So I just discovered a crazy bug that has been keeping visitors of the Opera web browser from using DaniWeb.

Apparently there's a problem with CodeIgniter's CSRF protection that makes it not work with Opera, and I'm unsure of why. It works perfectly fine with IE, Firefox, Chrome, etc.

I am using form_open() to create my forms, so it is creating the csrf hidden input tag automatically.

I have the following configuration settings set in /application/config/config.php:

$config['sess_encrypt_cookie']  = TRUE;
$config['sess_use_database']    = FALSE;
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = FALSE;

Can anyone help?

Recommended Answers

All 9 Replies

Further reading suggests that this bug is related to a cookie domain not being the same as what's typed into the browser (for example, if the cookie domain is set to and you try to access localhost).

So additional information:

$config['cookie_prefix']    = "";
$config['cookie_domain']    = "";
$config['cookie_path']      = "/";
$config['cookie_secure']    = FALSE;

Found the cause of the bug :)

It's because a few months ago, I changed one of the values in the configuration file. Apparently since that point, everyone will get a weird CSRF error from CodeIgniter until they clear their cookies.

COMPLETELY impractical.

commented: thank you for sharing! +8
Member Avatar

Ah! The joys of CI! :)

Told you it was cheap! That's a new one on me though - thanks for sharing. Useful to know, although I've stopped using CI for the mo. I assume that was true for Opera Mini and the other mobile versions too? Ouch.

BTW, I was trying to use TamperMonkey to turn off the editor WYSIWYG, but the darned csrf of yours thwarted every effort. Bah! It has its uses then. :)

What on earth does the editor have to do with CSRF?? You mean the editor toolbar or the live preview? For the editor toolbar buttons, you just need the CSS:

div.editor-container div.wysiwyg { display: none; }

Disabling the live preview is going to be more complicated because you can set its display to none on page load, but the display property gets overwritten each time that you click into the editor. This is completely untested, but try setting its height to 1px. The height property never gets dynamically overwritten, so even if fancy Javascript is being used to show/hide it, it will remain just a single pixel in height.

Still completely unrelated to CSRF though.

Member Avatar

I've already disabled the Live Preview (via Stylish). For the wysiwyg, I was using the id hook on the form and as it was constantly changing (obviously), so I gave up. Now you've mentioned the CSS solution, doh! :( Thanks for the tip Dani. No offence for all the hard work you've put into the UX/UI - just not my thing.

Anyway, enough of my nonsense - is the only fix for Opera to delete cookies?

Tried the fix, it deletes the toolbar but not the live wysiwyg. Will have a further look.

Right, the fix does remove the editor toolbar. And you said you already disabled the live preview. What else are you referring to??

Member Avatar

The live styling in the editor itself. But hey no problem. I seem to have sent this thread off-piste. Apologies.

Start a new thread and I'll help ya.

Member Avatar

Honestly Dani - I love you. I'm not worthy :). I'll start a nod thread.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, learning, and sharing knowledge.