Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
CSRF Error FuelPHP 1.8
  • KoolCoderKoolCoder
    Hi WanWizard,

    I have setup Ormauth all tables have been created. I then setup and admin with pages.

    When I goto admin and login using the default admin admin I'am getting this error!

    Error!
    Fuel\Core\SecurityException [ Error ]:
    CSRF validation failed, Possible hacking attempt detected!

    COREPATH/classes/security.php @ line 62

    57 if (\Config::get('security.csrf_autoload', true))
    58 {
    59 $check_token_methods = \Config::get('security.csrf_autoload_methods', array('post', 'put', 'delete'));
    60 if (in_array(strtolower(\Input::method()), $check_token_methods) and ! static::check_token())
    61 {
    62 throw new \SecurityException('CSRF validation failed, Possible hacking attempt detected!');
    63 }
    64 }
    65
    66 // throw an exception if the output filter setting is missing from the app config
    67 if (\Config::get('security.output_filter', null) === null)
    Backtrace

    COREPATH/classes/autoloader.php @ line 364
    COREPATH/classes/autoloader.php @ line 247
    COREPATH/classes/fuel.php @ line 181
    APPPATH/bootstrap.php @ line 30
    DOCROOT/index.php @ line 44

    Csrf is setup with my own key - also in chrome developer it shows that the cookie is there!
    Any idea why I would be getting this Error?

    Thank you
  • HarroHarro
    Accepted Answer
    I have changed the topic title, and moved the topic, because this has no relation with Ormauth at all.

    You can only get this if:
    - there is no csrf value in the posted data
    - there is a csrf value, but it doesn't match

    Since you say you have a valid cookie, are you use the csrf key is added to your form as a hidden field?
  • KoolCoderKoolCoder
    Hi WanWizard,

    You are right the CSRF hidden is missing in the form, this was generated using oil. Shouldn't oil have added the csrf key to the form, if I have it configured to use csrf in the config?

    Also what should I put in the form for this to work, the hidden key values?

    Thank you.

  • KoolCoderKoolCoder
    Ok, I got everything working now!

    Thank you for your time WanWizard.

  • HarroHarro
    No, it's up to you whether or not you want/need to use it.

    By default, security.csrf_autoload is false in the config, so it isn't checked.
Add a Comment

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Categories

In this Discussion