codeigniter CSRF 错误:“不允许您请求的操作。”
Posted
技术标签:
【中文标题】codeigniter CSRF 错误:“不允许您请求的操作。”【英文标题】:codeigniter CSRF error: "The action you have requested is not allowed." 【发布时间】:2014-02-08 11:28:49 【问题描述】:我在 codeigniter 的配置文件中启用了 csrf_protection 选项,并使用 form_open() 函数来创建我的表单。但是当我提交表单时,就会出现这个错误:
您请求的操作不被允许。
我已经完成了类似这个主题的答案(与我的问题最相关):question
但他们没有工作,问题仍然存在。
我的 config.php:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
|--------------------------------------------------------------------------
| Base Site URL
|--------------------------------------------------------------------------
|
| URL to your CodeIgniter root. Typically this will be your base URL,
| WITH a trailing slash:
|
| http://example.com/
|
| If this is not set then CodeIgniter will guess the protocol, domain and
| path to your installation.
|
*/
$config['base_url'] = '';
/*
|--------------------------------------------------------------------------
| Index File
|--------------------------------------------------------------------------
|
| Typically this will be your index.php file, unless you've renamed it to
| something else. If you are using mod_rewrite to remove the page set this
| variable so that it is blank.
|
*/
$config['index_page'] = 'index.php';
/*
|--------------------------------------------------------------------------
| URI PROTOCOL
|--------------------------------------------------------------------------
|
| This item determines which server global should be used to retrieve the
| URI string. The default setting of 'AUTO' works for most servers.
| If your links do not seem to work, try one of the other delicious flavors:
|
| 'AUTO' Default - auto detects
| 'PATH_INFO' Uses the PATH_INFO
| 'QUERY_STRING' Uses the QUERY_STRING
| 'REQUEST_URI' Uses the REQUEST_URI
| 'ORIG_PATH_INFO' Uses the ORIG_PATH_INFO
|
*/
$config['uri_protocol'] = 'AUTO';
/*
|--------------------------------------------------------------------------
| URL suffix
|--------------------------------------------------------------------------
|
| This option allows you to add a suffix to all URLs generated by CodeIgniter.
| For more information please see the user guide:
|
| http://codeigniter.com/user_guide/general/urls.html
*/
$config['url_suffix'] = '';
/*
|--------------------------------------------------------------------------
| Default Language
|
--------------------------------------------------------------------------
|
| This determines which set of language files should be used. Make sure
| there is an available translation if you intend to use something other
| than english.
|
*/
$config['language'] = 'persian';
/*
|--------------------------------------------------------------------------
| Default Character Set
|--------------------------------------------------------------------------
|
| This determines which character set is used by default in various methods
| that require a character set to be provided.
|
*/
$config['charset'] = 'UTF-8';
/*
|--------------------------------------------------------------------------
| Enable/Disable System Hooks
|--------------------------------------------------------------------------
|
| If you would like to use the 'hooks' feature you must enable it by
| setting this variable to TRUE (boolean). See the user guide for details.
|
*/
$config['enable_hooks'] = FALSE;
/*
|--------------------------------------------------------------------------
| Class Extension Prefix
|--------------------------------------------------------------------------
|
| This item allows you to set the filename/classname prefix when extending
| native libraries. For more information please see the user guide:
|
| http://codeigniter.com/user_guide/general/core_classes.html
| http://codeigniter.com/user_guide/general/creating_libraries.html
|
*/
$config['subclass_prefix'] = 'MY_';
/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify with a regular expression which characters are permitted
| within your URLs. When someone tries to submit a URL with disallowed
| characters they will get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
/*
|--------------------------------------------------------------------------
| Enable Query Strings
|--------------------------------------------------------------------------
|
| By default CodeIgniter uses search-engine friendly segment based URLs:
| example.com/who/what/where/
|
| By default CodeIgniter enables access to the $_GET array. If for some
| reason you would like to disable it, set 'allow_get_array' to FALSE.
|
| You can optionally enable standard query string based URLs:
| example.com?who=me&what=something&where=here
|
| Options are: TRUE or FALSE (boolean)
|
| The other items let you set the query string 'words' that will
| invoke your controllers and its functions:
| example.com/index.php?c=controller&m=function
|
| Please note that some of the helpers won't work as expected when
| this feature is enabled, since CodeIgniter is designed primarily to
| use segment based URLs.
