csrf, ajax and form
Hi people, as I wrote in the thread subject I'm here to ask something about the csrf_regenerate.
The first question is: is csrf_regenerate needed? In my website I set csrf_regenerate = TRUE and in each view I inserted a hidden input and, when the ajax call is completed, I refresh the value of this input with the php response. But there is a problem. If I have two browser tabs open on the same page and I do an ajax request, everything works fine on the page I am looking at, but if I switch to the other tab I get the 403 error on each ajax request. So I don't know how to fix that, and so I was wondering: is csrf_regenerate really important?
Google Search is your friend.
You can try this. It uses the jQuery Cookie Plugin and was written for CodeIgniter 2.x, but should still work with the 3.x versions. You will need to download the jQuery Plugin. Here is the article and code: CodeIgniter CSRF Protection With Ajax. What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
(08-05-2017, 05:29 AM)InsiteFX Wrote: Google Search is your friend. Uh, that solves my problem. I hadn't found this page when I searched on Google. However, why is csrf_regenerate so important?
To stop a hack from using it if they get their hands on it.
Ya that was from the old days in CodeIgniter, we had some great minds in here but most of them left when they started looking for a new home for CodeIgniter. What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
(08-05-2017, 06:16 AM)theedo Wrote:(08-05-2017, 05:29 AM)InsiteFX Wrote: Google Search is your friend.
Once you post data, either by a traditional post or within an AJAX call, the csrf token is outdated and must be regenerated by the server. Otherwise it is useless because it is open to forgery. The CI server will not accept the same token twice. This is managed automatically when you use CodeIgniter form helpers and you are regenerating your page and form from CI. But with ajax you have to do it manually. In your ajax controller you need to regenerate and pass back a new token:
Code:
$ajax_data['csrf_hash'] = $this->security->get_csrf_hash();
You will need a way to store the token name and hash value that is sent from the ajax controller. The following view code creates a hidden field to store the name and hash.
Code:
<input type="hidden" name=<?php echo json_encode($this->security->get_csrf_token_name()); ?> value=<?php echo json_encode($this->security->get_csrf_hash()); ?>>
Note: If your page also contains a non-ajax CI form it will automatically create the hidden field with this csrf token name. Every time you do an ajax post you will need to update this hidden field.