Embedding CSRF in an OpenID iframe

I have implemented the Janrain OpenID login on my CodeIgniter 2.0 website. It worked fine until I turned on CSRF protection in my CodeIgniter configuration file.

I read about this, and it seems that in all the forms on my website I should include a hidden form element containing a token, which is then checked against the cookie token when the receiving page reads the submitted form.

This is all fine and dandy, but where I got a little stuck is when I try to log in to my site using OpenID (the login form from the iframe hosted on janrain.com). I cannot include any hidden form values because I cannot control how the form looks and can only provide a return URL so Janrain knows which page to return me to.

How can I get the CSRF token to submit with the form if the form is in an iframe that I do not control?

+3
3 answers

Since the iframe is loaded from a URL you hand to Janrain, pass the CSRF token in that URL. Janrain returns you to that URL, so in CodeIgniter's Security::csrf_verify() read the token from the URL instead of from the POST (if CI does not give you the URL segments at that point, use explode('/', $_SERVER['REQUEST_URI'])). Compare the URL token with the csrf cookie the same way CodeIgniter compares the POST token.

+1

Append the token to the return URL:

$token_url .= '?ci_csrf_token=' . $this->security->get_csrf_hash();

For example, in the Janrain iframe, with the whole return URL (token included) encoded as the token_url parameter:

<iframe src="https://MYACCOUNT.rpxnow.com/openid/embed?token_url=<?php echo rawurlencode($token_url . '?ci_csrf_token=' . $this->security->get_csrf_hash()); ?>" scrolling="no" frameborder="0" seamless="seamless" style="width:400px; height:240px;"></iframe>

and CSRF protection keeps working :)

+1

I simply disable CSRF protection for that controller. Like this:

if(stripos($_SERVER["REQUEST_URI"],'/controller') === FALSE)
{
    $config['csrf_protection'] = TRUE;
}
else
{
    $config['csrf_protection'] = FALSE;
}

in config.php I don't know if it is reliable, but it works for me.
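The flow the first two answers describe (carry the CSRF token in the return URL, then check it against the cookie when Janrain posts back) and the per-controller exemption of the third answer, as an added stand-alone PHP example. This is not CodeIgniter's or Janrain's code: the cookie name `ci_csrf_cookie`, the return path `/auth/openid_return` and the demo values are constructed, `ci_csrf_token` is the parameter name used in the second answer, and `MYACCOUNT` is the placeholder from the answer's iframe. If you wire it into CI 2.x you would do it by extending the Security class in application/core/MY_Security.php, as the first answer suggests; the example keeps it framework-free so it can be run with `php` on the command line.

```php
<?php
// Added example (not CodeIgniter's or Janrain's code): CSRF token carried in the
// OpenID return URL, verified against the cookie on the way back, plus a
// first-segment controller exemption instead of a substring match.

function csrf_make_token() {
    // 32 hex characters from the OS random source (PHP 5.3+).
    return bin2hex(openssl_random_pseudo_bytes(16));
}

function csrf_constant_time_equals($a, $b) {
    // hash_equals exists on PHP 5.6+; fall back to a manual constant-time loop.
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

function csrf_build_return_url($token_url, $token, $name = 'ci_csrf_token') {
    // Append the token as a query parameter, keeping any query string already present.
    $sep = (strpos($token_url, '?') === false) ? '?' : '&';
    return $token_url . $sep . rawurlencode($name) . '=' . rawurlencode($token);
}

function janrain_iframe_src($account, $return_url) {
    // The whole return URL, token included, is one encoded value of token_url.
    return 'https://' . $account . '.rpxnow.com/openid/embed?token_url=' . rawurlencode($return_url);
}

function csrf_verify_return($request_uri, $cookies, $name = 'ci_csrf_token', $cookie_name = 'ci_csrf_cookie') {
    // Token comes from the query string of the URL Janrain posted back to,
    // not from the POST body we do not control.
    $query = parse_url($request_uri, PHP_URL_QUERY);
    if ($query === null || $query === false || $query === '') {
        return false;
    }
    parse_str($query, $params);
    if (!isset($params[$name]) || !isset($cookies[$cookie_name])) {
        return false;
    }
    // Accept only well-formed tokens, then compare without leaking timing.
    $pattern = '/^[a-f0-9]{32}$/';
    if (!preg_match($pattern, $params[$name]) || !preg_match($pattern, $cookies[$cookie_name])) {
        return false;
    }
    return csrf_constant_time_equals($cookies[$cookie_name], $params[$name]);
}

function csrf_exempt_uri($request_uri, array $exempt_controllers) {
    // Match only the first path segment, so '/controller/...' is exempt but
    // '/controllerX' or '/admin/controller' are not, unlike stripos() on the URI.
    $path = parse_url($request_uri, PHP_URL_PATH);
    $segments = explode('/', trim((string) $path, '/'));
    return in_array($segments[0], $exempt_controllers, true);
}

// --- constructed demo: login page side, then the return request ---
$token = csrf_make_token();
$cookies = array('ci_csrf_cookie' => $token);   // what the login page set in the browser
$return_url = csrf_build_return_url('http://example.com/auth/openid_return', $token);
echo "iframe src: " . janrain_iframe_src('MYACCOUNT', $return_url) . "\n";

// Janrain posts back to the return URL; reconstruct the request URI the app sees.
$came_back = parse_url($return_url, PHP_URL_PATH) . '?' . parse_url($return_url, PHP_URL_QUERY);
echo "valid return:   " . var_export(csrf_verify_return($came_back, $cookies), true) . "\n";
echo "wrong token:    " . var_export(csrf_verify_return('/auth/openid_return?ci_csrf_token=' . str_repeat('0', 32), $cookies), true) . "\n";
echo "missing token:  " . var_export(csrf_verify_return('/auth/openid_return', $cookies), true) . "\n";

// Scoped exemption versus the substring match from the third answer.
echo "/controller/x exempt:     " . var_export(csrf_exempt_uri('/controller/x', array('controller')), true) . "\n";
echo "/admin/controller exempt: " . var_export(csrf_exempt_uri('/admin/controller', array('controller')), true) . "\n";
```

Two things to keep in mind with this design. The token travels through Janrain and may land in their logs and in Referer headers, so treat it as single-use and let CodeIgniter issue a fresh cookie once the login completes rather than reusing it for later forms. And the CSRF check only proves the browser that started the login is the one returning; the `token` field Janrain posts to token_url still has to be verified with Janrain's auth_info call before the user is signed in.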

0

Source: https://habr.com/ru/post/1784019/
