FuelPHP Forums

CSRF Error FuelPHP 1.8
  • Hi WanWizard,

    I have set up Ormauth, all tables have been created. I then set up an admin with pages.

    When I go to admin and log in using the default admin admin I am getting this error!

    Error!
    Fuel\Core\SecurityException [ Error ]:
    CSRF validation failed, Possible hacking attempt detected!

    COREPATH/classes/security.php @ line 62

    57 if (\Config::get('security.csrf_autoload', true))
    58 {
    59 $check_token_methods = \Config::get('security.csrf_autoload_methods', array('post', 'put', 'delete'));
    60 if (in_array(strtolower(\Input::method()), $check_token_methods) and ! static::check_token())
    61 {
    62 throw new \SecurityException('CSRF validation failed, Possible hacking attempt detected!');
    63 }
    64 }
    65
    66 // throw an exception if the output filter setting is missing from the app config
    67 if (\Config::get('security.output_filter', null) === null)
    Backtrace

    COREPATH/classes/autoloader.php @ line 364
    COREPATH/classes/autoloader.php @ line 247
    COREPATH/classes/fuel.php @ line 181
    APPPATH/bootstrap.php @ line 30
    DOCROOT/index.php @ line 44

    Csrf is set up with my own key - also in Chrome developer it shows that the cookie is there!
    Any idea why I would be getting this Error?

    Thank you
  • HarroHarro
    Accepted Answer
    I have changed the topic title, and moved the topic, because this has no relation with Ormauth at all.

    You can only get this if:
    - there is no csrf value in the posted data
    - there is a csrf value, but it doesn't match

    Since you say you have a valid cookie, are you sure the csrf key is added to your form as a hidden field?
  • Hi WanWizard,

    You are right the CSRF hidden is missing in the form, this was generated using oil. Shouldn't oil have added the csrf key to the form, if I have it configured to use csrf in the config?

    Also what should I put in the form for this to work, the hidden key values?

    Thank you.

  • Ok, I got everything working now!

    Thank you for your time WanWizard.

  • No, it's up to you whether or not you want/need to use it.

    By default, security.csrf_autoload is false in the config, so it isn't checked.
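
Added example, not part of the thread and not FuelPHP's own code: a simplified stand-alone PHP model of the cookie-versus-hidden-field comparison, showing why a valid cookie alone still fails the check. It assumes the field name `fuel_csrf_token` (FuelPHP's default `security.csrf_token_key`); the function names are hypothetical. In a FuelPHP view the hidden field is normally emitted with `Form::csrf()` inside the form.

```php
<?php
// Simplified stand-alone model of a cookie-to-form CSRF check (not FuelPHP's code).
// Assumptions: 'fuel_csrf_token' is the default security.csrf_token_key;
// issue_token(), hidden_field() and csrf_failure() are hypothetical helper names.
const TOKEN_KEY = 'fuel_csrf_token';
const CHECKED_METHODS = ['post', 'put', 'delete']; // default list shown in the error listing

// Random token: sent to the browser as a cookie and embedded in the form.
function issue_token(): string
{
    return bin2hex(random_bytes(32));
}

// The hidden field a form must carry for the check to pass.
function hidden_field(string $token): string
{
    return sprintf('<input type="hidden" name="%s" value="%s" />',
        TOKEN_KEY, htmlspecialchars($token, ENT_QUOTES, 'UTF-8'));
}

// Returns null when the request passes, otherwise the reason it is rejected.
function csrf_failure(string $method, array $cookies, array $posted): ?string
{
    if (!in_array(strtolower($method), CHECKED_METHODS, true)) {
        return null; // methods outside the configured list are not checked
    }
    $expected = $cookies[TOKEN_KEY] ?? '';
    $supplied = $posted[TOKEN_KEY] ?? null;
    if (!is_string($supplied) || $supplied === '') {
        return 'no csrf value in the posted data';
    }
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        return "csrf value doesn't match";
    }
    return null;
}

// Constructed requests: the cookie is valid in all three, as in the thread.
$token   = issue_token();
$cookies = [TOKEN_KEY => $token];
$cases   = [
    'form without hidden field' => ['username' => 'admin'],
    'stale hidden field value'  => ['username' => 'admin', TOKEN_KEY => issue_token()],
    'form with hidden field'    => ['username' => 'admin', TOKEN_KEY => $token],
];
echo hidden_field($token), PHP_EOL;
foreach ($cases as $label => $posted) {
    printf("%-28s => %s\n", $label, csrf_failure('POST', $cookies, $posted) ?? 'accepted');
}
```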
