$config['csrf_protection'] = FALSE; if true my website error
#1

Hello,
I already have a website running well, but in order to make it more secure, I did this:

In config.php it comes as $config['csrf_protection'] = FALSE;
I changed it to = TRUE, but this error happens:

DataTables warning: table id=mytable - Ajax error. For more information about this error, please see http://datatables.net/tn/7

Is there something I must do when changing from false to true?
#2

(This post was last modified: 03-10-2019, 09:02 AM by dave friend.)

(03-10-2019, 08:37 AM)kelapamuda Wrote: Hello,
I already have a website running well, but in order to make it more secure, I did this:

In config.php it comes as $config['csrf_protection'] = FALSE;
I changed it to = TRUE, but this error happens:

DataTables warning: table id=mytable - Ajax error. For more information about this error, please see http://datatables.net/tn/7

Is there something I must do when changing from false to true?
It might be that you are not posting the CSRF name and token when making the ajax call. Without that name/value pair the error you're getting will occur if you are using $config['csrf_protection'] = TRUE.

If you are POSTing that data you could try the following:
PHP Code:
$config['csrf_protection'] = TRUE;
$config['csrf_regenerate'] = FALSE;

That will prevent the CSRF token from changing after each POST request is received at the server. Failure to use the "current" CSRF token will cause the error you're getting.

Or you could add the ajax URL to the whitelist of endpoints that don't require CSRF tokens, e.g.
PHP Code:
$config['csrf_exclude_uris'] = array('your_controller/and_method');

Or you could have each ajax request return the values from $this->security->get_csrf_token_name() and $this->security->get_csrf_hash() so you can update the page with the new CSRF token using JavaScript. From experience I've found this approach to be the most difficult to implement.
#3

And, in my mind, with $config['csrf_protection'] = TRUE; at least my login form will be more secure, is that right?
#4

I send the CSRF along when submitting anything by POST. I do it all in jQuery however.

PHP Code:
<script>
    $("#discord-unsync").click(function(event) {
        event.preventDefault();

        $.ajax({
            type: "POST",
            url: "<?=base_url('auth/unsync_discord')?>",
            // send the CSRF name/hash pair that the view printed into the page
            data: {
                <?php echo $this->security->get_csrf_token_name();?>: '<?php echo $this->security->get_csrf_hash();?>',
            }
        });
    });
</script>
#5

(03-11-2019, 09:55 PM)kelapamuda Wrote: And, in my mind, with $config['csrf_protection'] = TRUE; at least my login form will be more secure, is that right?

Yes, it is more secure and highly recommended. Likewise for setting $config['csrf_regenerate'] = TRUE;

But you have to be aware of how those settings affect program flow. In particular, the effect it has when using JavaScript to POST to the server. The scripts, both PHP and JavaScript, need to take into account what causes the CSRF hash to change and respond appropriately.
#6

(This post was last modified: 04-01-2019, 03:32 AM by mihaic.)

(03-12-2019, 06:43 AM)fabby Wrote: I send the CSRF along when submitting anything by POST. I do it all in jQuery however.

PHP Code:
<script>
    $("#discord-unsync").click(function(event) {
        event.preventDefault();

        $.ajax({
            type: "POST",
            url: "<?=base_url('auth/unsync_discord')?>",
            // send the CSRF name/hash pair that the view printed into the page
            data: {
                <?php echo $this->security->get_csrf_token_name();?>: '<?php echo $this->security->get_csrf_hash();?>',
            }
        });
    });
</script>

Bear in mind that if you have:
Code:
$config['csrf_regenerate'] = TRUE;

the above will work only with the first POST.
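One way to implement the token refresh dave friend describes in #2, which is what mihaic's note in #6 calls for once csrf_regenerate is TRUE, as added example code (not from any poster and not CodeIgniter's own): a jQuery-style callback transport is assumed, the server stand-in is constructed, and the token name `csrf_token` and the `hash-N` values are made-up.

```javascript
// Client-side CSRF token holder for csrf_regenerate = TRUE. Each POST sends the
// current name/hash and adopts the fresh pair the JSON reply carries (the values
// the controller returns from get_csrf_token_name()/get_csrf_hash()).
// `transport(url, body, onDone)` stands in for $.ajax; onDone(status, json).
function createCsrfClient(initialName, initialHash, transport) {
  let name = initialName, hash = initialHash;  // seeded from the PHP view
  return {
    post(url, payload, onDone) {
      const body = Object.assign({}, payload, { [name]: hash });
      transport(url, body, (status, json) => {
        if (status === 200 && json.csrf_name && json.csrf_hash) {
          name = json.csrf_name;   // adopt regenerated token before next POST
          hash = json.csrf_hash;
        }
        onDone(status, json);
      });
    },
  };
}

// Constructed stand-in for the server (not CodeIgniter itself): accepts only the
// current token, answers 403 otherwise, and issues a new hash after every
// accepted POST, which is what csrf_regenerate = TRUE does.
function createRegeneratingServer(tokenName, firstHash) {
  let expected = firstHash, issued = 0;
  return (url, body, onDone) => {
    if (body[tokenName] !== expected) {
      return onDone(403, { error: 'The action you have requested is not allowed.' });
    }
    expected = 'hash-' + (++issued);  // constructed; CI uses a random hex string
    onDone(200, { ok: true, csrf_name: tokenName, csrf_hash: expected });
  };
}

// Two POSTs that keep sending the token printed into the page: [200, 403].
function naiveTwoPosts(server, tokenName, firstHash) {
  const statuses = [];
  for (let i = 0; i < 2; i++) {
    server('/auth/unsync_discord', { [tokenName]: firstHash }, (s) => statuses.push(s));
  }
  return statuses;
}

// Two POSTs through the synced client: [200, 200].
function syncedTwoPosts(server, tokenName, firstHash) {
  const client = createCsrfClient(tokenName, firstHash, server);
  const statuses = [];
  for (let i = 0; i < 2; i++) {
    client.post('/auth/unsync_discord', {}, (s) => statuses.push(s));
  }
  return statuses;
}
```

In a real page the controller would add the two csrf_* fields to its JSON reply and the client would also copy the new hash into any hidden form inputs, not just its own variable.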