------------------------------------------------------
|
| This item determines which server global should be used to retrieve the
| URI string. The default setting of 'AUTO' works for most servers.
| If your links do not seem to work, try one of the other delicious flavors:
|
| 'AUTO' Default - auto detects
| 'CLI' or 'argv' Uses $_SERVER['argv'] (for php-cli only)
| 'PATH_INFO' Uses $_SERVER['PATH_INFO']
| 'REQUEST_URI' Uses $_SERVER['REQUEST_URI']
| 'QUERY_STRING' Uses $_SERVER['QUERY_STRING']
|
*/
$config['uri_protocol'] = 'AUTO';
/*
|--------------------------------------------------------------------------
| URL suffix
|--------------------------------------------------------------------------
|
| This option allows you to add a suffix to all URLs generated by CodeIgniter.
| For more information please see the user guide:
|
| http://codeigniter.com/user_guide/general/urls.html
*/
$config['url_suffix'] = '';
/*
|--------------------------------------------------------------------------
| Default Language
|--------------------------------------------------------------------------
|
| This determines which set of language files should be used. Make sure
| there is an available translation if you intend to use something other
| than english.
|
*/
$config['language'] = 'english';
/*
|--------------------------------------------------------------------------
| Default Character Set
|--------------------------------------------------------------------------
|
| This determines which character set is used by default in various methods
| that require a character set to be provided.
|
| See http://php.net/htmlspecialchars for a list of supported charsets.
|
*/
$config['charset'] = 'UTF-8';
/*
|--------------------------------------------------------------------------
| Enable/Disable System Hooks
|--------------------------------------------------------------------------
|
| If you would like to use the 'hooks' feature you must enable it by
| setting this variable to TRUE (boolean). See the user guide for details.
|
*/
$config['enable_hooks'] = FALSE;
/*
|--------------------------------------------------------------------------
| Class Extension Prefix
|--------------------------------------------------------------------------
|
| This item allows you to set the filename/classname prefix when extending
| native libraries. For more information please see the user guide:
|
| http://codeigniter.com/user_guide/general/core_classes.html
| http://codeigniter.com/user_guide/general/creating_libraries.html
|
*/
$config['subclass_prefix'] = 'MY_';
/*
|--------------------------------------------------------------------------
| Composer auto-loading
|--------------------------------------------------------------------------
|
| Enabling this setting will tell CodeIgniter to look for a Composer
| package auto-loader script in application/vendor/autoload.php.
|
| $config['composer_autoload'] = TRUE;
|
| Or if you have your vendor/ directory located somewhere else, you
| can opt to set a specific path as well:
|
| $config['composer_autoload'] = '/path/to/vendor/autoload.php';
|
| For more information about Composer, please visit http://getcomposer.org/
|
| Note: This will NOT disable or override the CodeIgniter-specific
| autoloading (application/config/autoload.php)
*/
$config['composer_autoload'] = FALSE;
/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify which characters are permitted within your URLs.
| When someone tries to submit a URL with disallowed characters they will
| get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| The configured value is actually a regular expression character group
| and it will be executed as: ! preg_match('/^[<permitted_uri_chars>]+$/i
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-';
/*
|--------------------------------------------------------------------------
| Enable Query Strings
|--------------------------------------------------------------------------
|
| By default CodeIgniter uses search-engine friendly segment based URLs:
| example.com/who/what/where/
|
| By default CodeIgniter enables access to the $_GET array. If for some
| reason you would like to disable it, set 'allow_get_array' to FALSE.
|
| You can optionally enable standard query string based URLs:
| example.com?who=me&what=something&where=here
|
| Options are: TRUE or FALSE (boolean)
|
| The other items let you set the query string 'words' that will
| invoke your controllers and its functions:
| example.com/index.php?c=controller&m=function
|
| Please note that some of the helpers won't work as expected when
| this feature is enabled, since CodeIgniter is designed primarily to
| use segment based URLs.
|
*/
$config['allow_get_array'] = TRUE;
$config['enable_query_strings'] = FALSE;
$config['controller_trigger'] = 'c';
$config['function_trigger'] = 'm';
$config['directory_trigger'] = 'd';
/*
|--------------------------------------------------------------------------
| Error Logging Threshold
|--------------------------------------------------------------------------
|
| If you have enabled error logging, you can set an error threshold to
| determine what gets logged. Threshold options are:
| You can enable error logging by setting a threshold over zero. The
| threshold determines what gets logged. Threshold options are:
|
| 0 = Disables logging, Error logging TURNED OFF
| 1 = Error Messages (including PHP errors)
| 2 = Debug Messages
| 3 = Informational Messages
| 4 = All Messages
|
| You can also pass in a array with threshold levels to show individual error types
|
| array(2) = Debug Messages, without Error Messages
|
| For a live site you'll usually only enable Errors (1) to be logged otherwise
| your log files will fill up very fast.
|
*/
$config['log_threshold'] = 4;
/*
|--------------------------------------------------------------------------
| Error Logging Directory Path
|--------------------------------------------------------------------------
|
| Leave this BLANK unless you would like to set something other than the default
| application/logs/ directory. Use a full server path with trailing slash.
|
*/
$config['log_path'] = '';
/*
|--------------------------------------------------------------------------
| Log File Extension
|--------------------------------------------------------------------------
|
| The default filename extension for log files. The default 'php' allows for
| protecting the log files via basic scripting, when they are to be stored
| under a publicly accessible directory.
|
| Note: Leaving it blank will default to 'php'.
|
*/
$config['log_file_extension'] = '';
/*
|--------------------------------------------------------------------------
| Log File Permissions
|--------------------------------------------------------------------------
|
| The file system permissions to be applied on newly created log files.
|
| IMPORTANT: This MUST be an integer (no quotes) and you MUST use octal
| integer notation (i.e. 0700, 0644, etc.)
*/
$config['log_file_permissions'] = 0644;
/*
|--------------------------------------------------------------------------
| Date Format for Logs
|--------------------------------------------------------------------------
|
| Each item that is logged has an associated date. You can use PHP date
| codes to set your own date formatting
|
*/
$config['log_date_format'] = 'Y-m-d H:i:s';
/*
|--------------------------------------------------------------------------
| Error Views Directory Path
|--------------------------------------------------------------------------
|
| Leave this BLANK unless you would like to set something other than the default
| application/views/errors/ directory. Use a full server path with trailing slash.
|
*/
$config['error_views_path'] = '';
/*
|--------------------------------------------------------------------------
| Cache Directory Path
|--------------------------------------------------------------------------
|
| Leave this BLANK unless you would like to set something other than the default
| application/cache/ directory. Use a full server path with trailing slash.
|
*/
$config['cache_path'] = '';
/*
|--------------------------------------------------------------------------
| Encryption Key
|--------------------------------------------------------------------------
|
| If you use the Encryption class or the Session class you
| MUST set an encryption key. See the user guide for info.
|
| http://codeigniter.com/user_guide/libraries/encryption.html
| http://codeigniter.com/user_guide/libraries/sessions.html
|
*/
$config['encryption_key'] = '';
/*
|--------------------------------------------------------------------------
| Session Variables
|--------------------------------------------------------------------------
|
| 'sess_driver' = the driver to load: cookie (Classic), native (PHP sessions),
| or your custom driver name
| 'sess_valid_drivers' = additional valid drivers which may be loaded
| 'sess_cookie_name' = the name you want for the cookie, must contain only [0-9a-z_-] characters
| 'sess_expiration' = the number of SECONDS you want the session to last.
| by default sessions last 7200 seconds (two hours). Set to zero for no expiration.
| 'sess_expire_on_close' = Whether to cause the session to expire automatically
| when the browser window is closed
| 'sess_encrypt_cookie' = Whether to encrypt the cookie
| 'sess_use_database' = Whether to save the session data to a database
| 'sess_table_name' = The name of the session database table
| 'sess_match_ip' = Whether to match the user's IP address when reading the session data
| 'sess_match_useragent' = Whether to match the User Agent when reading the session data
| 'sess_time_to_update' = how many seconds between CI refreshing Session Information
|
*/
$config['sess_driver'] = 'cookie';
$config['sess_valid_drivers'] = array();
$config['sess_cookie_name'] = 'mysession';
$config['sess_expiration'] = 7200;
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie'] = TRUE;
$config['sess_use_database'] = FALSE;
$config['sess_table_name'] = 'ci_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;
/*
|--------------------------------------------------------------------------
| Cookie Related Variables
|--------------------------------------------------------------------------
|
| 'cookie_prefix' = Set a prefix if you need to avoid collisions
| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
| 'cookie_path' = Typically will be a forward slash
| 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.
| 'cookie_httponly' = Cookie will only be accessible via HTTP(S) (no javascript)
|
*/
$config['cookie_prefix'] = '';
$config['cookie_domain'] = '';
$config['cookie_path'] = '/';
$config['cookie_secure'] = TRUE;
$config['cookie_httponly'] = TRUE;
/*
|--------------------------------------------------------------------------
| Standardize newlines
|--------------------------------------------------------------------------
|
| Determines whether to standardize newline characters in input data,
| meaning to replace \r\n, \r, \n occurrences with the PHP_EOL value.
|
| This is particularly useful for portability between UNIX-based OSes,
| (usually \n) and Windows (\r\n).
|
*/
$config['standardize_newlines'] = FALSE;
/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = TRUE;
/*
|--------------------------------------------------------------------------
| Cross Site Request Forgery
|--------------------------------------------------------------------------
| Enables a CSRF cookie token to be set. When set to TRUE, token will be
| checked on a submitted form. If you are accepting user data, it is strongly
| recommended CSRF protection be enabled.
|
| 'csrf_token_name' = The token name
| 'csrf_cookie_name' = The cookie name
| 'csrf_expire' = The number in seconds the token should expire.
| 'csrf_regenerate' = Regenerate token on every submission
| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
*/
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'mytoken';
$config['csrf_cookie_name'] = 'mycookie';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();
/*
|--------------------------------------------------------------------------
| Output Compression
|--------------------------------------------------------------------------
|
| Enables Gzip output compression for faster page loads. When enabled,
| the output class will test whether your server supports Gzip.
| Even if it does, however, not all browsers support compression
| so enable only if you are reasonably sure your visitors can handle it.
|
| Only used if zlib.output_compression is turned off in your php.ini.
| Please do not use it together with httpd-level output compression.
|
| VERY IMPORTANT: If you are getting a blank page when compression is enabled it
| means you are prematurely outputting something to your browser. It could
| even be a line of whitespace at the end of one of your scripts. For
| compression to work, nothing can be sent before the output buffer is called
| by the output class. Do not 'echo' any values with compression enabled.
|
*/
$config['compress_output'] = FALSE;
/*
|--------------------------------------------------------------------------
| Minify
|--------------------------------------------------------------------------
|
| Removes extra characters (usually unnecessary spaces) from your
| output for faster page load speeds. Makes your outputted HTML source
| code less readable.
|
*/
$config['minify_output'] = FALSE;
/*
|--------------------------------------------------------------------------
| Master Time Reference
|--------------------------------------------------------------------------
|
| Options are 'local' or any PHP supported timezone. This preference tells
| the system whether to use your server's local time as the master 'now'
| reference, or convert it to the configured one timezone. See the 'date
| helper' page of the user guide for information regarding date handling.
|
*/
$config['time_reference'] = 'local';
/*
|--------------------------------------------------------------------------
| Rewrite PHP Short Tags
|--------------------------------------------------------------------------
|
| If your PHP installation does not have short tag support enabled CI
| can rewrite the tags on-the-fly, enabling you to utilize that syntax
| in your view files. Options are TRUE or FALSE (boolean)
|
*/
$config['rewrite_short_tags'] = FALSE;
/*
|--------------------------------------------------------------------------
| Reverse Proxy IPs
|--------------------------------------------------------------------------
|
| If your server is behind a reverse proxy, you must whitelist the proxy
| IP addresses from which CodeIgniter should trust headers such as
| HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP in order to properly identify
| the visitor's IP address.
|
| You can use both an array or a comma-separated list of proxy addresses,
| as well as specifying whole subnets. Here are a few examples:
|
| Comma-separated: '10.0.1.200,192.168.5.0/24'
| Array: array('10.0.1.200', '192.168.5.0/24')
*/
$config['proxy_ips'] = '';
/* End of file config.php */
/* Location: ./application/config/config.php */
I am using the latest Apache server and the latest CI (3). I am working on a web site that has to be very secure.
I am new to CI, so maybe I am doing something (stupid) wrong. I am sorry for my English (I am not a native English speaker).
I would appreciate any help with this. Thanks!
Set csrf_protection to false and I bet it works.
If that is the case then it’s a problem with CSRF protection and while that’s not a resolution it may lead you in the right direction for debugging the issue.
juro (Newbie, Posts: 4, Threads: 1, Joined: Dec 2014, Reputation: 0):
Thanks! You are right, it works if I set csrf to false. But I need to have it set to TRUE. So I googled about it and tried to make a hidden input like this
PHP Code:
$hidden = array($this->security->get_csrf_token_name() => $this->security->get_csrf_hash());
echo form_open('pages/Login', '', $hidden);
and
PHP Code:
<div style="display:none">
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash();?>" />
</div>
but none of the above solved the problem.
Do you have any suggestions on how to make it work? I can't be the only one with this kind of problem?
According to the documentation, «If you use the form helper the form_open() function will automatically insert a hidden csrf field in your forms.»
Is it possible you are inserting the fields twice and they are being sent as an array? What do you see when you view the document source of your login page?
juro (Newbie, Posts: 4, Threads: 1, Joined: Dec 2014, Reputation: 0):
Yes I know, strange right?
It is not possible, I am using the same views and the same controller as here: https://ellislab.com/codeigniter/user-gu…ation.html. The source is as it is supposed to be. Yesterday I MAYBE actually found the problem: I tried to run this code on Chrome 39 and on IE 8. It works on both. But on Firefox 34 it never works. I don't know why I haven't tested this earlier.
So apparently something is wrong with Firefox 34? I googled about it but I didn't find anything.
Then I ran some more tests on what is happening with csrf_hash. I put log_message('info', $this->security->get_csrf_hash()); in the controller. And I found out that when I refresh (run) the controller in Chrome, csrf_hash does not change; it is changed only when I submit the form and the post is sent back to the controller. In Firefox csrf_hash is changed every time the controller runs.
In the log file, when I submit my form in Firefox, the last log entry is [DEBUG - 2014-12-10 12:45:50 --> Input Class Initialized]; the next one would have to be [DEBUG - 2014-12-10 12:45:50 --> CRSF cookie Set], but it never gets that far. So I suppose that on form submission in Firefox the CSRF cookie doesn't get set. Why in Firefox but not in IE and Chrome? It's weird.
juro (Newbie, Posts: 4, Threads: 1, Joined: Dec 2014, Reputation: 0):
I solved this problem by checking «accept cookies from sites» in the privacy settings in Firefox. It is not my default browser, so I didn't know that this could be an issue.
So if someone has the same issue … check cookie settings
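The failure juro hit is a property of CodeIgniter's CSRF design: the hidden form field is only half of the check, the other half is the cookie the browser has to send back, and a browser that refuses cookies can never pass it. The following is an added illustration, not CodeIgniter's own code, of that double-submit check using the token and cookie names from the config above; the csrf_verify() helper and its return codes are hypothetical and exist only so a defender can log why a request was rejected.

```php
<?php
// Standalone illustration of a double-submit cookie CSRF check, modelled on
// what csrf_protection does in CodeIgniter 3 (hypothetical helper, not CI code).
// Names mirror the config posted above: csrf_token_name / csrf_cookie_name.
const CSRF_TOKEN_NAME  = 'mytoken';
const CSRF_COOKIE_NAME = 'mycookie';

/**
 * Compare the submitted form token with the CSRF cookie.
 * Returns 'ok', 'no_cookie', 'no_field' or 'mismatch' so the caller can log
 * the reason instead of only showing the generic
 * "The action you have requested is not allowed." page.
 */
function csrf_verify(array $post, array $cookie): string
{
    if (!isset($cookie[CSRF_COOKIE_NAME])) {
        // Browser did not send the cookie back: cookies disabled or blocked,
        // cookie_secure = TRUE over plain HTTP, or a cookie_domain mismatch.
        return 'no_cookie';
    }
    if (!isset($post[CSRF_TOKEN_NAME])) {
        return 'no_field';   // form_open() did not emit the hidden field
    }
    // Constant-time comparison, as CI's own check does with hash_equals().
    return hash_equals($cookie[CSRF_COOKIE_NAME], $post[CSRF_TOKEN_NAME])
        ? 'ok' : 'mismatch';
}

// --- constructed requests that exercise the three outcomes seen in the thread ---
$token = bin2hex(random_bytes(16));   // stands in for get_csrf_hash()

// 1. Browser that stores cookies: hidden field and cookie agree.
$good = csrf_verify([CSRF_TOKEN_NAME => $token], [CSRF_COOKIE_NAME => $token]);

// 2. Firefox with "accept cookies from sites" unchecked: the hidden field is
//    present, but no cookie comes back, so the check cannot succeed.
$nocookie = csrf_verify([CSRF_TOKEN_NAME => $token], []);

// 3. Stale token after csrf_regenerate = TRUE (e.g. an old tab): a mismatch,
//    which is a different diagnosis from a missing cookie.
$stale = csrf_verify(
    [CSRF_TOKEN_NAME => $token],
    [CSRF_COOKIE_NAME => bin2hex(random_bytes(16))]
);

foreach (['good' => $good, 'no cookie' => $nocookie, 'stale' => $stale] as $case => $why) {
    // In CI this is where a hook would call log_message('error', ...) so the
    // application log says which half of the double submit was missing.
    echo str_pad($case, 10) . ' => ' . $why . PHP_EOL;
}
```

Running it shows that case 2 fails before the tokens are ever compared, which is exactly why juro saw a different csrf_hash on every request in Firefox: with no cookie returned, the framework had to mint a new one each time.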
tronbow (Newbie, Posts: 3, Threads: 1, Joined: Dec 2014, Reputation: 0):
If the csrf setting is TRUE, just use form_open('page/Login'), and the hidden field will be generated automatically.
IE also has that setting, except they call it accept third party cookies.
What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
I use exactly the code as it is here: https://ellislab.com/codeigniter/user-guide/libraries/form_validation.html
It all works fine when csrf_protection in the config file is set to false. But when I set it to true and submit the form, I get an error message:
An Error Was Encountered
The action you have requested is not allowed.
I tried to run the code on Chrome 39 and IE 8. It works on both. But on Firefox 34 it does not.
So is something wrong with Firefox 34? I googled about it but found nothing.
Then I ran a few more tests on what happens with csrf_hash. I put log_message('info', $this->security->get_csrf_hash());
in the controller. And I found that when I refresh (run) the controller in Chrome and IE, csrf_hash does not change; it changes only when I submit the form and the post is sent back to the controller. In Firefox csrf_hash changes every time the controller runs.
In the log file, when I submit my form in Firefox, the last log entry is
[DEBUG - 2014-12-10 12:45:50 --> Input Class Initialized]
,
the next one should be
[DEBUG - 2014-12-10 12:45:50 --> CRSF cookie Set]
but it never gets that far. So I assume that on form submission in Firefox the csrf cookie does not get set. Why in Firefox and not in IE and Chrome?
I am new to CodeIgniter, and I have been working on this problem for the third day now =(.
I would appreciate any help or hint with this. Thanks!
The action you have requested is not allowed.
Newbie, 22 Jun 2014, 06:08:
The action you have requested is not allowed. An Error Was Encountered
Nikita (V.I.P.), 22 Jun 2014, 12:53:
Re: The action you have requested is not allowed. Write the details: OS, web server.
server (Newbie), 24 Jun 2014, 04:03:
Re: The action you have requested is not allowed. Nikita wrote: Write the details: OS, web server. OS: Windows 8.1, server: denwer/local server
server (Newbie), 24 Jun 2014, 04:27:
Re: The action you have requested is not allowed. Nikita wrote: Write the details: OS, web server. Reinstalled it; now there are other errors, related to authorization… Attachments:
Nikita (V.I.P.), 24 Jun 2014, 20:02:
Re: The action you have requested is not allowed. You edited the files by hand and saved them in the wrong encoding.