EllisLab text mark
Advanced Search
“Disallowed Key Characters” because $_COOKIE were not cleared reasonable.
Posted: 05 January 2010 03:18 AM
Joined: 2009-04-29
2 posts


Yesterday I spent hours with the “Disallowed Key Characters” error message on my site. After went through some related topic in this forum, I’ve found the problem came from the $_COOKIE. I have the PHProxy 0.5b2 (you can find it on sourceforge.net) application running on my domain and enable the “Allow cookies to be stored” feature. The PHProxy’s cookie look like:


Notice there are “%” character in the key.
I looked at the system/libraries/Input.php and found these lines did not help me get rid of silly COOKIEs


I managed to improve the code a bit:

$CFG =& load_class('Config');
$cook_key array_keys($_COOKIE);
$safe_cook_key = array( '__utm',                        //google analytics
$cook_key as $val)
if(substr_compare($val$safe_cook_key[0],0strlen($safe_cook_key[0]))!=&& substr_compare($val$safe_cook_key[1],0strlen($safe_cook_key[0]))!=0)

And the result is nice to me. The stranger’s cookies were gone.

Do you guys think it’s a bug of Input.php? And i’m appreciate if s/o show me a better solution.

Thanks and regards,

Posted: 24 November 2010 12:45 PM   [ # 1 ]   [ Rating: 0 ]
Joined: 2010-11-24
1 posts

Thank you!
I had a problem where a client is hosting multiple sites on 1 domain and some of the other domain cookies are leaking into ours and causing the “Disallowed Key Characters” error message.

I used a refined version of the above (removing only a particular cookie), Thanks again!

Posted: 08 February 2011 05:57 AM   [ # 2 ]   [ Rating: 0 ]
Joined: 2010-12-25
20 posts

Hey all,

This an interesting solution, but it requires to change a CodeIgniter’s component, which is impossible on my setup.

It may be explained in other threads already… I dunno. However, I don’t see any link and I’ve no time to search, sorry.

So, if you cannot apply this fix you should check the name of your form fields. They all have to match a specific regular expression. With CodeIgniter 1.7.3, in file “system/libraries/Input.php” function _clean_input_keys($str) starts at line 215 and contains :

if ( ! preg_match("/^[a-z0-9:_\/-]+$/i"$str))
exit('Disallowed Key Characters.');

Take it easy !

Posted: 08 February 2011 08:47 AM   [ # 3 ]   [ Rating: 0 ]
Joined: 2009-06-19
6706 posts

Let me know how this works out for you all, when you have to
upgrade to a new version of CodeIgniter!

You should never ever modify a CodeIgniter core file!



Certified State of CT Computer Programming Teacher.
Custom Designed Icons, eBook Covers Software Boxes. CD, DVD Etc. New iPhone® Tab Bar Icons and iPhone® Applications Icons.

Skype: insitfx

STOP! Before posting your questions, remember the WWW Golden rule:
What did you try? What did you get? What did you expect to get?

Input -> Controller | Processing -> Model | Output -> View

Posted: 25 March 2011 10:19 AM   [ # 4 ]   [ Rating: 0 ]
Joined: 2011-02-03
3 posts

Hi All,
I am new to codeigniter, suffering from the same problem ‘Disallowed Key Characters. Whenever I try to submit form’, I am using codeigniter 2.0.1 on xampp server.
Please help!

Posted: 21 July 2011 11:11 AM   [ # 5 ]   [ Rating: 0 ]
Joined: 2011-07-21
2 posts

There is no problem with CI input library. I have done over 20 projects with both the 2.02 and older version and whenever I encounter such errors I try to figure it out in my code.
Example of a syntax error that generated the ‘Disallowed Key Characters’ message was:

<input type=“text” name=idno_tf” />

The correct format should be:
<input type=“text” name=“idno_tf” />

Note: the “” enclosing idno_tf(Thats the difference);
I strongly object one to change the system files, you better use an older version if you feel the one you are using has a bug.

Just look a bit harder and testing every component well. You will certainly find where you went wrong.

Posted: 25 July 2011 09:34 AM   [ # 6 ]   [ Rating: 0 ]
Joined: 2010-07-21
6 posts
Felix Cheruiyot - 21 July 2011 03:11 PM

There is no problem with CI input library.

I’m affraid ther is one in the special case Doan DU explained.

The best way to get rid of that is to erase the cookies from the domain where you have php proxy installed.

Or maybe we could override the Input class but that’s not for me.

Posted: 25 July 2011 09:42 AM   [ # 7 ]   [ Rating: 0 ]
Joined: 2011-07-25
1 posts

Good one..

Posted: 13 December 2011 10:50 PM   [ # 8 ]   [ Rating: 0 ]
Joined: 2011-07-28
13 posts

Hi, CI Community -

I too was having a problem with “Disallowed Key Characters” due to $_COOKIE array issues.  I found an elegant solution to this, and I’d like to share it with you.

The answer lies in the Session Variables section of the config.php file.  Instead of:




It appears that an encrypted cookie contains acceptable characters for CI processing while an unencrypted cookie contains characters considered unacceptable for CI processing.

In my humble and unprofessional opinion, a cookie should be readily processed by CI regardless of its encryptedness.
Warm Regards,

X Johnson

Posted: 16 August 2012 07:14 AM   [ # 9 ]   [ Rating: 0 ]
Joined: 2009-06-21
2 posts

The only solution that worked for me was the first one that Doan Du posted, but there was still a big problem after I used it -> the sessions does not work anymore. So I am not using that solution anymore. Anyway, thank you for your help.

My problem was that I have installed the same script on two diffrent domains and I used the same “sess_cookie_name”


for both of them.

Now I’m using different names on each domain and I have no problems.


Posted: 15 October 2013 04:28 AM   [ # 10 ]   [ Rating: 0 ]
Joined: 2012-11-02
1 posts

Not sure if this will help anybody but I was formatting a cURL request with this little piece which only started working when I started using rawurlencode().  I was receiving the “DISALLOWED KEY CHARACTERS” error prior to encoding the cookie values.  No core modifications were required:

$cookies = array();
$_COOKIE as $cookie_name => $cookie_value {
$cookie_name ."="rawurlencode($cookie_value);
$cookie_string implode("; "$cookies);


Posted: 19 June 2014 04:35 PM   [ # 11 ]   [ Rating: 0 ]
Joined: 2009-12-30
56 posts

Took a while to figure this one out. Seems most of us missed the obvious error…the last “-” is not escaped.

Adding the \. and | as I’ve seen other suggest may work for you, but the regex was supposed to be:

if ( ! preg_match("/^[a-z0-9:_\/\-\.|]+$/i"$str))