|
*/
$config['allow_get_array'] = TRUE;
$config['enable_query_strings'] = FALSE;
$config['controller_trigger'] = 'c';
$config['function_trigger'] = 'm';
$config['directory_trigger'] = 'd'; // experimental not currently in use
/*
|--------------------------------------------------------------------------
| Error Logging Threshold
|--------------------------------------------------------------------------
|
| If you have enabled error logging, you can set an error threshold to
| determine what gets logged. Threshold options are:
| You can enable error logging by setting a threshold over zero. The
| threshold determines what gets logged. Threshold options are:
|
| 0 = Disables logging, Error logging TURNED OFF
| 1 = Error Messages (including PHP errors)
| 2 = Debug Messages
| 3 = Informational Messages
| 4 = All Messages
|
| For a live site you'll usually only enable Errors (1) to be logged otherwise
| your log files will fill up very fast.
|
*/
$config['log_threshold'] = 0;
/*
|--------------------------------------------------------------------------
| Error Logging Directory Path
|--------------------------------------------------------------------------
|
| Leave this BLANK unless you would like to set something other than the default
| application/logs/ folder. Use a full server path with trailing slash.
|
*/
$config['log_path'] = '';
/*
|--------------------------------------------------------------------------
| Date Format for Logs
|--------------------------------------------------------------------------
|
| Each item that is logged has an associated date. You can use PHP date
| codes to set your own date formatting
|
*/
$config['log_date_format'] = 'Y-m-d H:i:s';
/*
|--------------------------------------------------------------------------
| Cache Directory Path
|--------------------------------------------------------------------------
|
| Leave this BLANK unless you would like to set something other than the default
| system/cache/ folder. Use a full server path with trailing slash.
|
*/
$config['cache_path'] = '';
/*
|--------------------------------------------------------------------------
| Encryption Key
|--------------------------------------------------------------------------
|
| If you use the Encryption class or the Session class you
| MUST set an encryption key. See the user guide for info.
|
*/
$config['encryption_key'] = 'bh#/Ib;pd<%+H0?ujvv9KLRc0LR-o8ot"K*so.J&4\qCQ+Ij81ih\d48fx5_';
/*
|--------------------------------------------------------------------------
| Session Variables
|--------------------------------------------------------------------------
|
| 'sess_cookie_name' = the name you want for the cookie
| 'sess_expiration' = the number of SECONDS you want the session to last.
| by default sessions last 7200 seconds (two hours). Set to zero for no expiration.
| 'sess_expire_on_close' = Whether to cause the session to expire automatically
| when the browser window is closed
| 'sess_encrypt_cookie' = Whether to encrypt the cookie
| 'sess_use_database' = Whether to save the session data to a database
| 'sess_table_name' = The name of the session database table
| 'sess_match_ip' = Whether to match the user's IP address when reading the session data
| 'sess_match_useragent' = Whether to match the User Agent when reading the session data
| 'sess_time_to_update' = how many seconds between CI refreshing Session Information
|
*/
$config['sess_cookie_name'] = 'ins_mngm_system';
$config['sess_expiration'] = 7200;
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie'] = TRUE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'user_sessions';
$config['sess_match_ip'] = TRUE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;
/*
|--------------------------------------------------------------------------
| Cookie Related Variables
|--------------------------------------------------------------------------
|
| 'cookie_prefix' = Set a prefix if you need to avoid collisions
| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
| 'cookie_path' = Typically will be a forward slash
| 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.
|
*/
$config['cookie_prefix'] = "";
$config['cookie_domain'] = "";
$config['cookie_path'] = "/";
$config['cookie_secure'] = TRUE;
/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = TRUE;
/*
|--------------------------------------------------------------------------
| Cross Site Request Forgery
|--------------------------------------------------------------------------
| Enables a CSRF cookie token to be set. When set to TRUE, token will be
| checked on a submitted form. If you are accepting user data, it is strongly
| recommended CSRF protection be enabled.
|
| 'csrf_token_name' = The token name
| 'csrf_cookie_name' = The cookie name
| 'csrf_expire' = The number in seconds the token should expire.
