ajax Forbidden error - mstdmstd - 01-08-2016
Hello,
In my codeigniter 3.0.3
I have page for uploading(using jquery.fileupload library)/show listing/deleting of images
In control I send security object
PHP Code: $data['security'] = $this->security;
and in view in ajax post requests I send parameters from this security object. It works in 1 case and retiurns 403(Forbidden) error in 2 cases:
Deleting Image :
Code: var post_data = {
'dp_csrf_tk' : 'a574872384f065fcabf9747d20f9cff3'
};
alert( "post_data::"+var_dump(post_data) ) // This alert shows "post_data::obj.dp_csrf_tk = 6378d5922c14b0ffb43bd1aae135e3e8"
jQuery.ajax({ // returns 403 (Forbidden)
url: "http://local-displo-wp.com/backend/en/categories/delete_category_image?category_id=" + encodeURIComponent(category_id) + '&image_name='+encodeURIComponent(image_name),
type: 'POST',
data: post_data,
dataType: 'json',
success: function(result) {
....
}
});
Uploading of image :
Code: var post_data = {
'<?php echo $security->get_csrf_token_name(); ?>' : '<?php echo $security->get_csrf_hash(); ?>'
};
alert( "post_data::"+var_dump(post_data) ) // This alert shows "post_data::obj.dp_csrf_tk = 6378d5922c14b0ffb43bd1aae135e3e8"
$('.category_image_fileupload').fileupload( { // returns 403 (Forbidden)
url: "<?php echo site_url('categories/upload_category_image?category_id') ?>=" + category_id+"&category_name="+encodeURIComponent(category_name),
data: post_data,
dataType: 'json',
done: function (e, data) {
...
},
progressall: function (e, data) {
var progress = parseInt(data.loaded / data.total * 100, 10);
$('#progress .progress-bar').css(
'width',
progress + '%'
);
}
}).prop('disabled', !$.support.fileInput)
.parent().addClass($.support.fileInput ? undefined : 'disabled');
Loading Of images :
Code: var post_data = {
'dp_csrf_tk' : 'c4ac902758cdb8c657c32e11c631ccfc' // // This alert shows "post_data::obj.dp_csrf_tk = 856114439a276539dfc0a9617c0eb8ce"
};
alert( "post_data::"+var_dump(post_data) )
jQuery.ajax({ // all data returns ok
url: "http://local-displo-wp.com/backend/en/categories/load_category_images?category_id="+category_id+"&category_name="+encodeURIComponent(category_name),
type: 'POST',
data: post_data,
dataType: 'json',
success: function(result) {
//alert( "result::"+var_dump(result) )
if (result.result == 'success') {
$('#div-category-images').html(result.ret_html)
}
}
});
In all 3 requests ajax request as "POST" with "json" dataType return parameter wuth the same csrf array as parameters.
in url methods of the same control http://local-displo-wp.com/backend/en/categories
I do not see why only third requests works ok but 2 first returns error?
RE: ajax Forbidden error - mr_pablo - 01-08-2016
Instead of defining
PHP Code: $data['security'] = $this->security;
Have you tried passing the CRSF token data like it outlines here, http://www.codeigniter.com/user_guide/libraries/security.html#cross-site-request-forgery-csrf ?
RE: ajax Forbidden error - mstdmstd - 01-09-2016
yes, in my backend/application/config/config.php :
Code: $config['global_xss_filtering'] = FALSE;
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'dp_csrf_tk';
$config['csrf_cookie_name'] = 'dp_csrf_ck';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();
I remade control with setting name/hash :
$data['csrf'] = array(
'name' => $this->security->get_csrf_token_name(),
'hash' => $this->security->get_csrf_hash()
);
$this->load->view( 'categories/edit', $data );
but seems that was not issue of problem.
In my form there is line like:
Code: <input type="hidden" name="dp_csrf_tk" value="b0e299db72dba3d32fa60565ebe05662" />
This page is category editor with 2 fields name, description and listing of images. Without hidden input above
tring to submit this form I got error:
The action you have requested is not allowed.
But this csrf protection for the form with post method. I upload /show / delete images with methods I mentioned above.
So in source I see 2 similar methods, one of working ok, the second raise error 403 (Forbidden) :
VALID REQUEST:
Code: var post_data = {
'dp_csrf_tk' : 'aeebc203bca894d36aad8d41e04f43de'
};
alert( "loadCategoryImages LISTING post_data::"+var_dump(post_data) )
jQuery.ajax({
url: "http://local-displo-wp.com/backend/en/categories/load_category_images?category_id="+category_id+"&category_name="+encodeURIComponent(category_name),
type: 'POST',
data: post_data,
dataType: 'json',
success: function(result) {
...
}
});
INVALID REQUEST with error 403 (Forbidden) :
Code: var post_data = {
'dp_csrf_tk' : 'aeebc203bca894d36aad8d41e04f43de'
};
alert( "deleteCategoryImage post_data::"+var_dump(post_data) )
jQuery.ajax({
url: "http://local-displo-wp.com/backend/en/categories/delete_category_image?category_id=" + encodeURIComponent(category_id) + '&image_name='+encodeURIComponent(image_name),
type: 'POST',
data: post_data,
dataType: 'json',
success: function(result) {
...
}
});
I do not see the difference...
and putting in config the url from the second wrong request :
PHP Code: $config['csrf_exclude_uris'] = array('categories/delete_category_image');
I have the same error 403 (Forbidden)
|