简体繁体 English

为Codeiginter页面创建Facebook Canvas应用时的CSRF设置问题

[英]CSRF Setting issues when creating Facebook Canvas App for a Codeiginter Page

原文 2013-09-04 07:43:16 7 1 php/ facebook/ codeigniter/ facebook-apps/ csrf

I've a codeigniter app, which works fine. 我有一个Codeigniter应用程序，可以正常工作。 I created a facebook canvas app, and tried loading a page generated by the codeigniter. 我创建了一个Facebook canvas应用，并尝试加载由codeigniter生成的页面。 It didn't work. 没用 And I got to see dreaded - "The action you have requested is not allowed". 我看到的是可怕的-“不允许您要求的操作”。 Just so to ensure my facebook app settings are right, I tried with a page from another site, and it worked. 为了确保我的facebook应用程序设置正确，我尝试了另一个站点的页面，并且该页面正常工作。

So started search for possible problems, I could figure out that it was because of CSRF protection=TRUE in cornfig settings. 因此开始搜索可能的问题，我发现这是因为cornfig设置中的CSRF protection = TRUE。 So I simply turned off CSRF protection to see, if would work. 因此，我只是关闭了CSRF保护，以查看是否可行。 Then, it worked and I could actually load codeigniter generated pages through Facebook Canvas App (Sandbox mode, though..) 然后，它起作用了，我实际上可以通过Facebook Canvas App加载codeigniter生成的页面（不过是沙盒模式。）

Some suggested if we hard code hidden field for csrf token, (instead of depending on form_open() function) we could avoid this rule, and by that logic, if we had a page, which has no form at all, should work fine. 有人建议，如果我们对csrf令牌的隐藏字段进行硬编码（而不是依赖于form_open（）函数），则可以避免使用此规则，并且按照这种逻辑，如果我们有一个完全没有形式的页面，则应该可以正常工作。 And I couldn't not load even pages that don't have a form. 而且我什至无法加载没有表单的页面。

And I'm not using AJAX anywhere. 而且我不在任何地方使用AJAX。

I'm using CI 2.1.3. 我正在使用CI 2.1.3。

One related link - http://ellislab.com/forums/viewthread/228160/#1038448 Though there are many similar questions on Stackoverflow and other forums, I couldn't find satisfactory answer. 一个相关链接-http://ellislab.com/forums/viewthread/228160/#1038448尽管Stackoverflow和其他论坛上有很多类似的问题，但我找不到令人满意的答案。

If I just see apache logs, I really don't feel turning off CSRF protection would be a good idea. 如果仅看到Apache日志，我真的不觉得关闭CSRF保护是个好主意。

So How do I make codeignter generated pages appear in facebook canvas app, without turning off CSRF protection? 那么，如何在不关闭CSRF保护的情况下使Codeignter生成的页面出现在facebook canvas应用中？

Any pointers will be useful. 任何指针都是有用的。 Thanks for you time. 谢谢您的时间。

1 个解决方案

The root cause of this problem is how Facebook call the app page iframe. 此问题的根本原因是Facebook如何调用应用程序页面iframe。 Facebook send a post by default a parameter (signed_request) in $_POST array. Facebook默认在$ _POST数组中向帖子发送一个参数（signed_request）。 But when Codeigniter checks for CSRF protection then no csrf token is found in post array. 但是，当Codeigniter检查CSRF保护时，则在后数组中找不到csrf令牌。

So apparently there is no straight forward solution for this. 因此，显然没有针对此的直接解决方案。 We can change the conditions in csrf_verify function in system\\core\\Security.php so that do not verify when there is value of $_POST['signed_request'], but I know that is not a good idea. 我们可以在system\\core\\Security.php中的csrf_verify函数中更改条件，以便不验证何时有$ _POST ['signed_request']值，但是我知道这不是一个好主意。