*/
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'relt';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
/*
|--------------------------------------------------------------------------
| Output Compression
|--------------------------------------------------------------------------
|
| Enables Gzip output compression for faster page loads. When enabled,
| the output class will test whether your server supports Gzip.
| Even if it does, however, not all browsers support compression
| so enable only if you are reasonably sure your visitors can handle it.
|
| VERY IMPORTANT: If you are getting a blank page when compression is enabled it
| means you are prematurely outputting something to your browser. It could
| even be a line of whitespace at the end of one of your scripts. For
| compression to work, nothing can be sent before the output buffer is called
| by the output class. Do not 'echo' any values with compression enabled.
|
*/
$config['compress_output'] = FALSE;
/*
|--------------------------------------------------------------------------
| Master Time Reference
|--------------------------------------------------------------------------
|
| Options are 'local' or 'gmt'. This pref tells the system whether to use
| your server's local time as the master 'now' reference, or convert it to
| GMT. See the 'date helper' page of the user guide for information
| regarding date handling.
|
*/
$config['time_reference'] = 'local';
/*
|--------------------------------------------------------------------------
| Rewrite PHP Short Tags
|--------------------------------------------------------------------------
|
| If your PHP installation does not have short tag support enabled CI
| can rewrite the tags on-the-fly, enabling you to utilize that syntax
| in your view files. Options are TRUE or FALSE (boolean)
|
*/
$config['rewrite_short_tags'] = FALSE;
/*
|--------------------------------------------------------------------------
| Reverse Proxy IPs
|--------------------------------------------------------------------------
|
| If your server is behind a reverse proxy, you must whitelist the proxy IP
| addresses from which CodeIgniter should trust the HTTP_X_FORWARDED_FOR
| header in order to properly identify the visitor's IP address.
| Comma-delimited, e.g. '10.0.1.200,10.0.1.201'
|
*/
$config['proxy_ips'] = '';
/* End of file config.php */
/* Location: ./application/config/config.php */
控制器(main.php):
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
class Main extends CI_Controller
//public function __construct()
//
// $this->load->controller('access_controll');
//
public function index()
redirect('auth/login');
public function login()
public function registration()
$this->load->view('register');
public function forgot()
/* End of file main.php */
/* Location: ./application/controllers/main.php */
查看(login.php):
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="<?php echo base_url();?>template/img/favicon.png">
<title>ورود به حساب کاربری</title>
<!-- Bootstrap core CSS -->
<link href="<?php echo base_url();?>template/css/bootstrap.rtl.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="<?php echo base_url();?>template/style.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="js/html5shiv.js"></script>
<script src="js/respond.min.js"></script>
<![endif]-->
</head>
<body id="login">
<div class="login-content">
