CSRF and Apache Configuration conflicts. #1492
Issue / Question / Bug
Before submitting an issue please make sure you tick (add an x between the square brackets with no spaces) the following check boxes:
This issue was originally referenced in #1488 but since that is about a different problem, I thought I'd create a new issue in case anyone else runs into the problem.
With CSRF enabled (by default) be able to login to app.
I get an error telling me "The action you requested is not allowed" upon submitting my username and password. In my case, this is caused by the line
The solution is to comment out that line in httpd.conf if you have access to it. There may also be a way to correct it in .htaccess files, but I haven't looked into it.
Steps to reproduce the issue
I've already resolved the issue, but I'm posting it in case anyone else runs into the issue.
Hmm, might be better to add this to the FAQ (Readme.md) or wiki, as we always refer to those in case 'common' problems occur. But I must admit that this is the first bug report on this one.
So I thought my issues with CSRF were limited to the login, but I'm finding that it's also blocking saving data in the app config. When CSRF is turned off it works fine, but when it's enabled it fails. I'm going to try to compare configurations with my shared hosting web server and the hardened server to see if I can figure out why CodeIgniter CSRF is being triggered even with that line commented out of my httpd.conf. I have mod_security in DetectionOnly and Suhosin in simulation mode. I've already commented out my open_basedir and disable_functions in php.ini but it still persists. I might go over to the CI forums and see if I can find anyone with similar issues in their server config.
FINALLY! If php.ini contains
This should be added to a FAQ, wiki or troubleshooting guide as anyone with suhosin running is liable to run into this and
This issue can be closed once we figure out the best place to document the issue for future people.