CodeIgniter use CSRF protection only in some pages - codeigniter

What I want to do is to protect some sensitive forms from CSRF attacks in CodeIgniter, but not all pages.
To protect from CSRF, if I set it in config.php it applies to all pages. Is there any way to do that only for some pages by setting it in the controller?
$config['csrf_protection'] = TRUE;

You can do this by editing the config.php file:
$config['csrf_protection'] = FALSE;
Step 1: create an array of the pages that you want to protect, e.g.
$csrf_pages = array('login', 'test');
Step 2: check whether the request is for a protected page and, if so, set it to TRUE:
if (isset($_SERVER["REQUEST_URI"])) {
    foreach ($csrf_pages as $csrf_page) {
        if (stripos($_SERVER["REQUEST_URI"], $csrf_page) !== FALSE) {
            $config['csrf_protection'] = TRUE;
            break;
        }
    }
}
Step 3: add this to your views:
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>" />
Or simply use the form_open() function to add the hidden CSRF token field automatically.

CI3 now has this feature: we can exclude URIs in the config.
http://www.codeigniter.com/userguide3/libraries/security.html?highlight=csrf#cross-site-request-forgery-csrf
$config['csrf_exclude_uris'] = array('api/person/add');
$config['csrf_exclude_uris'] = array(
    'api/record/[0-9]+',
    'api/title/[a-z]+'
);

For a safer approach, you should switch on CSRF protection at all times and only exempt the pages you wish in an array in the config.php file.
$config['csrf_protection'] = TRUE;
Then set an array of links you wish to exempt from CSRF protection:
$csrf_off = array(
    "/api",
    "/api/example",
    "/somelink/something/example"
);
Now turn CSRF protection off for those array links.
if (isset($_SERVER["REQUEST_URI"])) {
    if (in_array($_SERVER["REQUEST_URI"], $csrf_off)) {
        $config['csrf_protection'] = FALSE;
    }
}
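An added example, not from any of the answers above, that keeps protection on by default and matches the request path the way CI3's csrf_exclude_uris does: the query string is dropped before matching and every pattern is anchored, so 'login' matches /login but not /blog/login-tips, and "/api?x=1" still matches "api". The function name and the pattern list are assumptions.

```php
<?php
// Added example: decide per request whether CSRF protection applies.
// Default is ON; only the listed, anchored patterns are exempt.
$config['csrf_protection'] = TRUE;

// Same regex style as $config['csrf_exclude_uris'] in CI3, without a
// leading slash. Constructed list, not taken from the page.
$csrf_off = array(
    'api/person/add',
    'api/record/[0-9]+',
);

/**
 * Return TRUE when the path of $request_uri (e.g. $_SERVER['REQUEST_URI'])
 * matches one of $patterns. Only the path is compared (query string and
 * fragment are ignored) and each pattern is anchored, so the substring
 * matching that stripos() gives ('login' inside '/blog/login-tips') cannot
 * happen. Patterns must not contain the '#' delimiter.
 */
function csrf_uri_is_exempt($request_uri, array $patterns)
{
    $path = parse_url($request_uri, PHP_URL_PATH);
    if ($path === false || $path === null) {
        return FALSE;
    }
    // CI3 compares against the URI string without surrounding slashes.
    $path = trim($path, '/');
    foreach ($patterns as $pattern) {
        if (preg_match('#^' . $pattern . '$#i', $path) === 1) {
            return TRUE;
        }
    }
    return FALSE;
}

if (isset($_SERVER['REQUEST_URI'])
    && csrf_uri_is_exempt($_SERVER['REQUEST_URI'], $csrf_off)) {
    $config['csrf_protection'] = FALSE;
}
```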

Related

Codeigniter setting csrf_protection from controller

When I try to set csrf_protection in CodeIgniter to true
$this->config->set_item('csrf_protection', TRUE);
from the controller, the token is not generated even though the value really is set to true, and in the form the hidden input is set, but with the native name value and not with the one I set
$this->config->set_item('csrf_cookie_name', 'cookie_direct')
as if the security library must be reloaded.
I can't use $config['csrf_ignore'] because I want the opposite: all the controllers on
$config['csrf_protection'] = FALSE;
or
$config['csrf_protection'] = true;
with AJAX when the user makes a choice.
Is there any solution?

Saving the page state after choosing filters

I have some filters on a web page (checkboxes) and I modify the result list via an AJAX POST. Is there a way that I can somehow save the page state and send the URL link to someone so they open it in that state? Any help is appreciated.
By the way, I'm using Laravel.
You can use parameters:
test.com/page?checkbox1=checked&checkbox2=checked
In your Laravel controller you can do this:
use Illuminate\Http\Request; // at the top of the controller file

public function page(Request $request) {
    // One true/false entry per checkbox, in the order the view renders them.
    $checkboxes = array();
    $checkboxes[] = $request->has('checkbox1');
    $checkboxes[] = $request->has('checkbox2');
    // ... and so on.
    return view('page', compact('checkboxes'));
}
And set your PHP page like this:
<?php $i = 0; ?>
<input type="checkbox" <?php echo $checkboxes[$i++] ? 'checked' : ''; ?>>
You can set the checkbox as a parameter in the URL, and when the user goes to your address, check whether any of your params are present.
If so, set the checkboxes as you wish.
Just to get the general idea:
function getUrlParams(requested_param) {
    // Check whether the parameter is present in the query string.
    return new URLSearchParams(window.location.search).has(requested_param);
}
if (getUrlParams('myCheckBox')) {
    $('#checkbox_on_page').prop("checked", true);
}

Access WordPress widget options on registered sidebars through AJAX

I need to get the widget options available in the sidebars of a WordPress theme.
I have built the following code for accessing widget options through AJAX.
add_action('wp_ajax_get_sidebar_widget_info', 'get_sidebar_widget_info');
add_action('wp_ajax_nopriv_get_sidebar_widget_info', 'get_sidebar_widget_info');
function get_sidebar_widget_info(){
    header('Content-Type: application/json');
    global $wp_registered_widgets;
    $response = array();
    $sidebars_widget_list = get_option('sidebars_widgets');
    unset($sidebars_widget_list['array_version']);
    foreach ($sidebars_widget_list as $sidebar_id => $widget_list) {
        foreach ((array) $widget_list as $widget_id) {
            // Skip ids whose widget is not registered (e.g. its plugin is disabled).
            if (!isset($wp_registered_widgets[$widget_id])) {
                continue;
            }
            $widget_option_name = $wp_registered_widgets[$widget_id]['callback'][0]->option_name;
            $widget_number = $wp_registered_widgets[$widget_id]['params'][0]['number'];
            $widget_options = get_option($widget_option_name);
            $response[$sidebar_id]['widgets'][$widget_id] = $widget_options[$widget_number];
        }
    }
    echo json_encode($response);
    wp_die();
}
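The handler above is hooked on both wp_ajax_ and wp_ajax_nopriv_, so it answers logged-out visitors as well. As an added example, not code from the post, here is the same lookup served only to users who may manage widgets and only with a valid nonce; the action name, function name and nonce action are assumptions.

```php
<?php
// Added example: widget options returned only to authorised, nonce-carrying
// requests. Only wp_ajax_ is hooked, so logged-out callers get WordPress's
// default refusal instead of the data.
add_action('wp_ajax_get_sidebar_widget_info', 'sidebar_widget_info_secure');

function sidebar_widget_info_secure() {
    // Dies with 403 unless a nonce made by wp_create_nonce('sidebar_widget_info')
    // arrives as "_ajax_nonce" (or "_wpnonce"). Nonce action is an assumption.
    check_ajax_referer('sidebar_widget_info');

    // Widget settings hold whatever an admin typed; limit them to users
    // who can see the Widgets screen anyway.
    if (!current_user_can('edit_theme_options')) {
        wp_send_json_error('insufficient permissions', 403);
    }

    global $wp_registered_widgets;
    $response = array();
    $sidebars = get_option('sidebars_widgets', array());
    unset($sidebars['array_version']);

    foreach ($sidebars as $sidebar_id => $widget_ids) {
        if (!is_array($widget_ids)) {
            continue;
        }
        foreach ($widget_ids as $widget_id) {
            // Skip ids that are no longer registered (e.g. a disabled plugin).
            if (empty($wp_registered_widgets[$widget_id]['callback'][0])) {
                continue;
            }
            $widget = $wp_registered_widgets[$widget_id]['callback'][0];
            $number = $wp_registered_widgets[$widget_id]['params'][0]['number'];
            $all    = get_option($widget->option_name, array());
            $response[$sidebar_id]['widgets'][$widget_id] =
                isset($all[$number]) ? $all[$number] : null;
        }
    }

    // Sets the JSON content type, encodes the payload and calls wp_die().
    wp_send_json_success($response);
}
```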

You are not authorised to view this resource - Joomla

I am using Joomla version 2.5.9, and I would like Joomla to redirect me to the login page if I am not logged in when I click an article whose Permission Access is for Registered only, but instead Joomla returns me this message: You are not authorised to view this resource.
And I don't see any reason why Joomla by default hasn't made it redirect to the login page.
Thanks
This doesn't answer your exact question, but I think it's a good workaround. I'm working on the same issue. My approach at the moment is to check the messages for the "not authorised" string, and then set a flag based on that. You can then check that flag anywhere in the template and either redirect, or just choose to optionally show the login form.
<?php
/* get messages from the application */
$app = JFactory::getApplication();
$messages = $app->getMessageQueue();
/* set login flag to 0 */
$showlogin = 0;
/* if there is a message set... */
if (isset($messages[0])) {
    /* loop through messages and check for the "not authorised" string */
    foreach ($messages as $msg) {
        if ($msg["type"] == "error" && strpos($msg["message"], "not authorised") !== false) {
            /* if found, update login flag */
            $showlogin = 1;
        }
    }
}
/* include in template body - you could redirect here instead of including the login form */
if ($showlogin) { ?>
    <jdoc:include type="modules" name="login-form" style="none" />
<?php } ?>
This happens when you try to access an article which is not visible, but the category is publicly visible.
It seems it is not considered a bug, but I think it's a pretty unexpected "feature".
To fix this you can edit:
joomla/components/com_content/views/article/view.html.php
// Check the view access to the article (the model has already computed the values).
if ($item->params->get('access-view') == false && ($item->params->get('show_noauth', '0') == '0'))
{
    $app->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'error');
    $uri = urlencode(base64_encode(JURI::getInstance()->toString()));
    JFactory::getApplication()->redirect(
        JRoute::_('index.php?option=com_users&view=login&return=' . $uri, false)
    );
    return;
}
This will show the login screen and return to the article after a successful login.
If you don't want to edit the core file (because you want to update your system), you have to create a system plugin to override this.

How to logout from site?

How do I log out from all pages of the view? When I click the logout link I only get logged out of one page; when I try to log out from another page it does not work.
My controller code is:
public function do_login()
{
    $this->user = $this->input->post('user_email', TRUE);
    $this->pass = $this->input->post('user_pass', TRUE);
    $this->pass = md5(sha1(sha1($this->pass)));
    $u = new User();
    $login_data = array('email' => $this->user, 'password' => $this->pass);
    $u->where($login_data)->get();
    if (!empty($u->id) && $u->id > 0)
    {
        $_SESSION['user_id'] = $u->id;
        $_SESSION['user_name'] = $u->username;
        $_SESSION['fullname'] = $u->fullname;
        $_SESSION['is_verefied'] = $u->active;
        $_SESSION['user_email'] = $u->email;
        $u->lastlogin = time();
        $u->save();
        setcookie("logged", 1, time() + 86400);
        // Take the referer from POST, then from GET, else go to the front page.
        if (!empty($_POST['referer']))
        {
            $url = $_POST['referer'];
        }
        elseif (!empty($_GET['referer']))
        {
            $url = $_GET['referer'];
        }
        else
        {
            $url = "./";
        }
        // Only follow a local path: an absolute or protocol-relative referer
        // would let the login form redirect the user to another site.
        if ($url !== "./" && (strpos($url, '/') !== 0 || strpos($url, '//') === 0))
        {
            $url = "./";
        }
        redirect($url);
    }
    else
    {
        $this->template->set_layout('inner');
        $this->template->build('login_view', $this->data);
    }
}
public function logout()
{
    setcookie("logged", 0, time() + 86400);
    $_COOKIE["logged"] = '';
    $_SESSION['user_id'] = '';
    $_SESSION['user_name'] = '';
    $_SESSION['fullname'] = '';
    $_SESSION['is_verefied'] = '';
    $_SESSION['user_email'] = '';
    redirect('./home/index/logout');
}
When I log out of the site and click back in the browser, the user information session is not deleted.
The back button of your browser might get you to a cached version of your page, cached from back when you were logged in. Also, I suggest you use CodeIgniter's sessions.
To make sure you're doing everything right:
Destroy the session:
$this->session->sess_destroy();
Clear the cookie; make sure you use the same domain as when you set it up, and that the time is set in the past:
setcookie('logged', '', time() - 3600); // minus one hour
This script will log the user out of all pages that have a session started on them. You know a page uses sessions if this code is at the top of the code for that page:
<?php session_start(); ?>
Logging out of a website is simply clearing any session data and then destroying it.
Try the following in your logout.php:
<?php
session_start();
// What we're doing here is checking for any cookies used by the session.
// If there are any, we delete the data with them.
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
// Now unset the session data and destroy the session.
session_unset();
session_destroy();
// For the redirect, we simply use the PHP header() function to send the redirect URL to the browser.
header("Location: login");
exit;
Make sure when using the header function that there is no output, caused by blank spaces or HTML. As a logout page, there should be no output anyway, since navigating to the logout page should log the user out and immediately redirect.
I use this script on all my sites and it works great. Anywhere I want the logout link to appear, I just link to the page as such:
<a href="logout.php">Logout</a>
Just make a file called logout.php and put this code into it.
Hope this helps you!
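The first answer points out that the Back button may show a cached copy of a page from before logout; the logout script alone does not prevent that. As an added example, not from either answer, here is a guard to include at the top of every authenticated page that sends no-store headers and enforces the session, paired with a logout that expires the session cookie with the same parameters it was set with. The function names and the 'login.php' paths are assumptions.

```php
<?php
// Added example: include require_login() at the top of each protected page
// and call logout_user() from logout.php. Paths are assumptions.

function require_login($login_url = 'login.php')
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Tell browsers and proxies not to keep a copy of this page, so the
    // Back button after logout does not replay the logged-in version.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $login_url);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function logout_user($after_logout_url = 'login.php')
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Drop all session data, not just selected keys.
    $_SESSION = array();
    // Expire the session cookie with the same path/domain/flags it was set
    // with; a cookie cleared for a different scope stays in the browser.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Cache-Control: no-store');
    header('Location: ' . $after_logout_url);
    exit;
}
```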