<div class="widget-content">
<h1>سامانه مدیریت مشتریان</h1>
<div class="alert alert-danger"><?php echo $message;?></div>
<?php echo form_open('auth/login', array('role'=>'form')); ?>
<div class="form-group">
<label for="identity">شناسه کاربری:</label>
<div class="input-group"> <span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span>
<?php echo form_input(array('name'=>'identity', 'type'=>'text', 'placeholder'=>'نام کاربری یا ایمیل', 'class'=>'form-control', 'id'=>'identity')); ?>
</div>
</div>
<div class="form-group">
<label for="pass">گذرواژه:</label>
<div class="input-group"> <span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
<?php echo form_input(array('name'=>'pass', 'type'=>'password', 'placeholder'=>'گذرواژه', 'class'=>'form-control')); ?>
</div>
</div>
<div class="checkbox">
<div class="col-sm-offset-1 col-sm-12">
<label>
<?php echo form_checkbox(array('name'=>'remember', 'value'=>1, 'type'=>'checkbox')); ?>
مرا به خاطر بسپار </label>
</div>
</div>
<div class="form-group">
<div class="col-sm-offset-1 col-sm-12">
<input type="submit" class="btn btn-default" value="ورود" />
</div>
</div>
<?php echo form_close(); ?>
<div class="forgot">
<ul class="list-unstyled">
<li> <i class="glyphicon glyphicon-chevron-left"></i> <a href="<?php echo site_url("main/registration");?>">ایجاد حساب کاربری جدید</a> </li>
<li> <i class="glyphicon glyphicon-chevron-left"></i> <a href="<?php echo site_url("main/forgot");?>">رمز عبور خود را فراموش کرده اید؟</a> </li>
</ul>
</div>
</div>
</div>
<!-- /.container -->
<!-- Bootstrap core javascript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
<script src="js/jquery.js"></script>
<script src="js/bootstrap.rtl.min.js"></script>
</body>
</html>
【问题讨论】:
你查到这个问题的答案了吗?***.com/questions/5367096/… 但我还没有使用任何库!只是我正在使用一个表单和我的控制器! 在此处发布相关代码(配置、控制器、视图)。 在表单的隐藏字段中检查您获得的令牌 @mojtaba 您在使用 HTTPS 连接吗?为什么将$config['cookie_secure'] 设置为TRUE?如果您使用的是 HTTP,请将其设置为 FALSE。
【参考方案1】:
这个解决方案解决的问题:
如果您使用的是 HTTP,请将配置文件中的
$config['cookie_secure']设置为 FALSE。
【讨论】:
HTTPS 出现同样问题,怎么办? @VBMali,您的表单中的 CSRF 字段丢失。要么放置它们,要么完全禁用 CSRF。 我也需要csrf保护【参考方案2】:只需将其包含在您的表单中,然后一切都会好起来的。
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name();?>" value="<?php echo $this->security->get_csrf_hash();?>">
【讨论】:
【参考方案3】:对我来说最简单的方法是按照 CodeIgniter 用户指南 (here) 中的说明将 URI 列入白名单
选择的 URI 可以被列入 csrf 保护的白名单(例如 API 端点需要外部发布的内容)。您可以通过编辑“csrf_exclude_uris”配置参数来添加这些 URI:
$config['csrf_exclude_uris'] = array('api/person/add');
【讨论】:
请注意,这只是禁用 CSRF 保护 - 如果您真的想要 CSRF 保护,这不是一个解决方案。【参考方案4】:致所有尝试了此处建议的所有内容但仍然遇到此问题的人。
我的问题是 cookie 的过期时间。
$config['csrf_expire'] = 7200;
cookie 过期后用户尝试提交表单,他们会收到错误提示
The action you have requested is not allowed.
我为每个页面添加了一个简单的 javascript,它为 99% 的用户解决了这个问题。 (1% 的用户在浏览器中禁用了 JS)
setInterval(function ()
if(alert('Your session has expired!'))
else window.location.reload();
, 7200000);
【讨论】:
【参考方案5】:如果您在配置文件中的 $config['csrf_protection'] = true; 中允许 true,并且您还添加了我们无法使用的 autoload 表单。
步骤 1. 在 config 文件夹内自动加载文件上传表单助手
$autoload['helper'] = array('url', 'file','form');
第 2 步。
$config['csrf_protection'] = true;
步骤 3. 在视图文件夹中上传时
<?php echo form_open_multipart('admin/file_upload'); ?>
否则只能使用
$config['csrf_protection'] = false;
【讨论】:
【参考方案6】:在 config/config.php 我有
$config['csrf_token_name'] = 'my.token.name';
但是当我将 var_dump 用于 $_POST 时,我看到了:
["my_token_name"]=> string(32) "f5d78f8c8bb1800d10af59df8c302515"
CI 更改我的 csrf_token_name(原文如此!)
