+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
+--- Thread: Ajax request and regenerate csrf (/showthread.php?tid=68539)
Ajax request and regenerate csrf - pippuccio76 - 07-23-2017
hi , sorry for english , i must get some value from a db to populate a select .
this is my js code :
Code:
<script>
$(document).ready(function() {
$("#regione_id").change(function(){
$("#comune_id").html('<option value="" selected="selected">-- seleziona --</option>');
var regione_id = $("#regione_id").val();
var csrfName = '<?php echo $this->security->get_csrf_token_name(); ?>';
var csrfHash = '<?php echo $this->security->get_csrf_hash(); ?>';
console.log(regione_id);
$.ajax({
type: "POST",
url: "<?php echo site_url(); ?>/user/get_province",
data: {
csrfName:csrfHash,
regione:regione_id
},
dataType: "html",
success: function(msg)
{
$("#province_id").html(msg);
},
error: function()
{
alert("Chiamata fallita, si prega di riprovare...");
}
});
});this is the controller :
Code:
function get_province(){
$data = array('data'=> 'data to send back to browser');
$csrf = $this->security->get_csrf_hash();
$this->output
->set_content_type('application/json')
->set_output(json_encode(array('data' => $data, 'csrf' => $csrf)));
return $this->user_model->get_province();
}If i have only one call it work otherwise i have error 403 .
I can solve it by set $config['csrf_regenerate'] to FALSE but is it secure ?
RE: Ajax request and regenerate csrf - spjonez - 07-24-2017
If you don't need to support concurrent requests pass the new CSRF token back from CI and into your success callback and set it to a variable in JavaScript. Pass the value of your JS variable on each request.
If you do require concurrent requests set regenerate to false. Another option is to use a queue to ensure only a single request fires at any given time.
RE: Ajax request and regenerate csrf - pippuccio76 - 07-24-2017
(07-24-2017, 10:19 AM)spjonez Wrote: If you don't need to support concurrent requests pass the new CSRF token back from CI and into your success callback and set it to a variable in JavaScript. Pass the value of your JS variable on each request.
If you do require concurrent requests set regenerate to false. Another option is to use a queue to ensure only a single request fires at any given time.
This is a registration form , i must populate 3 select , the first populate the second and the second the tird . can i set regenerate to false ? But if i set false is false for every part of site?
Is it secure?