CodeIgniter Forums

Full Version: [SOLVED] csrf protection issue
Hello,

I'm using CodeIgniter 3.1.8 and my site is on https.

I looked at many solutions for this issue, but the solutions I found don't work.

I try to do an ajax post but csrf protection blocks me (403 error).

I have the hidden input with csrf name and hash value. I update the hash value on every request.

I send the good value by ajax json (hash value sent == cookie hash value).

I have the config csrf protection and regenerate set to TRUE.

When I set csrf protection to FALSE, my ajax request works.

Can you help me? I spent so many hours trying to solve this issue...

Thanks and sorry for my bad English
Like I said, I already applied this solution but I keep having the same problem: error 403.
Did you bring up your developer tools F12 in your web browser to see what's happening?

It should tell you what's causing the error.
Yes, I verified I sent the good data and get the 403 error. Hmm, I think I will deactivate csrf and simulate the csrf token with a hook
(05-01-2018, 11:22 AM) yiujia wrote: Yes, I verified I sent the good data and get the 403 error. Hmm, I think I will deactivate csrf and simulate the csrf token with a hook

Poor choice.

The solution is not that complicated. Read the link (and links in) the one @insitefFX posted. All the wisdom you need is there.
OK, after adding some log messages to the security class, I found the problem.

When I tried to send data in the form of JSON.stringify, $_POST was empty.
So I build the data like this: "field_name=" + field_name_value + "&field_name2=" + field_name2_value and so on.

Thanks for your help.
If you are using jQuery then the function .serializeArray() is very useful for gathering field values.
If you prefer using pure JavaScript then FormData is your friend.

Either way, you collect all the input values with very few lines of code.
I try to use pure JavaScript only.
Hmm, I already saw FormData but there are limitations for browser compatibility.

I've just begun to replace jQuery with pure JavaScript.

Thanks
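
The fix the thread arrives at, as an added example (not code from any poster or from CodeIgniter): send the CSRF token and the fields as a URL-encoded form body, with each value encoded, and re-read the hash before every request. It assumes CodeIgniter 3's default csrf_token_name and csrf_cookie_name and a CSRF cookie that script can read; the function names and sample values are hypothetical.

```javascript
// Added example. Assumes CodeIgniter 3 default names and a CSRF cookie
// that script can read (cookie_httponly = FALSE).
var CSRF_TOKEN_NAME = 'csrf_test_name';    // csrf_token_name
var CSRF_COOKIE_NAME = 'csrf_cookie_name'; // csrf_cookie_name

// Return one cookie's value from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  var parts = cookieString ? cookieString.split(';') : [];
  for (var i = 0; i < parts.length; i++) {
    var pair = parts[i].replace(/^\s+/, '');
    var eq = pair.indexOf('=');
    if (eq > 0 && pair.substring(0, eq) === name) {
      return decodeURIComponent(pair.substring(eq + 1));
    }
  }
  return null;
}

// Build an application/x-www-form-urlencoded body. PHP fills $_POST only for
// this type and multipart/form-data, so a JSON body leaves $_POST empty.
function buildCsrfBody(fields, cookieString) {
  var hash = readCookie(cookieString, CSRF_COOKIE_NAME);
  if (hash === null) {
    throw new Error('CSRF cookie not found; load a page that sets it first');
  }
  var pairs = [encodeURIComponent(CSRF_TOKEN_NAME) + '=' + encodeURIComponent(hash)];
  for (var key in fields) {
    if (Object.prototype.hasOwnProperty.call(fields, key)) {
      // Encode names and values so '&', '=' or '+' in a value cannot split
      // or alter fields, which plain string concatenation allows.
      pairs.push(encodeURIComponent(key) + '=' + encodeURIComponent(fields[key]));
    }
  }
  return pairs.join('&');
}

// Browser-side send. The cookie is re-read on every call because the
// regenerate setting issues a new hash after each accepted POST.
function postWithCsrf(url, fields, onDone) {
  var xhr = new XMLHttpRequest();
  xhr.open('POST', url, true);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.onload = function () { onDone(xhr.status, xhr.responseText); };
  xhr.send(buildCsrfBody(fields, document.cookie));
}

// Constructed sample values, not taken from a real site.
var SAMPLE_COOKIES = 'ci_session=abc123; csrf_cookie_name=0f3a9c1e5b7d2468ace013579bdf2468';
var SAMPLE_BODY = buildCsrfBody({ field_name: 'a&b=c' }, SAMPLE_COOKIES);
```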