Member Avatar for Dani

So I just discovered a crazy bug that has been keeping visitors of the Opera web browser from using DaniWeb.

Apparently there's a problem with CodeIgniter's CSRF protection that makes it not work with Opera, and I'm unsure of why. It works perfectly fine with IE, Firefox, Chrome, etc.

I am using form_open() to create my forms, so it is creating the csrf hidden input tag automatically.

I have the following configuration settings set in /application/config/config.php:

$config['sess_encrypt_cookie']  = TRUE;
$config['sess_use_database']    = FALSE;
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = FALSE;

Can anyone help?

  • 2 Contributors
  • 9 Replies
  • 309 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by diafol
Member Avatar for Dani

Further reading suggests that this bug is related to a cookie domain not being the same as what's typed into the browser (for example, if the cookie domain is set to 127.0.0.1 and you try to access localhost).

So additional information:

$config['cookie_prefix']    = "";
$config['cookie_domain']    = "www.daniweb.com";
$config['cookie_path']      = "/";
$config['cookie_secure']    = FALSE;
Member Avatar for diafol

Ah! The joys of CI! :)

Told you it was cheap! That's a new one on me though - thanks for sharing. Useful to know, although I've stopped using CI for the mo. I assume that was true for Opera Mini and the other mobile versions too? Ouch.

BTW, I was trying to use TamperMonkey to turn off the editor WYSIWYG, but the darned csrf of yours thwarted every effort. Bah! It has its uses then. :)

Edited by diafol
Member Avatar for Dani

What on earth does the editor have to do with CSRF?? You mean the editor toolbar or the live preview? For the editor toolbar buttons, you just need the CSS:

div.editor-container div.wysiwyg { display: none; }

Disabling the live preview is going to be more complicated because you can set its display to none on page load, but the display property gets overwritten each time that you click into the editor. This is completely untested, but try setting its height to 1px. The height property never gets dynamically overwritten, so even if fancy Javascript is being used to show/hide it, it will remain just a single pixel in height.

Still completely unrelated to CSRF though.

Member Avatar for diafol

I've already disabled the Live Preview (via Stylish). For the wysiwyg, I was using the id hook on the form and as it was constantly changing (obviously), so I gave up. Now you've mentioned the CSS solution, doh! :( Thanks for the tip Dani. No offence for all the hard work you've put into the UX/UI - just not my thing.

Anyway, enough of my nonsense - is the only fix for Opera to delete cookies?

//EDIT
Tried the fix, it deletes the toolbar but not the live wysiwyg. Will have a further look.

Edited by diafol
Member Avatar for Dani

Right, the fix does remove the editor toolbar. And you said you already disabled the live preview. What else are you referring to??

Member Avatar for diafol

The live styling in the editor itself. But hey no problem. I seem to have sent this thread off-piste. Apologies.

Edited by diafol
Member Avatar for Dani

Start a new thread and I'll help ya.

Member Avatar for diafol

Honestly Dani - I love you. I'm not worthy :). I'll start a nod thread.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.