Ajax with CSRF causing a Double Post to controller
#1

Hi,

I have a system working, and I have narrowed it down to the CSRF in CI.

Currently using 3.1.9, so latest v3.

My config.php looks like this in the CSRF section:


PHP Code:
$config['csrf_protection'] = True;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array('aaa/bbb'); 


With csrf_protection set to false, the Ajax and controller work fine. The email at the end of my form sends and the return codes are all correct.

If, however, I set csrf_protection to true, things fall apart rather quickly. The issue is not that the CSRF is failing to validate; that passes fine. I am sending the CSRF tokens and name correctly, so that is fine. The logs back me up on this.

The issue is that when the CSRF protection is in play, the Ajax call is run through the whole system twice. From the logs, it looks like the Ajax call is made twice; however, the second time, the data payload (JSON) is missing.

This has the effect of failing the call. As far as I can tell, there is only one call on the web server (according to the Apache log).

I don't know why it would be called twice, there is no Route, it is a standard controller with nothing special.

My current workaround is to exclude the URL in the csrf_exclude_uris array. But obviously, as this is part of a contact form, I would rather have the protection in place.

I know the code is good, because even while the Ajax return is a failure from the controller, the email that needs to be sent is actually sent, so the contact works, but the feedback is wrong, because the browser is told there is no data in the request. The first time it sends the email; the second time, without data, it fails.

If anyone has any idea, where the second call is initiated, I would be grateful.

I can post code, if necessary, but I am not sure that will help.

Thanks for your time and help.


Messages In This Thread
Ajax with CSRF causing a Double Post to controller - by Chroma - 10-01-2018, 05:51 AM
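
With `csrf_regenerate` set to TRUE as in the config quoted in the post, CodeIgniter 3 issues a new token after each POST, so a token cached in the page goes stale after the first Ajax call. The following is an added example, not code from the poster or from CodeIgniter: a client-side helper that re-reads the token from the CSRF cookie before every request, which keeps the endpoint protected instead of listing it in `csrf_exclude_uris`. It assumes an empty `cookie_prefix`, a script-readable cookie (`cookie_httponly` FALSE), a form-encoded body, and a hypothetical `contact/send` endpoint; the cookie values are constructed.

```javascript
// Added example: names come from the config.php quoted in the post.
const CSRF_TOKEN_NAME = 'csrf_test_name';     // $config['csrf_token_name']
const CSRF_COOKIE_NAME = 'csrf_cookie_name';  // $config['csrf_cookie_name']

// Return the value of one cookie from a "k=v; k2=v2" string, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build a form-encoded POST body carrying the token that is current *now*.
// Assumption: the token travels as a POST field and the cookie is readable.
function buildCsrfBody(fields, cookieString) {
  const token = readCookie(cookieString, CSRF_COOKIE_NAME);
  if (token === null) {
    throw new Error('CSRF cookie missing; reload the form before posting');
  }
  const body = new URLSearchParams(fields);
  body.set(CSRF_TOKEN_NAME, token);
  return body.toString();
}

// Browser usage; the URL passed in (e.g. 'contact/send') is hypothetical.
async function postWithCsrf(url, fields) {
  const res = await fetch(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildCsrfBody(fields, document.cookie), // re-read on every call
  });
  return res.json();
}

// Constructed sample: the cookie jar before and after one successful POST.
const beforePost = 'ci_session=abc123; csrf_cookie_name=1f3870be274f6c49b3e31a0c6728957f';
const afterPost = 'ci_session=abc123; csrf_cookie_name=9d5ed678fe57bcca610140957afab571';
console.log(buildCsrfBody({ email: 'a@example.com' }, beforePost));
console.log(buildCsrfBody({ email: 'a@example.com' }, afterPost));
```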


