CSRF in the config.php file

How Do I?

5BYFIVE Creative
159 posts
10 years ago

I’m having a problem with a Freeform form giving me a “form expired” error. I did a Google search and found some things about turning off CSRF protection in the config.php file. They say to add `$config['disable_csrf_protection'] = "y";`, but I noticed `$config['csrf_protection'] = FALSE;` is already there. Is that the same thing? I imagine it might have been updated in a newer version of EE. The site is using EE v2.9.3. Thanks!

       
Derek Jones
7,561 posts
10 years ago

You don’t want to disable CSRF, especially on a form that is gathering data for later display. Is the page being cached by a proxy or something that would be serving you a stale form?

       
5BYFIVE Creative
159 posts
10 years ago

> You don’t want to disable CSRF, especially on a form that is gathering data for later display. Is the page being cached by a proxy or something that would be serving you a stale form?

Thanks Derek, I don’t remember deactivating it using `$config['csrf_protection'] = FALSE;`, is that the same thing as `$config['disable_csrf_protection'] = "y";`? Should it be set to TRUE?

       
Derek Jones
7,561 posts
10 years ago

That’s not the same, no, and in fact only one of those is an actual override variable. Did you figure out why you are getting that error? Perhaps Solspace could assist.

       
5BYFIVE Creative
159 posts
10 years ago

> That’s not the same, no, and in fact only one of those is an [actual override variable](https://ellislab.com/expressionengine/user-guide/general/system_configuration_overrides.html#disable-csrf-protection). Did you figure out why you are getting that error? Perhaps Solspace could assist.

ok thanks, still not sure, it’s kind of random so it’s hard to diagnose. I will do more testing though.

       
Derek Jones
7,561 posts
10 years ago

Is this collecting data from a guest or a logged in member?

       
5BYFIVE Creative
159 posts
10 years ago

> Is this collecting data from a guest or a logged in member?

Today the client got bit by this form expired stuff…guests are using the form, not logged in members.

       
Derek Jones
7,561 posts
10 years ago

Gotcha. So for visitors, CSRF is cookie-bound and expires in 2 hours, so if they leave a page open for longer than 2 hours, they will get that error. Does that sound like the behavior you’re seeing?
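
The two failure modes raised in this thread (a guest token older than 2 hours, and a proxy-cached page handing one visitor's token to another), as an added example that is not part of any post here and is not ExpressionEngine's code. It is a simplified PHP model; `GuestCsrfStore`, its methods, the cookie ids and the timestamp are hypothetical.

```php
<?php
// Simplified model of a cookie-bound CSRF token with a fixed lifetime.
// Assumption: not ExpressionEngine's code; class, method and cookie names are hypothetical.
const CSRF_TTL = 7200; // 2 hours, the guest lifetime stated in the thread

final class GuestCsrfStore
{
    private array $byCookie = []; // visitor cookie id => ['token' => ..., 'issued' => ...]

    // Rendering a form page issues a token bound to the visitor's cookie.
    public function issue(string $cookieId, int $now): string
    {
        $token = bin2hex(random_bytes(20));
        $this->byCookie[$cookieId] = ['token' => $token, 'issued' => $now];
        return $token;
    }

    // On POST: returns 'ok' or the reason the submission is rejected.
    public function check(string $cookieId, string $submitted, int $now): string
    {
        $rec = $this->byCookie[$cookieId] ?? null;
        if ($rec === null) {
            return 'rejected: no token for this cookie';
        }
        if ($now - $rec['issued'] > CSRF_TTL) {
            return 'rejected: token expired';
        }
        return hash_equals($rec['token'], $submitted) ? 'ok' : 'rejected: token mismatch';
    }
}

$store = new GuestCsrfStore();
$t0 = 1700000000; // constructed timestamp

// 1. Visitor A loads the form and submits 10 minutes later.
$tokenA = $store->issue('cookie-A', $t0);
echo 'fresh submit: ', $store->check('cookie-A', $tokenA, $t0 + 600), "\n";

// 2. Visitor A leaves the page open for 3 hours before submitting.
echo 'stale tab: ', $store->check('cookie-A', $tokenA, $t0 + 3 * 3600), "\n";

// 3. A proxy cached the HTML rendered for A and serves it to visitor B,
//    who has no token of their own yet.
echo 'cached page, new visitor: ', $store->check('cookie-B', $tokenA, $t0 + 600), "\n";

// 4. B already holds their own token, but the cached markup still carries A's.
$store->issue('cookie-B', $t0 + 300);
echo 'cached page, returning visitor: ', $store->check('cookie-B', $tokenA, $t0 + 600), "\n";
```

In this model a reload that reaches the application re-issues a token for the current cookie, so cases 2 to 4 clear on refresh unless the reload is itself served from cache.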

       
5BYFIVE Creative
159 posts
10 years ago

> Gotcha. So for visitors, CSRF is cookie-bound and expires in 2 hours, so if they leave a page open for longer than 2 hours, they will get that error. Does that sound like the behavior you’re seeing?

Derek, it could be, I ran into the same problem during development randomly, so it might have happened when I had the page open for a while. Is there any way around this?

       
5BYFIVE Creative
159 posts
10 years ago

This morning I loaded up the form, and got the same error even though the page hasn’t been open and I haven’t used my computer for hours. But it worked ok after a refresh of the page.

       
Pedro Guimaraes
170 posts
10 years ago

Any chance you’re using Varnish? You could also disable CSRF for the form only. Back up your database. Locate the FreeForm action in exp_actions and:

UPDATE exp_actions SET csrf_exempt = 1 WHERE action_id = x;
       
