0

We use CodeIgniter custom session data to handle our login (among many other things). Our settings are as follows:

$config['sess_cookie_name']     = 'danisession';
$config['sess_expiration']      = 0;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie']  = TRUE;
$config['sess_use_database']    = FALSE;
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = FALSE;
$config['sess_time_to_update']  = 300;

...

$config['csrf_protection'] = true;
$config['csrf_token_name'] = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_cookie';
$config['csrf_expire'] = 7200;    

We used to have sess_match_useragent set to true, but had to change it to false because it was causing issues with certain useragents that were giving different useragent info on each page load.

Now, we are experiencing the issue where a clean installation of Windows 8 is throwing back the CSRF error message for an invalid or expired token upon submitting a post request.

Last Post by Mark_k
Featured Replies
  • **@Dani** There's nothing wrong with your config. >What web browser? **IE** Read this: http://codeigniter.com/forums/viewthread/191009/ It's kinda hard to duplicate the issue that you are having. You can try this: https://github.com/EllisLab/CodeIgniter/wiki/Native-session Is there something wrong with the website? I don't see any error?


0

I can't really debug this because I'm on a Mac, but for those experiencing the problem, can you answer the following:

  1. What web browser?
  2. Does the problem happen when submitting any DaniWeb form, including trying to search?
  3. Does the problem happen on other CodeIgniter-based sites, such as http://codeigniter.com/forums/?
2

Oh, I'm sorry about that. I didn't understand your question. Now I understand.

0

Maybe a stupid question but is the token in the form the same as the token in the cookie?
Also, on page refresh, is the form token different every time?
It works on W7 - but you already know that.

0

> What web browser?

All that were tried: IE10 and Chrome.

> Does the problem happen when submitting any DaniWeb form, including trying to search?

I didn't try. Sadly, the hard drive that I bought to house Windows 8 died last night...

> Does the problem happen on other CodeIgniter-based sites, such as http://codeigniter.com/forums/?

I didn't try, but that will be in my troubleshooting steps when I get a new hard drive and get the system back on its feet.

1

Try to remove the underscore from the CSRF cookie name:

$config['csrf_cookie_name'] = 'csrfcookie';

From what I've read in the past, it seems that the latest IE versions don't like it.

0

> Try to remove the underscore from the CSRF cookie name:

Missed that. I read that too. I was looking at the sessname cookie. +1

Edited by diafol

0

> From what I've read in the past, it seems that the latest IE versions don't like it.

I read that too on another forum, but supposedly it was tried to no success. What's weird is that there are people for which IE10 and Windows 8 work fine.

0

Another thing to try, that would explain why it works for one person and not another:

Try Internet Explorer Compatibility mode both in IE10 mode and also in IE9 mode, and let me know if one works and the other doesn't.

0

Add in W7/IE9 (64-bit) : success

Add in W7/IE9 Compat (64-bit) : success

Consistent csrf token throughout compatibility switching through v9 and v8 and switching user agent string.

Sorry don't have IE10/W8. And I don't want to download the preview version.

This ain't a DNT issue is it?

Edited by diafol

0

Just an update, I got a new hard drive and installed Windows 8 again but this time without the SmartScreen filter enabled by default. I'm now posting from that installation, so there's something about that filter that boogers up our sessions.

Still a high priority issue though, given that SmartScreen is enabled in the default custom settings and the express install settings.

0

So SmartScreen is something that can be enabled/disabled on the fly for Internet Explorer, right? Why would that be affecting Chrome??

0

Apparently it's built into the OS too, but IE10 has a version to check URLs. I'm guessing the OS level filter affects other browsers too, otherwise I'd agree that it shouldn't affect Chrome.

0

So can you try flipping the switch on the OS-level one, and see if both browsers stop working?

0

Upon doing some more research, it appears that IE8 includes the SmartScreen filter. It turns out I've always had it enabled. So either MS has done some extensive changes to SmartScreen or something else is going on here.

0

The solution for me was this:

Edit application/config/user_agents.php and add 'windows nt 6.2' => 'Windows 8', to the $platforms array().

After that it should be safe to set $config['sess_match_useragent'] = TRUE;

0

I've finally upgraded to Windows 8 and everything seems to be working for me without having made any changes. Odd??

0

Yeah, scratch what I said earlier. Turns out that the problem I was having was due to the IE 9 and 10 VMs that Microsoft released for testing all versions of IE: http://osxdaily.com/2011/09/04/internet-explorer-for-mac-ie7-ie8-ie-9-free/

I'm still not exactly sure why it was happening, but I did a lot of testing on the cookies and I was able to find out that the cookies were expiring 3 hours ahead of schedule even though they were being set correctly. Even the expiration date that was displayed in IE's developer tools was correct.

Timezone and server time are all set correctly so, again, I'm still not sure what the issue is here, but it's definitely confined within the VMs. Works fine otherwise.

If anyone else has any insight about this I would love to know.

Cheers.
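
Added example, not code from this thread or from CodeIgniter: a small Python simulation that combines the check asked about earlier (is the form token the same as the cookie token?) with the early cookie expiry described in the last post. It assumes the CSRF check compares the posted `csrf_token` with the `csrf_cookie` value, that the cookie carries an absolute expiry computed from the server clock, and that the browser judges that expiry against its own clock; the client clock offset is a hypothetical input used to reproduce the symptom, not a cause confirmed by the thread.

```python
import hmac
from datetime import datetime, timedelta, timezone

# Values taken from the configuration in the question.
CSRF_EXPIRE = 7200            # $config['csrf_expire'], in seconds
COOKIE_NAME = "csrf_cookie"   # $config['csrf_cookie_name']
TOKEN_NAME = "csrf_token"     # $config['csrf_token_name']


def issue_cookie(token, server_now):
    """Server side: absolute expiry = server clock + csrf_expire (assumption)."""
    return {"name": COOKIE_NAME, "value": token,
            "expires": server_now + timedelta(seconds=CSRF_EXPIRE)}


def browser_cookies(jar, client_now):
    """Browser side: only cookies not yet expired by the client's clock are sent."""
    return {c["name"]: c["value"] for c in jar if c["expires"] > client_now}


def csrf_verify(post, cookies):
    """Double-submit check: the posted token must equal the cookie value."""
    sent, stored = post.get(TOKEN_NAME), cookies.get(COOKIE_NAME)
    if not sent or not stored:
        return False  # missing cookie looks like an invalid/expired token
    return hmac.compare_digest(sent, stored)


def submit(skew_hours, think_seconds=60):
    """Load a form, wait think_seconds, then POST it with the client
    clock running skew_hours ahead of the server (hypothetical offset)."""
    server_now = datetime(2012, 11, 1, 12, 0, tzinfo=timezone.utc)  # constructed
    token = "3f2a9c0de1b74455"                                      # constructed
    jar = [issue_cookie(token, server_now)]
    client_now = server_now + timedelta(hours=skew_hours, seconds=think_seconds)
    return csrf_verify({TOKEN_NAME: token}, browser_cookies(jar, client_now))


if __name__ == "__main__":
    for skew in (0, 1, 3):
        verdict = "accepted" if submit(skew) else "rejected"
        print(f"client clock +{skew}h -> POST {verdict}")
```

With a 7200-second lifetime, any client whose clock runs more than two hours ahead discards the cookie on arrival, so the form token is correct but has nothing to be compared against.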
