Error csrf_protection (ECSRFP)

I enabled the csrf_protection option in the CodeIgniter configuration file and used the form_open() function to create my form, but when I submit the form this error occurs:

The action you have requested is not allowed

As usual, I asked Google, and it turned out the error had already been discussed on Stack Overflow. The answer explained that the problem was in the CSRF section of CodeIgniter's config.php, and I then remembered that 2 days earlier I had changed that setting to "TRUE".

/*
|--------------------------------------------------------------------------
| Cross Site Request Forgery
|--------------------------------------------------------------------------
| Enables a CSRF cookie token to be set. When set to TRUE, token will be
| checked on a submitted form. If you are accepting user data, it is strongly
| recommended CSRF protection be enabled.
|
| 'csrf_token_name' = The token name
| 'csrf_cookie_name' = The cookie name
| 'csrf_expire' = The number in seconds the token should expire.
*/
$config['csrf_protection'] = TRUE; //<-- My mistake was that I did not know why I had changed this to "TRUE"
$config['csrf_token_name'] = 'relt';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;

In the end I set it back to the default, "FALSE". That solved it: I can post again.
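For reference, here is what a config and view look like when csrf_protection stays enabled and the form still submits. This is an added example, not the post's own code; the 'login' URI and the field names are assumptions. form_open() emits the hidden token field itself; the hand-written form below shows the same field added manually, using the CodeIgniter 3 Security class getters.

```php
<?php
// application/config/config.php (added example, not the post's config)
// Keep the check on: a form that fails it is missing the token, which is
// fixed in the view, not by switching the check off.
$config['csrf_protection']   = TRUE;
$config['csrf_token_name']   = 'relt';             // name of the hidden field
$config['csrf_cookie_name']  = 'csrf_cookie_name'; // name of the cookie
$config['csrf_expire']       = 7200;               // token lifetime in seconds
$config['csrf_regenerate']   = TRUE;               // fresh token on every request
// Each entry is a regex matched against the URI; keep this list empty unless
// an endpoint genuinely cannot carry the token.
$config['csrf_exclude_uris'] = array();

// application/views/login_form.php (form and URL helpers loaded)
// form_open() reads the token name and hash from the Security class and
// adds <input type="hidden" name="relt" value="..."> for you.
echo form_open('login');
echo form_input('username');
echo form_password('password');
echo form_submit('submit', 'Log in');
echo form_close();

// A hand-written <form> must carry the same hidden field, otherwise the
// Security class answers the POST with "The action you have requested is
// not allowed". Requests sent from a script need the field in the POST
// body as well.
$ci   =& get_instance();
$name = $ci->security->get_csrf_token_name(); // 'relt'
$hash = $ci->security->get_csrf_hash();       // value also stored in the cookie
?>
<form method="post" action="<?= site_url('login') ?>">
  <input type="hidden" name="<?= html_escape($name) ?>" value="<?= html_escape($hash) ?>">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Log in</button>
</form>
```

The check compares the hidden field with the csrf_cookie_name cookie on every POST, so the cookie must also reach the browser (check cookie_domain and cookie_secure if the field is present but the error persists).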

Netizens

Comment 1

Sorry, is the site still safe if it is made false? I also experienced this on my office website.

Response 1

The CodeIgniter documentation explains that CSRF is used to filter input fields on forms; by activating CSRF (setting it to TRUE), the default CSRF regular-expression rules apply, meaning that only the specified character types are allowed, as below.

$config['csrf_exclude_uris'] = array(
        'api/record/[0-9]+',
        'api/title/[a-z]+'
);

Actually, this can also be done on the client side (front end) using the pattern attribute, but it is easy for a hacker to manipulate. Therefore more anticipation is needed to counter this kind of thing, so CI provides the config to handle it on the backend; layered security like this is highly recommended.

Now, back to the case at hand. In this case, the only user who can input JavaScript syntax is the admin (to create a post), which means that to get that feature you have to pass the user-level rule, and I have handled that sufficiently here. So no one can input JavaScript except me.

Second, on the client side, I have used Markdown to filter all forms of input from client comments. In Markdown there is no opportunity to input JavaScript syntax, because everything is converted into Markdown syntax.

So I made it FALSE for personal reasons; if you are dealing with client applications, it is a good idea to follow the security recommendations from CI.

That is all and thank you.

If you still haven't found the reference: I have it. You just need to replace your HTML input form with the CodeIgniter input form:
<?= form_open('login'); ?>

ilhamcode

