我有这个剩余的密码,该密码是从原始密码复制来的
public function _get_csrf_nonce()
{
$this->load->helper('string');
$key = random_string('alnum', 8);
$value = random_string('alnum', 20);
$this->session->set_flashdata('csrfkey', $key);
$this->session->set_flashdata('csrfvalue', $value);
return [$key => $value];
}
public function _valid_csrf_nonce(){
$csrfkey = $this->input->post($this->session->flashdata('csrfkey'));
if ($csrfkey && $csrfkey === $this->session->flashdata('csrfvalue'))
{
return TRUE;
}
return FALSE;
}
public function reset_password($code = NULL)
{
$this->lang->load('auth');
if (!$code)
{
show_404();
}
$this->data['title'] = $this->lang->line('reset_password_heading');
$user = $this->ion_auth->forgotten_password_check($code);
if ($user)
{
$this->form_validation->set_rules('new', $this->lang->line('reset_password_validation_new_password_label'), 'required|min_length[' . $this->config->item('min_password_length', 'ion_auth') . ']|matches[new_confirm]');
$this->form_validation->set_rules('new_confirm', $this->lang->line('reset_password_validation_new_password_confirm_label'), 'required');
if ($this->form_validation->run() === FALSE)
{
$this->data['message'] = (validation_errors()) ? validation_errors() : $this->session->flashdata('message');
$this->data['min_password_length'] = $this->config->item('min_password_length', 'ion_auth');
$this->data['new_password'] = [
'name' => 'new',
'id' => 'new',
'type' => 'password',
'class' => "form-control",
'pattern' => '^.{' . $this->data['min_password_length'] . '}.*$',
];
$this->data['new_password_confirm'] = [
'name' => 'new_confirm',
'id' => 'new_confirm',
'type' => 'password',
'class' => "form-control",
'pattern' => '^.{' . $this->data['min_password_length'] . '}.*$',
];
$this->data['user_id'] = [
'name' => 'user_id',
'id' => 'user_id',
'type' => 'hidden',
'value' => $user->id,
];
$this->data['csrf'] = $this->_get_csrf_nonce();
$this->data['code'] = $code;
$this->load->view('reset_password', $this->data);
}
else
{
$identity = $user->{$this->config->item('identity', 'ion_auth')};
if ($this->_valid_csrf_nonce() === FALSE || $user->id != $this->input->post('user_id'))
{
echo $this->session->flashdata('csrfkey').' - '.$this->session->flashdata('csrfvalue');
// something fishy might be up
//$this->ion_auth->clear_forgotten_password_code($identity);
//show_error($this->lang->line('error_csrf'));
}
else
{
// finally change the password
$change = $this->ion_auth->reset_password($identity, $this->input->post('new'));
if ($change)
{
// if the password was successfully changed
$this->session->set_flashdata('message', $this->ion_auth->messages());
redirect("home/login", 'refresh');
}
else
{
$this->session->set_flashdata('message', $this->ion_auth->errors());
redirect('home/reset_password/' . $code, 'refresh');
}
}
}
}
else
{
// if the code is invalid then send them back to the forgot password page
$this->session->set_flashdata('message', $this->ion_auth->errors());
redirect("home/forgot_password", 'refresh');
}
}
与原始身份验证视图相同的视图:
<?php echo form_open('home/reset_password/'.$code); ?>
<?php echo form_input($user_id);?>
<?php echo form_hidden($csrf); ?>
<div class="body bg-gray">
<div class="form-group">
<label for="password">* Password</label>
<?=form_input($new_password)?>
</div>
<div class="form-group">
<label for="password">* Confirm Password</label>
<?=form_input($new_password_confirm)?>
</div>
</div>
<div class="footer">
<button type="submit" class="login_btn">Change</button>
</div>
<?=form_close()?>
但是我总是会收到安全检查错误,当我打印csrf的会话时,尽管它以表单的形式存在并且不为空,但是在发送发布请求后我发现它为空。类似的代码可以与其他形式配合使用,并且可以通过安全检查,但是仍然存在问题。