We use CodeIgniter custom session data to handle our login (among many other things). Our settings are as follows:

$config['sess_cookie_name']     = 'danisession';
$config['sess_expiration']      = 0;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie']  = TRUE;
$config['sess_use_database']    = FALSE;
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = FALSE;
$config['sess_time_to_update']  = 300;

...

$config['csrf_protection'] = true;
$config['csrf_token_name'] = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_cookie';
$config['csrf_expire'] = 7200;    

We used to have sess_match_useragent set to true, but had to change it to false because it was causing issues with certain useragents that were giving different useragent info on each page load.

Now, we are experiencing the issue where a clean installation of Windows 8 is throwing back the CSRF error message for an invalid or expired token upon submitting a post request.

I can't really debug this because I'm on a Mac, but for those experiencing the problem, can you answer the following:

  1. What web browser?
  2. Does the problem happen when submitting any DaniWeb form, including trying to search
  3. Does the problem happen on other CodeIgniter-based sites, such as http://codeigniter.com/forums/

LastMitch, the problem is related to CSRF, not sessions.

Member Avatar for LastMitch

Oh, I'm sorry about that. I did't understand your question. Now I understand.

Member Avatar for diafol

Maybe a stupid question but is the token in the form the same as the token in the cookie?
Also, on page refresh, is the form token different every time?
It works on W7 - but you already know that.

What web browser?

All that were tried: IE10 and Chrome.

Does the problem happen when submitting any DaniWeb form, including trying to search

I didn't try. Sadly, the hard drive that I bought to house Windows 8 died last night...

Does the problem happen on other CodeIgniter-based sites, such as http://codeigniter.com/forums/

I didn't try, but that will be in my troubleshooting steps when I get a new hard drive and get the system back on its feet.

Try to remove the underscore from the CSRF cookie name:

$config['csrf_cookie_name'] = 'csrfcookie';

From what I've read in the past, it seems that latests IE versions don't like it.

Member Avatar for diafol

Try to remove the underscore from the CSRF cookie name:

Missed that. I read that too. I was looking at the sessname cookie. +1

From what I've read in the past, it seems that latests IE versions don't like it.

I read that too on another forum, but supposedly it was tried to no success. What's weird is that there are people for which IE10 and Windows 8 work fine.

Another thing to try, that would explain why it works for one person and not another:

Try Internet Explorer Compatability mode both in IE10 mode and also in IE9 mode, and let me know if one works and the other doesn't.

Member Avatar for diafol

Add in W7/IE9 (64-bit) : success

Add in W7/IE9 Compat (64-bit) : success

Consistent csrf token throughout compatibility switching through v9 and v8 and switching user agent string.

Sorry don't have IE10/W8. And I don't want to download the preview version.

This ain't a DNT issue is it?

Just an update, I got a new hard drive and installed Windows 8 again but this time without the SmartScreen filter enabled by default. I'm now posting from that installation, so there's something about that filter that boogers up our sessions.

Still a high priority issue though, given that SmartScreen is enabled in the default custom settings and the express install settings.

So SmartScreen is something that can be enabled/disabled on the fly for Internet Explorer, right? Why would that be affecting Chrome??

Apparently it's built into the OS too, but IE10 has a version to check URLs. I'm guessing the OS level filter affects other browsers too, otherwise I'd agree that it shouldn't affect Chrome.

So can you try flipping the switch on the OS-level one, and see if both browsers stop working?

Upon doing some more research, it appears that IE8 includes the SmartScreen filter. It turns out I've always had it enabled. So either MS has done some extensive changes to SmartScreen or something else is going on here.

Member Avatar for Mark_k

The solution for me was this:

Edit application/config/user_agants.php and add 'windows nt 6.2' => 'Windows 8', to the $platforms array().

After that it should be safe to set $config['sess_match_useragent'] => true;

I've finally upgraded to Windows 8 and everything seems to be working for me without having made any changes. Odd??

Member Avatar for Mark_k

Yeah, scratch what I said earlier. Turns out that the problem I was having was due to the IE 9 and 10 VMs that Microsoft released for testing all version of IE http://osxdaily.com/2011/09/04/internet-explorer-for-mac-ie7-ie8-ie-9-free/

I'm still not exactly sure why it was happening, but I did a lot of testing on the cookies and I was able to find out that the cookies were expiring 3 hours ahead of schedule even though they were being set correctly. Even the expiration date that was displayed in IE's developer tools was correct.

Timezone and server time are all set correctly so, again, I'm still not sure what the issue is here, but it's definitely confined within the VMs. Works fine otherwise.

If anyone else has any insight about this I would love to know.

Cheers.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.