CodeIgniter Forums

CSRF Token with ajax
Hi, I wanna make a user edit page, a page that uses ajax to save settings.
Also on that page I would like to use csrf protection.
So .. on my form I use: <?php echo form_hidden($csrf); ?> to generate the code:

Code:
<input type="hidden" name="nDR0S3dw" value="xVcuF6swebLtUEJySNW3" /> <!-- for example -->

When I press save changes the first time it works great ... but the second time it will fail, because the token is generated on every refresh, and if I do not refresh the page with the form I will have the same token in the hidden input.
The function that verifies the token is in the attached picture and is the one from the ion auth library.


I found a resolution, but is it still secure? I attached 2 new screenshots.
I can't tell if this is what you are doing, but, generally speaking, I would just pass the CSRF Token name and hash (as retrieved by $this->security->get_csrf_token_name() and $this->security->get_csrf_hash()) in my response, then create the hidden input for the new token/hash pair in the AJAX success method.
Well, I do the same. In my response I create the new hidden input in the csrf div every time.
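The flow discussed in this thread, as an added example that is not code from any of the posts or from CodeIgniter or ion auth: it saves twice from one page load, once without and once with the step of copying the returned token name and hash into the hidden input. Assumptions: `makeServer`, `submit`, `demo` and the `csrf` response field are hypothetical names, the server is a constructed in-memory stand-in for the PHP side, and the hidden input is modelled as a plain object so the code runs under Node.

```javascript
const crypto = require('crypto');

// Constructed stand-in for the server side: a random name/hash pair that is
// regenerated after every accepted POST, as the first post describes.
const fresh = () => ({
  name: crypto.randomBytes(4).toString('hex'),
  hash: crypto.randomBytes(16).toString('hex'),
});

function makeServer() {
  let current = fresh();
  return {
    renderForm: () => ({ ...current }), // the pair the hidden input is built from
    handlePost(body) {
      const sent = Buffer.from(String(body[current.name] || ''));
      const want = Buffer.from(current.hash);
      const ok = sent.length === want.length && crypto.timingSafeEqual(sent, want);
      if (!ok) return { status: 403 }; // stale or missing token
      current = fresh(); // the old pair is now invalid
      return { status: 200, csrf: { ...current } }; // new pair rides in the response
    },
  };
}

// `field` models the hidden input as { name, value } (no DOM needed under Node).
function submit(server, field, settings, refreshToken) {
  const res = server.handlePost({ ...settings, [field.name]: field.value });
  if (res.status === 200 && refreshToken) {
    // AJAX success step: overwrite the hidden input with the new name and hash.
    field.name = res.csrf.name;
    field.value = res.csrf.hash;
  }
  return res.status;
}

// Save twice from the same page load, with or without the refresh step.
function demo(refreshToken) {
  const server = makeServer();
  const form = server.renderForm();
  const field = { name: form.name, value: form.hash };
  return [
    submit(server, field, { email: 'a@example.test' }, refreshToken),
    submit(server, field, { email: 'b@example.test' }, refreshToken),
  ];
}

console.log('no refresh:', demo(false), 'with refresh:', demo(true));
```

The new pair is only sent in the response to a request that already carried a valid token, and a page on another origin cannot read that response unless CORS has been configured to allow it.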
