CSRFProtector PHP library won't submit any form data


I am using the CSRFProtector library for PHP (https://github.com/mebjas/CSRF-Protector-PHP) and as soon as I turn it on all forms stop submitting and I get an error:

403 Access Forbidden by CSRFProtector!

My config file contains:

<?php
// config.php for CSRF-Protector-PHP as posted in the question
return array(
    "CSRFP_TOKEN" => "ctkn",              // name of the token cookie and form field (default renamed)
    "logDirectory" => "log",
    "failedAuthAction" => array(
        "GET" => 0,
        "POST" => 0),
    "errorRedirectionPage" => "",
    "customErrorMessage" => "",
    "jsPath" => "js/csrfprotector.js",
    "jsUrl" => "ABS PATH TO js/csrfprotector.js",
    "tokenLength" => 10,
    "disabledJavascriptMessage" => "",
    "verifyGetFor" => array()
);

and the log file for CSRF shows:

{"timestamp":1433842328,"HOST":"MYDOMAIN.COM","REQUEST_URI":"\/add","requestType":"POST",
"query":{"title":"234","date":"08\/06\/2015","submit":""},
"cookie":{"ctkn":"3c8c7dfebc","__insp_uid":"1173752613",
"PHPSESSID":"SESSION_ID","_ok":"3274-991-10-2674","__utma":"98457856.2008088440.1420840286.1431630284.1432025914.10",
"__utmc":"98457856","__utmz":"98457856.1429793890.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)","__insp_wid":"801086210",
"__insp_nv":"false","__insp_ref":"aHR0cHM6Ly93d3cubmF0dXJhbGhyLm5ldC9sb2dpbg==",
"__insp_identity":"33101","__insp_norec_sess":"true","__insp_slim":"1433237660812",
"mp_3a3715a3d0ca553aea5e93832d489346_mixpanel":"{\"distinct_id\": \"14adaecc111146-0576c4449-63161675-232800-14adaecc1122e6\",
\"$initial_referrer\": \"$direct\",\"$initial_referring_domain\": \"$direct\"}",
"_okbk":"cd5=available,cd4=true,vi5=0,vi4=1433789710017,vi3=active,vi2=false,vi1=false,
cd8=chat,cd6=0,cd3=false,cd2=0,cd1=0,","_gat":"1","_ga":"GA1.2.2008088440.1420840286",
"_oklv":"1433842325615,1q2TBnOvCYwsP8Vp452Bb0OMFOHE0QN6","olfsk":"olfsk31493824627250433",
"_okac":"96642aff6954f6ce73ba12dfbb632117","_okla":"1","wcsid":"1q2TBnOvCYwsP8Vp452Bb0OMFOHE0QN6",
"hblid":"BpAXj2n915tZ7ULn452Bb0OMFPI1k134"}}

Can anyone tell me why this is failing? What do I need to do to allow this genuine request but still stop any illicit ones?


There are 2 answers

Hardik On

You have changed CSRFP_TOKEN in the config file, so you need to change it in the JS file too, i.e. CSRFP_TOKEN: 'ctkn'

Matrix On

For me, the problem was that I'm using a bootstrap confirmation modal to confirm before submitting the form. When I checked the $_POST object, I found that it doesn't include the csrf_token.

You might have the same problem.