codeigniter CSRF error: “La acción que ha solicitado no está permitida”.

habilité la opción csrf_protection en el archivo de configuración codeigniter y usé la función form_open () para crear mis formularios. pero cuando envío el formulario, aparece este error:

The action you have requested is not allowed. 

He hecho las respuestas como este tema (que está más relacionado con mi pregunta): pregunta

pero no funcionaron y el problema aún permanece. config.php

 <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed'); /* |-------------------------------------------------------------------------- | Base Site URL |-------------------------------------------------------------------------- | | URL to your CodeIgniter root. Typically this will be your base URL, | WITH a trailing slash: | | http://example.com/ | | If this is not set then CodeIgniter will guess the protocol, domain and | path to your installation. | */ $config['base_url'] = ''; /* |-------------------------------------------------------------------------- | Index File |-------------------------------------------------------------------------- | | Typically this will be your index.php file, unless you've renamed it to | something else. If you are using mod_rewrite to remove the page set this | variable so that it is blank. | */ $config['index_page'] = 'index.php'; /* |-------------------------------------------------------------------------- | URI PROTOCOL |-------------------------------------------------------------------------- | | This item determines which server global should be used to retrieve the | URI string. The default setting of 'AUTO' works for most servers. | If your links do not seem to work, try one of the other delicious flavors: | | 'AUTO' Default - auto detects | 'PATH_INFO' Uses the PATH_INFO | 'QUERY_STRING' Uses the QUERY_STRING | 'REQUEST_URI' Uses the REQUEST_URI | 'ORIG_PATH_INFO' Uses the ORIG_PATH_INFO | */ $config['uri_protocol'] = 'AUTO'; /* |-------------------------------------------------------------------------- | URL suffix |-------------------------------------------------------------------------- | | This option allows you to add a suffix to all URLs generated by CodeIgniter. | For more information please see the user guide: | | http://codeigniter.com/user_guide/general/urls.html */ $config['url_suffix'] = ''; /* |-------------------------------------------------------------------------- | Default Language | -------------------------------------------------------------------------- | | This determines which set of language files should be used. Make sure | there is an available translation if you intend to use something other | than english. | */ $config['language'] = 'persian'; /* |-------------------------------------------------------------------------- | Default Character Set |-------------------------------------------------------------------------- | | This determines which character set is used by default in various methods | that require a character set to be provided. | */ $config['charset'] = 'UTF-8'; /* |-------------------------------------------------------------------------- | Enable/Disable System Hooks |-------------------------------------------------------------------------- | | If you would like to use the 'hooks' feature you must enable it by | setting this variable to TRUE (boolean). See the user guide for details. | */ $config['enable_hooks'] = FALSE; /* |-------------------------------------------------------------------------- | Class Extension Prefix |-------------------------------------------------------------------------- | | This item allows you to set the filename/classname prefix when extending | native libraries. For more information please see the user guide: | | http://codeigniter.com/user_guide/general/core_classes.html | http://codeigniter.com/user_guide/general/creating_libraries.html | */ $config['subclass_prefix'] = 'MY_'; /* |-------------------------------------------------------------------------- | Allowed URL Characters |-------------------------------------------------------------------------- | | This lets you specify with a regular expression which characters are permitted | within your URLs. When someone tries to submit a URL with disallowed | characters they will get a warning message. | | As a security measure you are STRONGLY encouraged to restrict URLs to | as few characters as possible. By default only these are allowed: az 0-9~%.:_- | | Leave blank to allow all characters -- but only if you are insane. | | DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!! | */ $config['permitted_uri_chars'] = 'az 0-9~%.:_\-'; /* |-------------------------------------------------------------------------- | Enable Query Strings |-------------------------------------------------------------------------- | | By default CodeIgniter uses search-engine friendly segment based URLs: | example.com/who/what/where/ | | By default CodeIgniter enables access to the $_GET array. If for some | reason you would like to disable it, set 'allow_get_array' to FALSE. | | You can optionally enable standard query string based URLs: | example.com?who=me&what=something&where=here | | Options are: TRUE or FALSE (boolean) | | The other items let you set the query string 'words' that will | invoke your controllers and its functions: | example.com/index.php?c=controller&m=function | | Please note that some of the helpers won't work as expected when | this feature is enabled, since CodeIgniter is designed primarily to | use segment based URLs. | */ $config['allow_get_array'] = TRUE; $config['enable_query_strings'] = FALSE; $config['controller_trigger'] = 'c'; $config['function_trigger'] = 'm'; $config['directory_trigger'] = 'd'; // experimental not currently in use /* |-------------------------------------------------------------------------- | Error Logging Threshold |-------------------------------------------------------------------------- | | If you have enabled error logging, you can set an error threshold to | determine what gets logged. Threshold options are: | You can enable error logging by setting a threshold over zero. The | threshold determines what gets logged. Threshold options are: | | 0 = Disables logging, Error logging TURNED OFF | 1 = Error Messages (including PHP errors) | 2 = Debug Messages | 3 = Informational Messages | 4 = All Messages | | For a live site you'll usually only enable Errors (1) to be logged otherwise | your log files will fill up very fast. | */ $config['log_threshold'] = 0; /* |-------------------------------------------------------------------------- | Error