CSRFProtector PHP library not submitting any form data

Question (votes: 2, answers: 2)

I am using the CSRFProtector library for CSRF protection (https://github.com/mebjas/CSRF-Protector-PHP), and as soon as I turn it on all forms stop submitting and I get an error:

403 Access Forbidden by CSRFProtector!

My config file contains:

return array(
    "CSRFP_TOKEN" => "ctkn",
    "logDirectory" => "log",
    "failedAuthAction" => array(
        "GET" => 0,
        "POST" => 0),
    "errorRedirectionPage" => "",
    "customErrorMessage" => "",
    "jsPath" => "js/csrfprotector.js",
    "jsUrl" => "ABS PATH TO js/csrfprotector.js",
    "tokenLength" => 10,
    "disabledJavascriptMessage" => "",
    "verifyGetFor" => array()
);

and the CSRFProtector log file shows:

{"timestamp":1433842328,"HOST":"MYDOMAIN.COM","REQUEST_URI":"\/add","requestType":"POST",
"query":{"title":"234","date":"08\/06\/2015","submit":""},
"cookie":{"ctkn":"3c8c7dfebc","__insp_uid":"1173752613",
"PHPSESSID":"SESSION_ID","_ok":"3274-991-10-2674","__utma":"98457856.2008088440.1420840286.1431630284.1432025914.10",
"__utmc":"98457856","__utmz":"98457856.1429793890.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)","__insp_wid":"801086210",
"__insp_nv":"false","__insp_ref":"aHR0cHM6Ly93d3cubmF0dXJhbGhyLm5ldC9sb2dpbg==",
"__insp_identity":"33101","__insp_norec_sess":"true","__insp_slim":"1433237660812",
"mp_3a3715a3d0ca553aea5e93832d489346_mixpanel":"{\"distinct_id\": \"14adaecc111146-0576c4449-63161675-232800-14adaecc1122e6\",
\"$initial_referrer\": \"$direct\",\"$initial_referring_domain\": \"$direct\"}",
"_okbk":"cd5=available,cd4=true,vi5=0,vi4=1433789710017,vi3=active,vi2=false,vi1=false,
cd8=chat,cd6=0,cd3=false,cd2=0,cd1=0,","_gat":"1","_ga":"GA1.2.2008088440.1420840286",
"_oklv":"1433842325615,1q2TBnOvCYwsP8Vp452Bb0OMFOHE0QN6","olfsk":"olfsk31493824627250433",
"_okac":"96642aff6954f6ce73ba12dfbb632117","_okla":"1","wcsid":"1q2TBnOvCYwsP8Vp452Bb0OMFOHE0QN6",
"hblid":"BpAXj2n915tZ7ULn452Bb0OMFPI1k134"}}

Can anyone tell me why this fails? What do I need to do to allow this legitimate request while still blocking any illegitimate ones?

Tags: php csrf csrf-protection

2 answers

0 votes

For me, the problem was that I used a Bootstrap confirmation modal to confirm before submitting the form. When I inspected the $_POST object, I found that it did not contain csrf_token.

You may be running into the same problem.

0 votes

You changed CSRFP_TOKEN in the config file, so you need to change it in the js file as well, i.e. CSRFP_TOKEN: 'ctkn'
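Both answers describe the same failure from the server's point of view: the library looks for the token under the configured name in the cookie and in the POST body, so a modal that submits the form before the script has added the hidden field (first answer) and a script that still injects the field under a different name (second answer) both end in the 403. The following is an added example, not the library's code and not part of either answer, that models this double-submit check in JavaScript; the token name, the trimmed cookie string and the field values are taken from the question's config and log, and `csrfp_token` is assumed as the script's unchanged field name.

```javascript
// Added example: a simplified model of CSRF-Protector-PHP's double-submit
// check, not the library's own code. Assumption: a POST passes only when a
// cookie and a POST field, both named after the configured CSRFP_TOKEN,
// exist and carry the same value.

// Parse a raw Cookie header (or document.cookie) into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Server-side decision: 'ok', or the reason the request would get the 403.
function checkCsrf(tokenName, cookieString, postFields) {
  const fromCookie = parseCookies(cookieString)[tokenName];
  const fromPost = postFields[tokenName];
  if (!fromCookie) return 'no token cookie "' + tokenName + '"';
  if (!fromPost) return 'no token field "' + tokenName + '" in POST';
  if (fromCookie !== fromPost) return 'token mismatch';
  return 'ok';
}

// Constructed inputs taken from the question's config and (trimmed) log.
const TOKEN_NAME = 'ctkn';
const COOKIES = 'ctkn=3c8c7dfebc; PHPSESSID=SESSION_ID';

// The three situations the thread describes.
function scenarios() {
  return {
    // Answer 1: the modal submitted the form before the script added the field.
    modalBypass: checkCsrf(TOKEN_NAME, COOKIES,
      { title: '234', date: '08/06/2015', submit: '' }),
    // Answer 2: the script still injects a differently named field
    // (csrfp_token is assumed here as the script's unchanged name).
    nameMismatch: checkCsrf(TOKEN_NAME, COOKIES,
      { title: '234', csrfp_token: '3c8c7dfebc' }),
    // Config and script agree on the name and the field copies the cookie.
    fixed: checkCsrf(TOKEN_NAME, COOKIES,
      { title: '234', ctkn: '3c8c7dfebc' }),
  };
}

console.log(scenarios());
```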
