0

So I just discovered a crazy bug that has been keeping visitors of the Opera web browser from using DaniWeb.

Apparently there's a problem with CodeIgniter's CSRF protection that makes it not work with Opera, and I'm unsure of why. It works perfectly fine with IE, Firefox, Chrome, etc.

I am using form_open() to create my forms, so it is creating the csrf hidden input tag automatically.

I have the following configuration settings set in /application/config/config.php:

$config['sess_encrypt_cookie']  = TRUE;
$config['sess_use_database']    = FALSE;
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = FALSE;

Can anyone help?

0

Further reading suggests that this bug is related to a cookie domain not being the same as what's typed into the browser (for example, if the cookie domain is set to 127.0.0.1 and you try to access localhost).

So additional information:

$config['cookie_prefix']    = "";
$config['cookie_domain']    = "www.daniweb.com";
$config['cookie_path']      = "/";
$config['cookie_secure']    = FALSE;
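
Added example, not part of the original thread and not CodeIgniter's own code: a PHP sketch of the RFC 6265 domain-match rule, showing when a cookie set with a given cookie_domain is stored for the host typed into the address bar. CodeIgniter compares the hidden form token against a cookie, so a rejected cookie means the CSRF check fails on every POST. The function name and the sample hosts are assumptions made for illustration, and the thread does not confirm that this is the root cause of the Opera behaviour.

```php
<?php
// Added example: RFC 6265 (section 5.1.3) domain matching.
// domain_matches() is a hypothetical helper, not a CodeIgniter function.

function domain_matches(string $requestHost, string $cookieDomain): bool
{
    $host   = strtolower(rtrim($requestHost, '.'));
    $domain = strtolower(ltrim($cookieDomain, '.')); // a leading dot is ignored

    if ($domain === '') {
        return true; // no Domain attribute: host-only cookie for this exact host
    }
    if ($host === $domain) {
        return true; // identical strings always match
    }
    // IP literals only match when identical; suffix matching is for host names.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    // Otherwise the host must end in ".<domain>".
    $suffix = '.' . $domain;
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

// Constructed cases: [host typed into the browser, $config['cookie_domain']].
$cases = [
    ['www.daniweb.com', 'www.daniweb.com'], // the setting quoted above
    ['daniweb.com',     'www.daniweb.com'], // bare domain, cookie scoped to www
    ['localhost',       '127.0.0.1'],       // the mismatch described in the post
    ['127.0.0.1',       '127.0.0.1'],
    ['www.daniweb.com', '.daniweb.com'],    // parent-domain cookie covers www
    ['daniweb.com',     ''],                // empty cookie_domain: host-only
];

foreach ($cases as [$host, $cookieDomain]) {
    $stored = domain_matches($host, $cookieDomain);
    printf("%-16s cookie_domain=%-18s %s\n", $host, var_export($cookieDomain, true),
        $stored ? 'cookie stored' : 'cookie rejected, CSRF token cookie never returns');
}
```
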
0

Ah! The joys of CI! :)

Told you it was cheap! That's a new one on me though - thanks for sharing. Useful to know, although I've stopped using CI for the mo. I assume that was true for Opera Mini and the other mobile versions too? Ouch.

BTW, I was trying to use TamperMonkey to turn off the editor WYSIWYG, but the darned csrf of yours thwarted every effort. Bah! It has its uses then. :)

Edited by diafol

0

What on earth does the editor have to do with CSRF?? You mean the editor toolbar or the live preview? For the editor toolbar buttons, you just need the CSS:

div.editor-container div.wysiwyg { display: none; }

Disabling the live preview is going to be more complicated because you can set its display to none on page load, but the display property gets overwritten each time that you click into the editor. This is completely untested, but try setting its height to 1px. The height property never gets dynamically overwritten, so even if fancy JavaScript is being used to show/hide it, it will remain just a single pixel in height.

Still completely unrelated to CSRF though.

0

I've already disabled the Live Preview (via Stylish). For the wysiwyg, I was using the id hook on the form, and as it was constantly changing (obviously), I gave up. Now you've mentioned the CSS solution, doh! :( Thanks for the tip Dani. No offence for all the hard work you've put into the UX/UI - just not my thing.

Anyway, enough of my nonsense - is the only fix for Opera to delete cookies?

//EDIT
Tried the fix, it deletes the toolbar but not the live wysiwyg. Will have a further look.

Edited by diafol

0

Right, the fix does remove the editor toolbar. And you said you already disabled the live preview. What else are you referring to??

0

The live styling in the editor itself. But hey no problem. I seem to have sent this thread off-piste. Apologies.

Edited by diafol