Logging Directory Path |-------------------------------------------------------------------------- | | Leave this BLANK unless you would like to set something other than the default | application/logs/ folder. Use a full server path with trailing slash. | */ $config['log_path'] = ''; /* |-------------------------------------------------------------------------- | Date Format for Logs |-------------------------------------------------------------------------- | | Each item that is logged has an associated date. You can use PHP date | codes to set your own date formatting | */ $config['log_date_format'] = 'Ymd H:i:s'; /* |-------------------------------------------------------------------------- | Cache Directory Path |-------------------------------------------------------------------------- | | Leave this BLANK unless you would like to set something other than the default | system/cache/ folder. Use a full server path with trailing slash. | */ $config['cache_path'] = ''; /* |-------------------------------------------------------------------------- | Encryption Key |-------------------------------------------------------------------------- | | If you use the Encryption class or the Session class you | MUST set an encryption key. See the user guide for info. | */ $config['encryption_key'] = 'b{{h#/Ib;pd<%+H0?ujvv9KLRc0LR-o8ot"K*so.J&}4\qCQ+Ij81ih\d48fx5_'; /* |-------------------------------------------------------------------------- | Session Variables |-------------------------------------------------------------------------- | | 'sess_cookie_name' = the name you want for the cookie | 'sess_expiration' = the number of SECONDS you want the session to last. | by default sessions last 7200 seconds (two hours). Set to zero for no expiration. | 'sess_expire_on_close' = Whether to cause the session to expire automatically | when the browser window is closed | 'sess_encrypt_cookie' = Whether to encrypt the cookie | 'sess_use_database' = Whether to save the session data to a database | 'sess_table_name' = The name of the session database table | 'sess_match_ip' = Whether to match the user's IP address when reading the session data | 'sess_match_useragent' = Whether to match the User Agent when reading the session data | 'sess_time_to_update' = how many seconds between CI refreshing Session Information | */ $config['sess_cookie_name'] = 'ins_mngm_system'; $config['sess_expiration'] = 7200; $config['sess_expire_on_close'] = TRUE; $config['sess_encrypt_cookie'] = TRUE; $config['sess_use_database'] = TRUE; $config['sess_table_name'] = 'user_sessions'; $config['sess_match_ip'] = TRUE; $config['sess_match_useragent'] = TRUE; $config['sess_time_to_update'] = 300; /* |-------------------------------------------------------------------------- | Cookie Related Variables |-------------------------------------------------------------------------- | | 'cookie_prefix' = Set a prefix if you need to avoid collisions | 'cookie_domain' = Set to .your-domain.com for site-wide cookies | 'cookie_path' = Typically will be a forward slash | 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists. | */ $config['cookie_prefix'] = ""; $config['cookie_domain'] = ""; $config['cookie_path'] = "/"; $config['cookie_secure'] = TRUE; /* |-------------------------------------------------------------------------- | Global XSS Filtering |-------------------------------------------------------------------------- | | Determines whether the XSS filter is always active when GET, POST or | COOKIE data is encountered | */ $config['global_xss_filtering'] = TRUE; /* |-------------------------------------------------------------------------- | Cross Site Request Forgery |-------------------------------------------------------------------------- | Enables a CSRF cookie token to be set. When set to TRUE, token will be | checked on a submitted form. If you are accepting user data, it is strongly | recommended CSRF protection be enabled. | | 'csrf_token_name' = The token name | 'csrf_cookie_name' = The cookie name | 'csrf_expire' = The number in seconds the token should expire. */ $config['csrf_protection'] = TRUE; $config['csrf_token_name'] = 'relt'; $config['csrf_cookie_name'] = 'csrf_cookie_name'; $config['csrf_expire'] = 7200; /* |-------------------------------------------------------------------------- | Output Compression |-------------------------------------------------------------------------- | | Enables Gzip output compression for faster page loads. When enabled, | the output class will test whether your server supports Gzip. | Even if it does, however, not all browsers support compression | so enable only if you are reasonably sure your visitors can handle it. | | VERY IMPORTANT: If you are getting a blank page when compression is enabled it | means you are prematurely outputting something to your browser. It could | even be a line of whitespace at the end of one of your scripts. For | compression to work, nothing can be sent before the output buffer is called | by the output class. Do not 'echo' any values with compression enabled. | */ $config['compress_output'] = FALSE; /* |-------------------------------------------------------------------------- | Master Time Reference |-------------------------------------------------------------------------- | | Options are 'local' or 'gmt'. This pref tells the system whether to use | your server's local time as the master 'now' reference, or convert it to | GMT. See the 'date helper' page of the user guide for information | regarding date handling. | */ $config['time_reference'] = 'local'; /* |-------------------------------------------------------------------------- | Rewrite PHP Short Tags |-------------------------------------------------------------------------- | | If your PHP installation does not have short tag support enabled CI | can rewrite the tags on-the-fly, enabling you to utilize that syntax | in your view files. Options are TRUE or FALSE (boolean) | */ $config['rewrite_short_tags'] = FALSE; /* |-------------------------------------------------------------------------- | Reverse Proxy IPs |-------------------------------------------------------------------------- | | If your server is behind a reverse proxy, you must whitelist the proxy IP | addresses from which CodeIgniter should trust the HTTP_X_FORWARDED_FOR | header in order to properly identify the visitor's IP address. | Comma-delimited, eg '10.0.1.200,10.0.1.201' | */ $config['proxy_ips'] = ''; /* End of file config.php */ /* Location: ./application/config/config.php */ 

