问题描述

我在CodeIgniter中有一个非常奇怪的CSRF保护问题。我已经确保我使用form_open启动我的表单，csrf_protection在配置文件中设置为true，我还确保隐藏的csrf名称和值字段匹配csrf cookie如下所示：。

I am having a very weird CSRF protection problem in CodeIgniter. I have made sure that I use form_open to start my form, csrf_protection is set to true in the config file, and I have also made sure that the hidden csrf name and value fields match the csrf cookie as seen here: http://d.pr/3cfB.

会发生什么情况，当我提交表单时，我收到发生错误，您请求的操作不被允许。错误，我不知道为什么。当我关闭csrf_protection时，表单工作正常。

What happens is that when I submit the form, I get "An Error Was Encountered. The action you have requested is not allowed." error and am not sure why. The form works fine when I turn the csrf_protection off.

更奇怪的是，我使用tank_auth库进行身份验证，并且还使用form_open作为登录表单。我做了检查，以确保在csrf_protection打开时，在登录表单中有一个隐藏的csrf字段，我可以提交表单和登录没有问题。

What's even weirder is that I use tank_auth library for my authentication and it also uses form_open for the login form. I did check to make sure that there is a hidden csrf field in the login form when csrf_protection is on and I was able to submit the form and log in with no problem.

推荐答案

我发现了问题。在我的一个自定义库中，我有parent :: _ sanitize_globals（），这显然是导致错误的原因。我读某处，如果我有xss过滤器打开，我不需要做sanitize全局。

I found the problem. In one of my custom libraries I have parent::_sanitize_globals() which apparently was what's causing the error. I read somewhere that if I have xss filtering turned on, I don't need to do sanitize global.

这篇关于CodeIgniter的CSRF令牌问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！