解决方案: 我变了
$config['csrf_token_name'] = 'my.token.name';
到
$config['csrf_token_name'] = 'my_token_name';
现在可以了。
【讨论】:
【参考方案7】:当所有其他方法都失败时,我注意到我设置了 cookie 变量、删除 cookie 名称等解决了我的问题。
【讨论】:
您能否扩展您的答案,使其更好地与问题相关? 为我修复了它。在本地开发服务器上突然出现错误,清除 cookie 有效【参考方案8】:我在 localhost 上工作时遇到了同样的问题,并在配置文件中启用了 csrf 令牌为 true。我尝试了 *** 上发布的所有解决方案,最后自己解决了。
我在 config.php 文件中更改了 Session Variables 并替换了以下代码
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = NULL;
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;
与
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'core_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;
然后,您将收到与数据库相关的错误表“.core_sessions”不存在,因为这次我们将会话存储在数据库中,因此您必须创建一个存储会话值的表,如下所示数据库中的 SQL 查询。
CREATE TABLE IF NOT EXISTS `core_sessions` ( `id` varchar(128) NOT NULL, `ip_address` varchar(45) NOT NULL, `timestamp` int(10) UNSIGNED NOT NULL DEFAULT 0, `data` blob NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8
如果您使用 form_open 辅助函数,那么您不必添加任何额外的东西,例如 csrf 令牌及其哈希值,而 HTML 表单要求您添加一个带有 csrf 令牌名称及其值的隐藏字段。
<input type="hidden"
name="<?php echo $this->security->get_csrf_token_name();?>"
value="<?php echo $this->security->get_csrf_hash();?>">
我希望这对您和即将到来的访客都有效。谢谢
【讨论】:
【参考方案9】:如果你设置了cookie域名,在配置中
$config['cookie_domain'] = 'xyz.com';
然后您使用 localhost 进行浏览。你会得到错误
您请求的操作不被允许
检查是否有帮助
【讨论】:
【参考方案10】:对于那些可能仍然对此有疑问的人,为了完整起见,我想添加更多信息。
我遇到了这个问题,虽然上面的一些答案很有帮助,但在处理 csrf 时还有一些其他的事情需要考虑。
从顶部开始,并使其尽可能简单。
如果您使用 autoload.php,我通常会加载这些。并非所有都需要纠正问题。
Autoload.php
$autoload['libraries'] = array('session','database','form_validation','user_agent', 'encryption');
$autoload['helper'] = array('url', 'file', 'form');
Config.php
$config['base_url'] = 'http://somesite.org:4848/'; // Port if ur running multiple servers same machine
$config['encryption_key'] = 'kidh743ty9fhw9afh4739hq978h'; //Get an encrypt key, make sure its set
//Sessions
$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = '_ss_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = 'Sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;
// Cookies
$config['cookie_prefix'] = '_ss_cookie';
$config['cookie_domain'] = '.somesite.org'; // No leading slash here, cookie will not set
$config['cookie_path'] = '/';
$config['cookie_secure'] = FALSE;
$config['cookie_httponly'] = FALSE;
// Global XSS - This is deprecated in version 3
$config['global_xss_filtering'] = FALSE;
// CSRF
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = '_ss_csrf_token';
$config['csrf_cookie_name'] = '_ss_csrf_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();
控制器 - 处理 csrf 的最佳方法是使用重定向并设置闪存数据。
Register.php
<?php defined('BASEPATH') OR exit('No direct script access allowed');
class Register extends CI_Controller
function __construct()
parent::__construct();
public function index()
$this->load->view('auth/register');
public function validate()
$full_name = $this->input->post('full_name');
$email = $this->input->post('email');
$password = $this->input->post('password');
$password_again = $this->input->post('password_again');
$agree = $this->input->post('agree');
// do something here, then base your redirect on the response
$some_model_data = $this->register_model->validate($data);
if($this->input->is_ajax_request())
// echo a json response with the token
// Response array
// use javascript to add the new token to the form
