Yes, in my backend/application/config/config.php:
Code:
$config['global_xss_filtering'] = FALSE;
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'dp_csrf_tk';
$config['csrf_cookie_name'] = 'dp_csrf_ck';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();
I remade the controller, setting name/hash:
Code:
$data['csrf'] = array(
    'name' => $this->security->get_csrf_token_name(),
    'hash' => $this->security->get_csrf_hash()
);
$this->load->view( 'categories/edit', $data );
But it seems that was not the cause of the problem.
In my form there is a line like:
Code:
<input type="hidden" name="dp_csrf_tk" value="b0e299db72dba3d32fa60565ebe05662" />
This page is a category editor with 2 fields (name, description) and a listing of images. Without the hidden input above,
trying to submit this form I got the error:
The action you have requested is not allowed.
But this CSRF protection is for the form with the POST method. I upload / show / delete images with the methods I mentioned above.
So in the source I see 2 similar methods, one working OK, the second raising error 403 (Forbidden):
VALID REQUEST:
Code:
var post_data = {
    'dp_csrf_tk' : 'aeebc203bca894d36aad8d41e04f43de'
};
alert( "loadCategoryImages LISTING post_data::" + var_dump(post_data) );
jQuery.ajax({
    url: "http://local-displo-wp.com/backend/en/categories/load_category_images?category_id=" + category_id + "&category_name=" + encodeURIComponent(category_name),
    type: 'POST',
    data: post_data,
    dataType: 'json',
    success: function(result) {
        ...
    }
});
INVALID REQUEST with error 403 (Forbidden):
Code:
var post_data = {
    'dp_csrf_tk' : 'aeebc203bca894d36aad8d41e04f43de'
};
alert( "deleteCategoryImage post_data::" + var_dump(post_data) );
jQuery.ajax({
    url: "http://local-displo-wp.com/backend/en/categories/delete_category_image?category_id=" + encodeURIComponent(category_id) + '&image_name=' + encodeURIComponent(image_name),
    type: 'POST',
    data: post_data,
    dataType: 'json',
    success: function(result) {
        ...
    }
});
I do not see the difference...
And putting the URL from the second (wrong) request in the config:
PHP Code:
$config['csrf_exclude_uris'] = array('categories/delete_category_image');
I have the same error 403 (Forbidden).
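Both AJAX calls above send the same hard-coded token, and the config has $config['csrf_regenerate'] = TRUE, so CodeIgniter issues a fresh token after each POST and the value captured at page load is only accepted once. Below is an added example (not the poster's code) that reads the current token from the cookie named by $config['csrf_cookie_name'] right before each request; the cookie and field names are taken from the config shown above, and the sample cookie string in the test is constructed.

```javascript
// Added example, not the poster's code. Reads the live CodeIgniter CSRF token
// from the cookie named in $config['csrf_cookie_name'] and sends it in the
// POST field named in $config['csrf_token_name'], so every request carries the
// token CodeIgniter issued most recently (needed with csrf_regenerate = TRUE).
const CSRF_COOKIE_NAME = 'dp_csrf_ck'; // from the poster's config.php
const CSRF_TOKEN_NAME = 'dp_csrf_tk';  // from the poster's config.php

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Build one POST body: the CSRF field first, then the request's own fields.
// A missing cookie is reported here rather than surfacing later as a 403.
function buildPostData(cookieString, fields) {
  const token = parseCookies(cookieString)[CSRF_COOKIE_NAME];
  if (!token) throw new Error('CSRF cookie ' + CSRF_COOKIE_NAME + ' is not set');
  return Object.assign({ [CSRF_TOKEN_NAME]: token }, fields);
}

// Describe the delete request from the post (URL and encoding unchanged);
// the caller passes the returned object straight to jQuery.ajax.
function deleteCategoryImageRequest(cookieString, categoryId, imageName) {
  const base = 'http://local-displo-wp.com/backend/en/categories/delete_category_image';
  return {
    url: base + '?category_id=' + encodeURIComponent(categoryId)
      + '&image_name=' + encodeURIComponent(imageName),
    type: 'POST',
    dataType: 'json',
    data: buildPostData(cookieString, {}),
  };
}

// Browser usage:
//   jQuery.ajax(deleteCategoryImageRequest(document.cookie, category_id, image_name));
```

This only works when the CSRF cookie is readable from script, i.e. $config['cookie_httponly'] is FALSE in CodeIgniter; the same helper can replace the hard-coded post_data in the listing request as well.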