Hey there

I am working into CI 2.0 beta. I have a simple form, which results in following error after sending:

An Error Was Encountered
The action you have requested is not allowed.

This error seems to be generated by Security.php. First I thought it has something to do with the CSRF-token which is generated by form_open(), so I wrote the html manually without token, but same result. What could trigger this behaviour?

Thx for any tipps
sl3dg3

When I set

it works - so yeah, it definitely has something to do with the csrf-token… :/

You are correct. The have finally finished this up in the latest update. When set to true, form_open() will add the hidden token value to the form. If you are creating the <form > tag manually, and have csrf set to TRUE, you will need to add this value in.

This gets a little tricky with some web services like Paypal/JSON/AJAX. If you try using IPN which POSTs data back, you will have problems. I found it best to create a whitelist of IP addresses to turn off the protection. Or use

Hmmmm. Not sure if I have the latest version (can’t find the download-link anymore), most probably not - as a matter of fact, it doesn’t work with form_open() and config set to true.

CI2 Download Link

pickupman - 12 August 2010 01:13 AM

This gets a little tricky with some web services like Paypal/JSON/AJAX. If you try using IPN which POSTs data back, you will have problems. I found it best to create a whitelist of IP addresses to turn off the protection.

Sorry to resurrect this, but I am having issues with Paypal IPNs using CI2 and wondered if this could relate. Where would you recommend implementing this whitelist? If I use the above code to disable the protection, is it ok to do it temporarily in my Paypal IPN handler, perform my operations, then re-enable the protection at the end without any issues?

Thanks!

I created a conditional statement in application/config/config.PHP and for turning csfr on and off based on IP address of the request.

pickupman - 12 August 2010 01:13 AM

... If you are creating the <form > tag manually, and have csrf set to TRUE, you will need to add this value in.

I stumbled on this via google when I had the same problem. I’m hard-coding my forms without the form helper, which means I miss out on including the token value. To do that, I included the following hidden input item:

Hope that helps someone! (Or maybe someone could point out any errors with this method?)

exactly what i was looking for, thanks.

I have a similar problem.
I have a method on a controller, that will receive $_POST data from an external webservice.
How can I disable CSRF only for this method?

I also tried $this->config->set_item(‘csrf_protection’, FALSE); 
but it doesnt work.

Thank you very much

Thank you so very very much! been wondering why my AJAX always returned an error :/

I also tried adding the $this->config->set_item(‘csrf_protection’,FALSE) but it didn’t work. Where did you place that?

Take a look at http://ellislab.com/forums/viewthread/182631/

The pre-system hook will work for me. Is there a reason the CSRF wasn’t checked in the form_validation->run()? That seemed like a reasonable place for it, allowing for individual form control as well.

The following code worked for me:

<input type=“hidden” name=”<?php echo $this->security->get_csrf_token_name()?>” value=”<?php echo $this->security->get_csrf_hash()?>” >

Hope it helps someone!

roark - 28 May 2011 09:09 PM

The following code worked for me:

<input type=“hidden” name=”<?php echo $this->security->get_csrf_token_name()?>” value=”<?php echo $this->security->get_csrf_hash()?>” >

Hope it helps someone!

thank you it helps

but you might better