controlador (main.php):

 load->controller('access_controll'); //} public function index() { redirect('auth/login'); } public function login() { } public function registration() { $this->load->view('register'); } public function forgot() { } } /* End of file main.php */ /* Location: ./application/controllers/main.php */ 

view (login.php):

        <link rel="shortcut icon" href="template/img/favicon.png"> ورود به حساب کاربری  <link href="template/css/bootstrap.rtl.css" rel="stylesheet">  <link href="template/style.css" rel="stylesheet">             

El problema resuelto por esta Solución:

configura $config['cookie_secure'] en el archivo de configuración en FALSE si estás utilizando HTTP.

El más fácil para mí fue incluir en la lista blanca el URI como se explica en la Guía del usuario de CodeIgniter ( aquí )

Los URI seleccionados pueden incluirse en la lista blanca de la protección csrf (por ejemplo, puntos finales API que esperan contenido POSTed externamente). Puede agregar estos URI editando el parámetro de configuración ‘csrf_exclude_uris’:

 $config['csrf_exclude_uris'] = array('api/person/add'); 

Simplemente incluya esto en su formulario y todo estará bien entonces.

  

En config / config.php tengo

 $config['csrf_token_name'] = 'my.token.name'; 

Pero cuando uso var_dump para $ _POST veo:

  ["my_token_name"]=> string(32) "f5d78f8c8bb1800d10af59df8c302515" 

CI cambia mi csrf_token_name (sic!)

Solución: cambié

 $config['csrf_token_name'] = 'my.token.name'; 

a

 $config['csrf_token_name'] = 'my_token_name'; 

Ahora funciona.

Cuando todo lo demás falló, noté que tenía mis variables de cookies configuradas, eliminando el nombre de la cookie, etc. resolví mi problema.

Para todos los que probaron todo lo que se sugirió aquí, y todavía tiene este problema.

Mi problema fue el tiempo de vencimiento de la cookie.

 $config['csrf_expire'] = 7200; 

Después de que caduque la cookie y el usuario intente enviar un formulario, recibirá el error

 The action you have requested is not allowed. 

Agregué un javascript simple a cada página, que corrige el problema para el 99% de los usuarios. (el 1% son usuarios que tienen JS deshabilitado en su navegador)

 setInterval(function () { if(alert('Your session has expired!')){} else window.location.reload(); }, 7200000); 

En la configuración, si ha configurado el nombre de dominio de la cookie

 $config['cookie_domain'] = 'xyz.com'; 

y navegas usando localhost . obtendrás el error

La acción que ha solicitado no está permitida

comprueba que si ayuda

Asegúrese de que su BASE_URL coincida con la URL que está viendo. Tengo dos alias (uno fue creado para oauth) y el proyecto funciona en ambos alias, pero CSRF fallará si BASE_URL no coincide con la URL en el navegador.

si permite true en $config['csrf_protection'] = true; dentro del archivo de configuración y también está agregando un formulario de autoload que podemos usar.

Paso 1. dentro de la carpeta de configuración cargar automáticamente el formulario de carga de ayudante

 $autoload['helper'] = array('url', 'file','form'); 

Paso 2.

 $config['csrf_protection'] = true; 

Paso 3. durante la carga en la carpeta de visualización

  

De lo contrario, puede usar solo

 $config['csrf_protection'] = false; 

cambiar la línea no 451

 $config['csrf_protection'] = true; 

a

 $config['csrf_protection'] = false; 

Porque esta csrf_protection está en desuso en CodeIgniter .

EXCLUIR URL EN ARCHIVO CONFIG:

EJEMPLO:

 $config['csrf_exclude_uris'] = array('main/registration','main/login'); 

He encontrado una solución a este problema, que es bastante simple. Eliminé el div con la pantalla: no hay ningún estilo que rodee la entrada csrf_protection. El div no es relevante ya que el tipo de entrada está configurado como oculto. En CodeIginiterFolder / system / helpers / form_helper.php, cambié el siguiente contenido (alrededor de la línea 75):

 if (is_array($hidden) AND count($hidden) > 0) { $form .= sprintf("
%s
", form_hidden($hidden)); }

para el siguiente:

 if (is_array($hidden) AND count($hidden) > 0) { $form .= form_hidden($hidden); }