Jump to content

The CSRF protection key did not match in my own app on 4.5

Recommended Posts

After updating core to 4.5 my own custom app has problems.
In ACP, in my ACPs app modules, when i put some &request to URL there appears an CSRF error. 
For example:

  • admin/?app=something&module=main&controller=something - works good
  • admin/?app=something&module=main&controller=something&request=1 - appears CSRF error

It appears only to my own app which im now creating and after updating IPS to 4.5. Before IPS update it was working like a charm..

I have tried:

  • Rebuilding an app
  • Clearing cache
  • Creating new theme / using default theme
  • Restarted php/nginx
  • Tried to find errors in my app
  • Tried to update today IPS to 4.5.1 and problem still exists.


I have seen in IPS 4.5 there is no &addsess in ACP URIs but probably that's not a reason

Edited by Mac1
Link to comment
Share on other sites

5 minutes ago, Adriano Faria said:

You have to add this to your Admin CP controllers:

public static $csrfProtected = TRUE;

That’s because they removed the session ID from ACP URLs.

Thank you very much!

Link to comment
Share on other sites

By the way, that’s not all. You’ll have to add the CSRF checking in all your links for the same matter, otherwise anyone that knows URLs from your ACP controllers will be able to “execute” them. So in your links and buttons, add:

\IPS\Http\Url::internal( "app... ...&do=something”)->csrf();

Then on something(), you start with:


confirmedDelete() should be used you try to delete something and used the data-confirm in links or 

'data' => array( 'delete' => '' )

in buttons .

Take a look in any official app ACP controllers. 

Edited by Adriano Faria
Link to comment
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...