(Codeigniter) Ion Auth CSRF Error: This form post did not pass our security checks (when loading views)

StackOverflow https://stackoverflow.com/questions/17584852

Question

I'm using the Ion Auth authentication library in Codeigniter. When I load my footer view, I get a CSRF error (This form post did not pass our security checks). When I remove the footer view, it works fine though! Is there anything I'm doing wrong here? Thanks!

function edit_user($id) {

//I'm only posting the last part of the code of edit_user function in the auth controller

    $this->load->view('layout/header');
    $this->_render_page('auth/edit_user', $this->data);
    $this->load->view('layout/footer'); // I'm getting an error when I load this footer view.
} 

This is the code in my views.

<h1><?php echo lang('edit_user_heading');?></h1>
<p><?php echo lang('edit_user_subheading');?></p>

<div id="infoMessage"><?php echo $message;?></div>

<?php echo form_open(uri_string());?>

      <p>
            <?php echo lang('edit_user_fname_label', 'first_name');?> <br />
            <?php echo form_input($first_name);?>
      </p>

      <p>
            <?php echo lang('edit_user_lname_label', 'last_name');?> <br />
            <?php echo form_input($last_name);?>
      </p>

      <p>
            <?php echo lang('edit_user_company_label', 'company');?> <br />
            <?php echo form_input($company);?>
      </p>

      <p>
            <?php echo lang('edit_user_phone_label', 'phone');?> <br />
            <?php echo form_input($phone);?>
      </p>

      <p>
            <?php echo lang('edit_user_password_label', 'password');?> <br />
            <?php echo form_input($password);?>
      </p>

      <p>
            <?php echo lang('edit_user_password_confirm_label', 'password_confirm');?><br />
            <?php echo form_input($password_confirm);?>
      </p>

     <h3><?php echo lang('edit_user_groups_heading');?></h3>
    <?php foreach ($groups as $group):?>
    <label class="checkbox">
    <?php
        $gID=$group['id'];
        $checked = null;
        $item = null;
        foreach($currentGroups as $grp) {
            if ($gID == $grp->id) {
                $checked= ' checked="checked"';
            break;
            }
        }
    ?>
    <input type="checkbox" name="groups[]" value="<?php echo $group['id'];?>"<?php echo $checked;?>>
    <?php echo $group['name'];?>
    </label>
    <?php endforeach?>

      <?php echo form_hidden('id', $user->id);?>
      <?php echo form_hidden($csrf); ?>

      <p><?php echo form_submit('submit', lang('edit_user_submit_btn'));?></p>

<?php echo form_close();?>

Solution

Ion Auth's CSRF protection is older. CI-2 already has this.

This provides security when posting a form, e.g.: is the POST from local or from the server?

In the Ion Auth controller file, you will see code like the below:

// do we have a valid request?
if ($this->_valid_csrf_nonce() === FALSE)
{
   show_error($this->lang->line('error_csrf'));
}

If you remove this validation, you will not get the CSRF error.

You can enable security with the CI core library:

http://ellislab.com/codeigniter/user-guide/libraries/security.html

$config['csrf_protection'] = TRUE;

You have to use the form_open() tag to trigger CSRF protection.

OTHER TIPS

The same problem happened to me when I was trying to add common/header and common/footer to the auth/reset_password page.

The issue was that I was using relative paths for the JS included in the footer part. After a lot of experimenting, using base_url() fixed the issue.

I have the same problem, but I replaced flashdata with userdata; it's just a little less secure, but it's a good solution.
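Why a footer can break the check, as an added example in plain PHP (not Ion Auth or CodeIgniter code): flashdata is only available for the next server request, so any extra request that reaches the framework between rendering the form and posting it discards a nonce stored there. The sketch assumes the nonce is kept in flashdata and that a relative script URL in the footer resolves to a path the framework handles; `FakeSession`, `valid_nonce` and `simulate` are hypothetical names.

```php
<?php
// Added illustration. FakeSession is a hypothetical stand-in for a session
// library whose flash items survive exactly one subsequent request.
class FakeSession {
    private $user = [];      // persists until explicitly removed
    private $flashNew = [];  // flash items set during the current request
    private $flashOld = [];  // flash items set during the previous request

    public function startRequest(): void {   // once per request that hits the framework
        $this->flashOld = $this->flashNew;    // last request's items become readable
        $this->flashNew = [];                 // anything older is gone
    }
    public function setFlash(string $k, string $v): void { $this->flashNew[$k] = $v; }
    public function flash(string $k): ?string { return $this->flashOld[$k] ?? null; }
    public function setUser(string $k, string $v): void { $this->user[$k] = $v; }
    public function takeUser(string $k): ?string {   // read and delete: single use
        $v = $this->user[$k] ?? null;
        unset($this->user[$k]);
        return $v;
    }
}

// Constant-time comparison; a missing stored nonce always fails.
function valid_nonce(?string $stored, string $posted): bool {
    return $stored !== null && hash_equals($stored, $posted);
}

// GET the form, let $strayRequests extra requests reach the framework
// (e.g. a relative script path resolved under the controller URL), then POST.
function simulate(bool $useFlash, int $strayRequests): bool {
    $s = new FakeSession();
    $s->startRequest();                        // GET: render the form
    $nonce = bin2hex(random_bytes(16));        // constructed sample nonce
    if ($useFlash) { $s->setFlash('csrf', $nonce); } else { $s->setUser('csrf', $nonce); }
    for ($i = 0; $i < $strayRequests; $i++) {
        $s->startRequest();                    // stray request ages the flash data
    }
    $s->startRequest();                        // POST: submit the form
    $stored = $useFlash ? $s->flash('csrf') : $s->takeUser('csrf');
    return valid_nonce($stored, $nonce);
}

var_dump(simulate(true, 0));    // flash nonce, form posted straight away
var_dump(simulate(true, 1));    // flash nonce, one stray request before the POST
var_dump(simulate(false, 1));   // persistent nonce, deleted on first use
```

Deleting the persistent nonce when it is checked keeps it single-use, which is the property flashdata otherwise provides.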

Licensed under: CC-BY-SA with attribution