$response = array(
'data' => $some_model_data,
'token'=> $this->security->get_csrf_hash();
);
// json response
echo json_encode($response);
else
// redirect to the page
$this->__validate_redirect($some_model_data);
private function __validate_redirect($where_to)
switch ($where_to->redirect)
case 'register_page':
redirect(base_url().'register/');
break;
case 'success':
redirect(base_url().'register/success');
break;
default:
redirect(base_url().'register/');
break;
?>
在视图中确保您使用:
<?php echo form_open(); ?>
这将设置 csrf 令牌或在表单中的隐藏输入中使用以下内容:
<?php echo $this->security->get_csrf_token_name(); ?>
这应该是大部分情况下防止 csrf 错误所需的全部内容。
【讨论】:
【参考方案11】:我在创建 csv_upload 表单时遇到此错误。 只需将此代码放入您的表单中即可。
<input type="hidden"
name="<?php echo $this->security->get_csrf_token_name();?>"
value="<?php echo $this->security->get_csrf_hash();?>">
【讨论】:
【参考方案12】:造成这种情况的原因有很多。
-
首先检查 htaccess 文件可能有一些错误代码,例如当您将项目复制到另一个域名时发生的无效域名。
在表单视图中检查 csrf 令牌。
检查
application/config/config.php $config['csrf_protection'] = true; 中的配置文件。
将其更改为 false 并再次检查是否存在问题。
如果这种情况仅发生在您的浏览器中,您可以清除浏览器中的缓存,如果发生在任何一个浏览器中,主机缓存也可以。
如果所有这些都为真,请检查此操作的控制器构造函数。
所有这些都将解决 99% 的问题,如果您之前更改过配置文件,您可能会对配置文件产生疑问。
【讨论】:
【参考方案13】:确保您的 BASE_URL 与您正在查看的 URL 匹配。我有两个别名(一个是为 oauth 创建的)并且该项目在两个别名上都可以工作,但是如果 BASE_URL 与浏览器中的 URL 不匹配,CSRF 将失败。
【讨论】:
【参考方案14】:我的配置:
$config['csrf_protection'] = true;
$config['csrf_token_name'] = 'csrf_token_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = false;
$config['csrf_exclude_uris'] = array();
表格:
<?php echo form_open_multipart('form/create'); ?>
我确实遇到了同样的问题。配置没有任何问题或任何与代码相关的错误。
(就我而言)
问题是表单的 URL 就像 http://localhost/project/form
但是表单提交给http://[::1]/project/form/create
问题根是生成 CSRF 令牌的域名和检查它们的域。只需将表单的 URL 更改为 http://[::1]/project/form 即可解决我的项目的问题。
这只是一个小解决方法,实际生产域中从未出现此问题
【讨论】:
【参考方案15】:如果您使用的是 Codeigniter 3.0 版,您可以执行以下操作:
改变
$config['csrf_regenerate'] = TRUE;
到
$config['csrf_regenerate'] = FALSE;
这会阻止 CSRF 在每次提交时重新生成令牌。
【讨论】:
【参考方案16】: // Items change base on category
$('#category_id').change(function()
var cat_id = $(this).val();
var csrf_hash = '<?php echo $this->security->get_csrf_hash();?>';
// AJAX request
$.ajax(
url:'getitems/'+r_type_id,
method: 'post',
protocol: 'https:',
data: category: cat_id, <?php echo $this->security->get_csrf_token_name();?>: csrf_hash,
dataType: 'json',
success: function(response)
// Remove options
$('#item_id').find('option').not(':first').remove();
// Add options
$.each(response,function(index,data)
$('#item_id').append('<option value="'+data['item_id']+'">'+data['item_name']+'</option>');
);
);
【讨论】:
这不是一个有用的答案。这是一个代码 sn-p,您没有提供任何关于正在发生的事情的解释,或者它如何解决问题中的原始问题。【参考方案17】:换行号451
$config['csrf_protection'] = true;
到
$config['csrf_protection'] = false;
因为csrf_protection 在CodeIgniter 中已弃用。
【讨论】:
如果 csrf 保护在 ci 中被弃用,那有什么办法?【参考方案18】:我找到了一个非常简单的解决方案。我用 csrf_protection 输入周围的 display:none 样式删除了 div。 div 不相关,因为输入类型设置为隐藏。 在 CodeIginiterFolder/system/helpers/form_helper.php 中,我更改了以下内容(大约第 75 行):
if (is_array($hidden) AND count($hidden) > 0)
$form .= sprintf("<div style=\"display:none\">%s</div>", form_hidden($hidden));
对于以下一个:
if (is_array($hidden) AND count($hidden) > 0)
$form .= form_hidden($hidden);
【讨论】:
以上是关于codeigniter CSRF 错误:“不允许您请求的操作。”的主要内容,如果未能解决你的问题,请参考以下文章
CodeIgniter 2,Ion Auth 在配置文件编辑时给出 CSRF 错误消息
Codeigniter (CSRF) jQuery ajax 问题