
Full Version: [SOLVED] CSRF issue in only one controller
Good morning,

I usually call my Ajax controllers with jQuery's ajax(), and I know that I have to send the CSRF token along with the request:
data: {'<?php echo $this->security->get_csrf_token_name(); ?>': '<?php echo $this->security->get_csrf_hash(); ?>'},

It works perfectly for all my other controllers except one, which only works when I disable CSRF protection; as soon as I enable it, the result is CodeIgniter's 403 response.

This controller is an Elasticsearch proxy. As a workaround I disabled CSRF protection for this controller and check the CSRF cookie myself, but it is a little frustrating not to understand why I can't use it like the other Ajax controllers. (Note: checking only the cookie gives no CSRF protection — the browser attaches the cookie to a cross-site request too; the protection comes from comparing a token carried in the request body or a header against the cookie.)
This is the controller that returns 403 when CSRF protection is enabled:
PHP Code:
<?php
// CodeIgniter guard: refuse to run when this file is requested directly instead of
// through the framework front controller (BASEPATH is only defined there).
if ( ! defined('BASEPATH')) {
    exit('No direct script access allowed');
}

 * Proxy class that receives the Ajax requests and forwards them to Elasticsearch in a secured way.
class EsProxy extends CI_Controller implements JsonSerializable {

   // Elasticsearch connection settings, copied from the CI config items in the constructor.
   private $esHost;
   private $esPort1;   // two ports are configured; both are handed to the Elastica client
   private $esPort2;
   private $esIndex;
   private $esType;

   public function __construct() {
->esHost $this->config->item('esHost');
       $this->esPort1 $this->config->item('esPort1');
       $this->esPort2 $this->config->item('esPort2');
       $this->esIndex $this->config->item('esIndex');
       $this->esType $this->config->item('esTypeStages');

   public function jsonSerialize() {
       return (object) get_object_vars($this);

     * @param string $request  search text passed in by the caller
   public function index(string $request) {
       // Guard against empty requests.
       // NOTE(review): with the `string` type hint on $request this condition can never be
       // true (null and non-strings are rejected by PHP before the body runs), so an empty
       // string "" passes straight through. Check $request === '' and the allowed character
       // set instead (see the TODO below).
       // @todo filter out non-alphanumeric characters
       if($request===null || !is_string($request)){
           throw new Exception("Error : request is not a valid string request !");
       // NOTE(review): this is not a CSRF check. In CodeIgniter 3, get_csrf_hash() normally
       // returns the value the framework read from this same cookie, so this compares the
       // cookie with itself; a forged cross-site request carries the victim's cookie and
       // passes. The token CI verifies is the one the page POSTs,
       //   $this->input->post($this->security->get_csrf_token_name())
       // compared to the cookie named by $this->config->item('csrf_cookie_name'), using
       // hash_equals() rather than !==.
($this->input->cookie('csrf_cookie_name') !==  $this->security->get_csrf_hash()){
           $this->output->set_status_header(403,"Request not allowed !");
           // NOTE(review): no return/exit follows the 403 header in this listing, so the
           // Elasticsearch query below still runs on a mismatch — confirm a `return;` was
           // not lost in the paste.

       // Restrict the source of the request.
       // NOTE(review): this compares the caller's IP with the Elasticsearch host, which is
       // only meaningful when the clients and the ES server share an address (e.g.
       // 127.0.0.1); it is not an authorization check on the user. Behind a reverse proxy
       // REMOTE_ADDR is the proxy's address — verify the deployment.
       if ($_SERVER['REMOTE_ADDR'] === $this->config->item('esHost')) {

           // Instantiate the Elastica client with both configured ports on the same host.
           $elasticaClient = new \Elastica\Client(array(
               'servers' => array(
                   array('host' => $this->esHost'port' => $this->esPort1),
                   array('host' => $this->esHost'port' => $this->esPort2)
           // Elastica parameters: index and type from the config.
           // NOTE(review): the JSON body below embeds $request into a query_string query
           // (the concatenation itself is not visible in this paste). Unescaped, the caller
           // can inject JSON and Lucene query syntax (wildcards, field:value, ranges).
           // Build the body as a PHP array and json_encode() it, and escape query_string's
           // reserved characters or use simple_query_string instead.
           $index $elasticaClient->getIndex($this->esIndex);
           $type $index->getType($this->esType);
                "from": 0, "size": 20,
                "query": {
                    "query_string": {
                        "fields": ["contenu^2", "objectifs", "intitule_stage^3", "mmp", "mots_cles^5"],
                        "query": "'
                "highlight": {
                    "order": "score",
                    "fields": {
                        "intitule_stage": {"fragment_size": 560, "number_of_fragments": 3, "pre_tags": ["<em class=\"highlight\">"], "post_tags": ["</em>"]},
                        "objectifs": {"fragment_size": 100, "pre_tags": ["<em class=\"highlight\">"], "post_tags": ["</em>"]},
                        "mmp": {"fragment_size": 60, "pre_tags": ["<em class=\"highlight\">"], "post_tags": ["</em>"]},
                        "mots_cles": {"fragment_size": 60, "pre_tags": ["<em class=\"highlight\">"], "post_tags": ["</em>"]},
                        "contenu": {"fragment_size": 100, "pre_tags": ["<em class=\"highlight\">"], "post_tags": ["</em>"]}
$index->getName() . '/' $type->getName() . '/_search';
           // NOTE(review): the request that produces $response (presumably issued with the
           // _search path built above) is missing from this paste.
           $responseArray $response->getData();
// JSON HTTP headers (the output statement is not visible in this paste).
} else {
           // NOTE(review): an uncaught exception ends up in CI's error handler; make sure
           // the production error page does not echo this message back to the client.
           throw new Exception("request source unauthorized ".$_SERVER['REMOTE_ADDR']);
function test(){

Do you have an explanation for this curious issue?

Thanks for your help!
OK, I've found the solution: it was the `contentType: "application/json; charset=utf-8"` option on the Ajax call, which leaves `$_POST` empty. PHP only populates `$_POST` for form-encoded or multipart bodies, and CodeIgniter's CSRF check looks for the token in `$_POST`, so with a JSON body the token is never seen and CI answers 403. Remove that option (jQuery's default form-encoded content type) and it works like a charm!
I hope it will help.