I have this reset password code, which is copied from the original code:

/**
 * Create a one-time CSRF nonce for the next form submission.
 *
 * A random field name and a random token are generated and stored as session
 * flashdata under 'csrfkey' and 'csrfvalue'. CodeIgniter flashdata is only
 * available on the next request to the application, so any request that
 * arrives between rendering the form and its POST leaves the nonce
 * unavailable when it is validated.
 *
 * NOTE(review): the nonce is only as unpredictable as random_string();
 * confirm the installed string helper draws from a CSPRNG, or generate the
 * token from a cryptographically secure source instead.
 *
 * @return array Single-element array mapping the field name to the token.
 */
public function _get_csrf_nonce()
{
    $this->load->helper('string');

    // Generation order is kept: field name first, then the token.
    $fieldName = random_string('alnum', 8);
    $token = random_string('alnum', 20);

    $this->session->set_flashdata('csrfkey', $fieldName);
    $this->session->set_flashdata('csrfvalue', $token);

    $nonce = [];
    $nonce[$fieldName] = $token;

    return $nonce;
}

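/**
 * Check the posted CSRF nonce against the one stored in session flashdata.
 *
 * The field name ('csrfkey') and expected token ('csrfvalue') are read from
 * flashdata. If either is missing (for example because the flashdata has
 * already expired) the check fails closed before the POST data is read.
 *
 * @return bool TRUE only when the posted token matches the stored token.
 */
public function _valid_csrf_nonce()
{
    $field = $this->session->flashdata('csrfkey');
    $expected = $this->session->flashdata('csrfvalue');

    // Without a stored field name there is nothing to look up. In CodeIgniter 3,
    // post(NULL) returns the whole POST array, so never pass a missing key on.
    if (!is_string($field) || $field === '' || !is_string($expected) || $expected === '')
    {
        return FALSE;
    }

    $submitted = $this->input->post($field);

    // An empty or non-string submission (e.g. an array from "name[]") never matches.
    if (!is_string($submitted) || $submitted === '')
    {
        return FALSE;
    }

    // hash_equals() (PHP 5.6+) compares in constant time, so the comparison
    // does not reveal how many leading characters of the token were correct.
    return hash_equals($expected, $submitted);
}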

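/**
 * Final step of the forgotten-password flow: show the new-password form for a
 * valid reset code and, on a valid submission, change the password.
 *
 * The reset code is checked with ion_auth->forgotten_password_check(); an
 * invalid code redirects to home/forgot_password. A submission is accepted
 * only when form validation passes, the one-time CSRF nonce matches and the
 * posted user_id equals the id of the user the code belongs to. If the nonce
 * or user_id check fails, the reset code is cleared and an error page is
 * shown; nothing from the session is echoed back to the client.
 *
 * The CSRF nonce is stored as flashdata, which CodeIgniter keeps for the next
 * request only. Any other request handled by the application between
 * rendering the form and the POST therefore makes the check fail.
 *
 * @param string|null $code Reset code taken from the URL.
 * @return void
 */
public function reset_password($code = NULL)
{
    $this->lang->load('auth');

    if (!$code)
    {
        show_404();
    }

    $this->data['title'] = $this->lang->line('reset_password_heading');

    $user = $this->ion_auth->forgotten_password_check($code);

    if ($user)
    {
        // The minimum length is enforced server-side here; the HTML "pattern"
        // attributes below are only a client-side hint.
        $this->form_validation->set_rules('new', $this->lang->line('reset_password_validation_new_password_label'), 'required|min_length[' . $this->config->item('min_password_length', 'ion_auth') . ']|matches[new_confirm]');
        $this->form_validation->set_rules('new_confirm', $this->lang->line('reset_password_validation_new_password_confirm_label'), 'required');

        if ($this->form_validation->run() === FALSE)
        {
            // display the form, with validation errors or a flash message if any
            $this->data['message'] = (validation_errors()) ? validation_errors() : $this->session->flashdata('message');

            $this->data['min_password_length'] = $this->config->item('min_password_length', 'ion_auth');
            $this->data['new_password'] = [
                'name' => 'new',
                'id' => 'new',
                'type' => 'password',
                'class' => "form-control",
                'pattern' => '^.{' . $this->data['min_password_length'] . '}.*$',
            ];
            $this->data['new_password_confirm'] = [
                'name' => 'new_confirm',
                'id' => 'new_confirm',
                'type' => 'password',
                'class' => "form-control",
                'pattern' => '^.{' . $this->data['min_password_length'] . '}.*$',
            ];
            $this->data['user_id'] = [
                'name' => 'user_id',
                'id' => 'user_id',
                'type' => 'hidden',
                'value' => $user->id,
            ];

            // A fresh nonce is issued every time the form is rendered.
            $this->data['csrf'] = $this->_get_csrf_nonce();

            $this->data['code'] = $code;

            $this->load->view('reset_password', $this->data);
        }
        else
        {
            $identity = $user->{$this->config->item('identity', 'ion_auth')};

            $posted_user_id = $this->input->post('user_id');

            // Compare the ids as strings: a loose != would treat values such as
            // "1" and "01" as equal, and a non-string post value is never valid.
            if ($this->_valid_csrf_nonce() === FALSE || !is_string($posted_user_id) || (string) $user->id !== $posted_user_id)
            {
                // something fishy might be up: fail closed. The reset code is
                // invalidated and the stored nonce is never written to the response.
                $this->ion_auth->clear_forgotten_password_code($identity);

                show_error($this->lang->line('error_csrf'));
            }
            else
            {
                // finally change the password
                $change = $this->ion_auth->reset_password($identity, $this->input->post('new'));

                if ($change)
                {
                    // if the password was successfully changed
                    $this->session->set_flashdata('message', $this->ion_auth->messages());
                    redirect("home/login", 'refresh');
                }
                else
                {
                    $this->session->set_flashdata('message', $this->ion_auth->errors());
                    redirect('home/reset_password/' . $code, 'refresh');
                }
            }
        }
    }
    else
    {
        // if the code is invalid then send them back to the forgot password page
        $this->session->set_flashdata('message', $this->ion_auth->errors());
        redirect("home/forgot_password", 'refresh');
    }
}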

The view which is the same as the original auth view:

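<?php /* The form posts back to home/reset_password/{code}. The hidden fields carry the user id and the one-time CSRF nonce issued by the controller. */ ?>
<?php echo form_open('home/reset_password/'.$code); ?>
<?php echo form_input($user_id);?>
<?php echo form_hidden($csrf); ?>
<div class="body bg-gray">
   <div class="form-group">
        <?php /* "for" must match the input id set in the controller ('new'). */ ?>
        <label for="new">* Password</label>
        <?=form_input($new_password)?>
   </div>
   <div class="form-group">
        <?php /* "for" must match the input id set in the controller ('new_confirm'). */ ?>
        <label for="new_confirm">* Confirm Password</label>
        <?=form_input($new_password_confirm)?>
   </div>

 </div>
 <div class="footer">
       <button type="submit" class="login_btn">Change</button>
 </div>
<?=form_close()?>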

But I always get the security check error, and when I print the CSRF values stored in the session I find them empty after sending the POST request, even though the nonce exists in the form and is not empty. Similar code works fine with other forms, where the security check passes, but I still have the issue here.
