We use CodeIgniter custom session data to handle our login (among many other things). Our settings are as follows:
$config['sess_cookie_name'] = 'danisession'; $config['sess_expiration'] = 0; $config['sess_expire_on_close'] = FALSE; $config['sess_encrypt_cookie'] = TRUE; $config['sess_use_database'] = FALSE; $config['sess_table_name'] = 'ci_sessions'; $config['sess_match_ip'] = FALSE; $config['sess_match_useragent'] = FALSE; $config['sess_time_to_update'] = 300; ... $config['csrf_protection'] = true; $config['csrf_token_name'] = 'csrf_token'; $config['csrf_cookie_name'] = 'csrf_cookie'; $config['csrf_expire'] = 7200;
We used to have
sess_match_useragent set to true, but had to change it to false because it was causing issues with certain useragents that were giving different useragent info on each page load.
Now, we are experiencing the issue where a clean installation of Windows 8 is throwing back the CSRF error message for an invalid or expired token upon submitting a post request.