I made a module named Gallery which works fine on my localhost with version 2.0.3, but when using version 2.1.0 on a remote site I can not submit a form and I get the error:
I have found that using the form helper functions helps. Example:
<?php echo form_open('controller/function');?>
<?php echo form_input('username', 'Username');?>
<?php echo form_close();?>
Using the helper functions like above should stop the CSRF error message from showing.
If I don't use echo form_input() and instead place just a normal input, it will trigger the CSRF error on reload.
<?php echo form_open('controller/function');?>
<input type="text" name="username" />
<?php echo form_close();?>
So I recommend using all form helper functions now.
It is an old question but this same problem did cost me so much time that I wanted to share what the problem was in my case. It may help someone.
I am using Codeigniter 3.0.6 and CommunityAuth 3 together with it and I was getting this error after a login.
It was confusing since the problem would sometimes happen and would not other times.
My 'base_url' in CI's config.php was set to something like 'www.mysite.com'
When you browse the site with 'mysite.com' (notice 'www' is not in the address) and you do a form submission that uses CI's 'base_url' setting, like CommunityAuth's login does, then the CSRF check fails and you get the 'The action you have requested is not allowed.' error.
It is a Codeigniter error related to the CSRF protection. You can cancel it in cms/config/config.php
I agree with @Jhourlad Estrella on fixing the problems instead of disabling a security feature, however I feel that the real problem is with the hidden input field that holds the token.
Instead of using plain HTML to create a form element, use the form_open() and form_close() helper functions. The reason is that the helper function automatically inserts the CSRF token as a hidden field in the form.
You could do this manually as well by adding the token as a hidden input field in the form:
<input type="hidden" name="csrf_hash_name" value="your-hash-value-here">
Doing it this way will allow you to stay protected from CSRF attacks and fix the problem you are having.
Hope this helps someone else out there as this was driving me nuts the first time figuring this out.
I have a form that was built outside of CI (in Joomla), but that I wanted to process with CI. My fix was to selectively disable csrf for specific referrers. I added this to config, directly after the default config options for csrf:
/* Set csrf off for specific referrers */
$csrf_off = array(
    "http://yourdomain.com/your-form-url",
    "http://yourdomain.com/some-other-url"
);
/* HTTP_REFERER is a client-supplied request header and may be absent */
if (isset($_SERVER["HTTP_REFERER"])) {
    /* only an exact match against the list above turns the check off */
    if (in_array($_SERVER["HTTP_REFERER"], $csrf_off, true)) {
        $config['csrf_protection'] = false;
    }
}
This disables csrf protection for specific URLs in the $csrf_off array, but leaves it intact for all other requests.
This error is thrown by the function csrf_show_error() in system/core/Security.php when the CSRF token in $_COOKIE doesn't match your $_POST['csrf_token_name'].
Inside config.php, I had to ensure that $config['cookie_domain'] matched $config['base_url'], without the protocol (i.e. http(s)://).
Otherwise, the cookie wasn't being passed, which meant the match couldn't be made.
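Added example, not code from any of the answers above or from CodeIgniter itself: the manual hidden-field approach from the earlier answer, written with CI_Security's get_csrf_token_name() and get_csrf_hash(), followed by a stand-alone model of the cookie-versus-POST comparison that Security.php performs, so the three failure modes discussed on this page (plain input without the hidden field, cookie not sent because of cookie_domain, helper-generated form) can be exercised offline. The token and cookie names in $config are assumed sample values.

```php
<?php
// Added example (not from the original answers): manual CSRF field plus a
// stand-alone re-creation of the cookie-vs-POST check done by Security.php.

// --- In a CI view: manual hidden field, equivalent to what form_open() adds.
//     get_csrf_token_name() / get_csrf_hash() are CI_Security methods.
/*
<form method="post" action="<?php echo site_url('controller/function'); ?>">
  <input type="hidden"
         name="<?php echo $this->security->get_csrf_token_name(); ?>"
         value="<?php echo $this->security->get_csrf_hash(); ?>">
  <input type="text" name="username">
</form>
*/

// --- Stand-alone model of the check. Assumed sample names; the real ones
//     come from application/config/config.php.
$config = [
    'csrf_token_name'  => 'csrf_test_name',
    'csrf_cookie_name' => 'csrf_cookie_name',
];

/**
 * True when the token posted with the form matches the one the browser sent
 * back in the cookie; false is the case that produces
 * "The action you have requested is not allowed."
 */
function csrf_matches(array $config, array $cookie, array $post): bool
{
    $cookieToken = $cookie[$config['csrf_cookie_name']] ?? null;
    $postToken   = $post[$config['csrf_token_name']] ?? null;
    // Both values must be present, be strings and be non-empty.
    if (!is_string($cookieToken) || !is_string($postToken)
        || $cookieToken === '' || $postToken === '') {
        return false;
    }
    // Constant-time comparison so timing does not leak the token.
    return hash_equals($cookieToken, $postToken);
}

$hash = bin2hex(random_bytes(16));   // constructed token for this demo

// Scenario 1: helper-generated form, cookie and hidden field carry the same token.
var_dump(csrf_matches($config, ['csrf_cookie_name' => $hash],
                               ['csrf_test_name' => $hash]));
// Scenario 2: plain <input> form with no hidden token field.
var_dump(csrf_matches($config, ['csrf_cookie_name' => $hash], []));
// Scenario 3: cookie_domain does not match the host, so no cookie arrives.
var_dump(csrf_matches($config, [], ['csrf_test_name' => $hash]));
```

Only scenario 1 passes the check; scenarios 2 and 3 are exactly the situations the answers above trace the error back to.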