AJAX and CSRF in CI 4.0.4
#3

(12-19-2020, 10:43 AM)chirinolopez71 Wrote: My apologies, the problem was that I had the Config/Filter.php file incorrectly configured, it had a double check indicated. Just put something like this:
public $methods = ['post' => ['csrf']];
Everything else was fine.

--

Hello everyone.
I am new here, but I have already searched and read various things and I cannot find the real and effective solution to my problem.
I have the classic CSRF and AJAX problem, in CodeIgniter 4.0.4. I'm using jQuery 3.5.1 too.


My myFunction() function is automatically executed when the page loads, with jQuery's $(document).ready(function () {...}),
and it is defined in a .js file, as follows:

// Assumed to be defined elsewhere on the page (globals): url, csrfName,
// csrfValue, varHdrName and varValue.
var myFunction = function() {
  function onMyFunctionReceived(jsonAnswer) {
     //bla, bla bla
  }
  function onMyFunctionError() {
    //bla, bla bla
  }
  $.ajax({
    url: url,
    // Computed property name: the token is sent under the field name CI expects
    data: {[csrfName]: csrfValue, data1: "value1", data2: "value2"},
    type: "POST",
    dataType: "json",
    // Extra request header, also keyed by a variable name
    headers: {[varHdrName]: varValue},
    success: onMyFunctionReceived,
    error: onMyFunctionError
  });
};


The name of the variable where CSRF should be sent and its value are already stored in the global variables, called csrfName and csrfValue respectively.
When the function is run, it fails, returning the classic error: "The action you requested is not allowed."
However, I am correctly passing the variable with the value of the CSRF.


Adding to the LOG file the names and values of the CSRF variables, the COOKIES, POST and BODY, in the file system/Security/Security.php, we can see that the CSRF is evaluated twice, and the first time it is evaluated, the value of the CSRF is removed from the POST and the COOKIES; therefore, when the second evaluation is done, it fails because it does not find the COOKIE with the value of the CSRF.
   *** LOG ***
INFO - 2020-12-19 12:26:10 --> CSRF cookie sent
INFO - 2020-12-19 12:26:10 --> Session: Class initialized using 'CodeIgniter\Session\Handlers\FileHandler' driver.
INFO - 2020-12-19 12:26:10 --> CSRF cookie sent
INFO - 2020-12-19 12:26:10 --> Session: Class initialized using 'CodeIgniter\Session\Handlers\FileHandler' driver.
ERROR - 2020-12-19 12:26:10 -->
-- NEW LOGS ADDED --
CSRFTokenName=t-csrf
CSRFHeaderName=X-CSRF
CSRFCookieName=c-csrf
X-CSRF=f3c1a1fa145e0a4fb5fbc2aaf17a6870
CSRFTokenValue=f3c1a1fa145e0a4fb5fbc2aaf17a6870
Cookies:
array (
  '__utma' => '111872281.366969516.1588867189.1588867189.1588867189.1',
  '_ga' => 'GA1.1.366969516.1588867189',
  '_gcl_au' => '1.1.1182337209.1601045778',
  '_ga_R5V3Y98M6D' => 'GS1.1.1601045778.1.0.1601045778.0',
  '_hjid' => 'dc013f72-0840-401c-9850-b5a19a1e0467',
  '_fbp' => 'fb.0.1601045787964.1964750528',
  'debug-bar-tab' => 'ci-events',
  'c-csrf' => 'f3c1a1fa145e0a4fb5fbc2aaf17a6870',
  'ci_session' => 'qqtk23outqekabjoidjlgkkll7ft9v4v',
  'debug-bar-state' => 'open',
)
BODY:
t-csrf=f3c1a1fa145e0a4fb5fbc2aaf17a6870&data1=value1&data2=value2

POST:
array (
  't-csrf' => 'f3c1a1fa145e0a4fb5fbc2aaf17a6870',
  'data1' => 'value1',
  'data2' => 'value2',
)
-- END of NEW LOGS ADDED --

INFO - 2020-12-19 12:26:10 --> CSRF cookie sent
INFO - 2020-12-19 12:26:10 --> CSRF token verified
ERROR - 2020-12-19 12:26:10 -->
-- NEW LOGS ADDED --
CSRFTokenName=t-csrf
CSRFHeaderName=X-CSRF
CSRFCookieName=c-csrf
X-CSRF=f3c1a1fa145e0a4fb5fbc2aaf17a6870
CSRFTokenValue=f3c1a1fa145e0a4fb5fbc2aaf17a6870
Cookies:
array (
  '__utma' => '111872281.366969516.1588867189.1588867189.1588867189.1',
  '_ga' => 'GA1.1.366969516.1588867189',
  '_gcl_au' => '1.1.1182337209.1601045778',
  '_ga_R5V3Y98M6D' => 'GS1.1.1601045778.1.0.1601045778.0',
  '_hjid' => 'dc013f72-0840-401c-9850-b5a19a1e0467',
  '_fbp' => 'fb.0.1601045787964.1964750528',
  'debug-bar-tab' => 'ci-events',
  'ci_session' => 'qqtk23outqekabjoidjlgkkll7ft9v4v',
  'debug-bar-state' => 'open',
)
BODY:
t-csrf=f3c1a1fa145e0a4fb5fbc2aaf17a6870&data1=value1&data2=value2

POST:
array (
  'data1' => 'value1',
  'data2' => 'value2',
)
-- END of NEW LOGS ADDED --

CRITICAL - 2020-12-19 12:26:10 --> The action you requested is not allowed.
#0 \myPath\\syst\Security\Security.php(235): CodeIgniter\Security\Exceptions\SecurityException::forDisallowedAction()
#1 \myPath\\syst\Filters\CSRF.php(88): CodeIgniter\Security\Security->CSRFVerify(Object(CodeIgniter\HTTP\IncomingRequest))
#2 \myPath\\syst\Filters\Filters.php(173): CodeIgniter\Filters\CSRF->before(Object(CodeIgniter\HTTP\IncomingRequest), NULL)
#3 \myPath\\syst\CodeIgniter.php(382): CodeIgniter\Filters\Filters->run('url...', 'before')
#4 \myPath\\syst\CodeIgniter.php(312): CodeIgniter\CodeIgniter->handleRequest(NULL, Object(Config\Cache), false)
#5 \myPath\\public\index.php(45): CodeIgniter\CodeIgniter->run()
#6 {main}

   *** END of LOG ***

Please can you help me with this?
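As an added illustration (not the poster's own file and not the framework's shipped config), the two ways of registering the csrf filter in app/Config/Filters.php side by side. The class layout and alias names follow the stock CI 4.0.x Filters config; the exact shape of the poster's original "double check" is an assumption, reconstructed from the log above, which shows the filter running twice and the second run finding the token already stripped from POST and the cookie regenerated.

```php
<?php
// app/Config/Filters.php, CodeIgniter 4.0.x (illustrative, not the poster's file)
namespace Config;

use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;
use CodeIgniter\Filters\DebugToolbar;
use CodeIgniter\Filters\Honeypot;

class Filters extends BaseConfig
{
    // Short names for the filter classes used below
    public $aliases = [
        'csrf'     => CSRF::class,
        'toolbar'  => DebugToolbar::class,
        'honeypot' => Honeypot::class,
    ];

    // WRONG (assumed shape of the "double check"): csrf is listed as a global
    // "before" filter AND as a method filter for POST, so it runs twice on
    // every POST. The first run verifies the token, removes it from $_POST and
    // sends a fresh cookie; the second run finds neither and throws
    // "The action you requested is not allowed".
    //
    // public $globals = [
    //     'before' => ['csrf'],
    //     'after'  => ['toolbar'],
    // ];
    // public $methods = [
    //     'post' => ['csrf'],
    // ];

    // CORRECT: register csrf in exactly one place. Limiting it to POST (as the
    // poster did) means the state-changing method is always checked, while
    // GET requests are neither checked nor consume a token.
    public $globals = [
        'before' => [
            // 'honeypot',
        ],
        'after' => [
            'toolbar',
            // 'honeypot',
        ],
    ];

    public $methods = [
        'post' => ['csrf'],
    ];

    // URI-pattern filters; none needed for this case
    public $filters = [];
}
```

A related caveat for the AJAX side: with `CSRFRegenerate` left at its default of true in app/Config/App.php, every successful verification issues a new token (the log shows "CSRF cookie sent" right after "CSRF token verified"), so a client that caches csrfValue once at page load will fail on its second POST. Re-read the token from the cookie or from the response before each request rather than storing it once.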


Messages In This Thread
AJAX and CSRF in CI 4.0.4 - by chirinolopez71 - 12-19-2020, 10:43 AM
RE: AJAX and CSRF in CI 4.0.4 - by InsiteFX - 12-19-2020, 01:31 PM
RE: AJAX and CSRF in CI 4.0.4 - by chirinolopez71 - 12-19-2020, 02:31 PM
RE: AJAX and CSRF in CI 4.0.4 - by brabus - 12-20-2020, 08:27 AM
RE: AJAX and CSRF in CI 4.0.4 - by JrengGo - 03-02-2022, 09:34 PM


