Reputation: 10548
I've implemented Janrain Open ID on my Codeigniter 2.0 website. It was working great until I enabled CSRF protection in my codeigniter config file.
I read up on it and it seems that in all my forms on my website I should include a hidden form element containing a token, which is then verified against a cookie token after the post is read from the receiving page.
This is all fine and dandy, but where I'm a bit stuck is when I try to log into my site now using OpenID (whose login form comes from an iframe hosted on janrain.com): I cannot include any sort of hidden post values because I have no control over what the form looks like, and can only supply a return URL so that Janrain knows what page to return me to.
How can I get my CSRF token to submit with the form if the form is in an iframe which I don't control?
Upvotes: 3
Views: 1322
Reputation: 10548
Got it solved.
I ended up sending the iframe my return URL, in which I included the CSRF token as part of the URL. When Janrain returns to my return URL, as Codeigniter goes through the security check inside Security::csrf_verify(), I do a little check against the URL to see if my tokens match (unfortunately I wasn't able to use CI libraries for some reason, so I ended up parsing the URL myself using explode('/', $_SERVER['REQUEST_URI'])). If I find a match in the URL to my CSRF cookie token then we're all good and I don't check against the POST variables, which Codeigniter would normally be doing.
Upvotes: 0
Reputation: 854
You can also just add this to the end of your token URL:
?ci_csrf_token='.$this->security->get_csrf_hash()
So let's say you were using an embedded iframe for Janrain; the complete code would end up looking like this:
<iframe src="https://MYACCOUNT.rpxnow.com/openid/embed?token_url=<?php echo rawurlencode($token_url . '?ci_csrf_token=' . $this->security->get_csrf_hash()); ?>" scrolling="no" frameborder="0" seamless="seamless" style="width:400px; height:240px;"></iframe>
I have this working great on my codeigniter, and you do not need to disable your CSRF security :)
Upvotes: 1
Reputation: 1580
I was also searching for a solution to turn off CSRF per controller. I did it this way:
// enable CSRF protection unless the request URI contains '/controller'
if (stripos($_SERVER['REQUEST_URI'], '/controller') === FALSE)
{
    $config['csrf_protection'] = TRUE;
}
else
{
    $config['csrf_protection'] = FALSE;
}
in config.php. I don't know if it's reliable, but it works for me.
Upvotes: 0
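The following is an added example, not code from the question or from any of the answers above: a stand-alone PHP sketch of the approach the first two answers describe (the CSRF token carried in the return URL and compared with the CSRF cookie when Janrain comes back) plus the per-controller exemption from the third answer, done on the URI path. The helper names, the `ci_csrf_token` parameter and the `csrf_cookie_name` cookie name are assumptions; CodeIgniter's own names come from `$config['csrf_token_name']` and `$config['csrf_cookie_name']`.

```php
<?php
// Added example; helper names and the 'ci_csrf_token' / 'csrf_cookie_name'
// names are assumptions, not CodeIgniter APIs.

// Put the token in the return URL's query string, then encode the WHOLE URL
// once so the parameter stays inside token_url instead of ending up in the
// rpxnow embed URL's own query string.
function build_return_url($base_url, $csrf_hash, $param = 'ci_csrf_token')
{
    $sep = (strpos($base_url, '?') === false) ? '?' : '&';
    return $base_url . $sep . http_build_query(array($param => $csrf_hash));
}

function embed_src($account, $token_url)
{
    return 'https://' . $account . '.rpxnow.com/openid/embed?token_url='
         . rawurlencode($token_url);
}

// Constant-time comparison (hash_equals() only exists from PHP 5.6).
function csrf_token_matches($from_url, $from_cookie)
{
    if (!is_string($from_url) || !is_string($from_cookie)
        || strlen($from_url) !== strlen($from_cookie)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($from_url); $i < $n; $i++) {
        $diff |= ord($from_url[$i]) ^ ord($from_cookie[$i]);
    }
    return $diff === 0;
}

// On Janrain's return request: read the token from the parsed query string
// ($_GET is populated even for a POST) and compare it with the cookie value.
function verify_return_request(array $get, array $cookie,
    $param = 'ci_csrf_token', $cookie_name = 'csrf_cookie_name')
{
    return isset($get[$param], $cookie[$cookie_name])
        && csrf_token_matches($get[$param], $cookie[$cookie_name]);
}

// Per-controller exemption: match the URI *path* prefix rather than a
// substring of the whole REQUEST_URI, which also matches the query string.
function csrf_exempt_path($request_uri, $prefix = '/controller/')
{
    $path = parse_url($request_uri, PHP_URL_PATH);
    return is_string($path) && strpos($path, $prefix) === 0;
}
```

Wire `verify_return_request($_GET, $_COOKIE)` into the same place the first answer patches `Security::csrf_verify()`, and use `csrf_exempt_path($_SERVER['REQUEST_URI'])` in config.php where the third answer uses `stripos`.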