How to use POST while keeping CSRF as true
CodeIgniter Forums (https://forum.codeigniter.com), General Help, thread /showthread.php?tid=69633

How to use POST while keeping CSRF as true - kratisalgia - 12-28-2017

Hi,

I am using CodeIgniter 3.1.1, and I want to submit the form using AJAX with CSRF protection enabled. So, I have set $config['csrf_protection'] = TRUE in config.php. But the POST request does not work and gives the error 'Forbidden' as I set the CSRF variable as TRUE.

Can anybody help with how I can use a POST request while keeping $config['csrf_protection'] as TRUE?

Below is the PHP code for reference:

Code:
<?php

Below is the AJAX code for reference:

Code:
$(document).ready(function(){

Thanks,
-Krati

RE: How to use POST while keeping CSRF as true - PaulD - 12-28-2017

This has been asked and answered many times.

When you do an ajax post you need to read in the csrf hash and token from the form hidden field values and submit that with the ajax post. When you return your results, you also need to return the new token value. Then update your form with the new value (as it has now changed). Then every ajax call and your form will have or read the same, current, token value.

There are lots of code samples on the forum.

Hope that helps,

Paul.

PS Do not be tempted to turn off the CSRF for your ajax calls. Once you have this working it becomes a trivial (albeit tedious) matter to do for all your ajax posts. If possible, use a get and then the CSRF is not regenerated.

RE: How to use POST while keeping CSRF as true - dave friend - 12-28-2017

This need not be tedious. Since you are using form_open() much is greatly simplified, mostly because doing so adds the hidden field with the CSRF token and hash to the form. This field can easily be included in the data posted by $.ajax.

The easiest way to proceed is to change your JavaScript so that instead of getting the values of the form inputs individually you use the jQuery method .serializeArray().

Here would be my preferred way to go about this.

Code:
$(document).ready(function () {

I try to avoid executing PHP code in the JavaScript.
Trying to do so almost always turns into a "gotcha" in my experience. That's why I combine these two lines to create the URL for the ajax call:

Code:
var baseURL = window.location.protocol + "//" + window.location.hostname;

RE: How to use POST while keeping CSRF as true - kratisalgia - 12-29-2017

Hi Dave,

Thanks for your help. :)

I have made the changes as per your comment. But the thing is, my value does not pass in the 'success' function and still gives 'forbidden' as error.

Thanks,
-Krati

RE: How to use POST while keeping CSRF as true - dave friend - 12-29-2017

Some troubleshooting tips:
If you are using $config['csrf_regenerate'] = TRUE; then you will have to change what you return and how it is used in the success function. Let us know if you need help with that.

RE: How to use POST while keeping CSRF as true - kratisalgia - 01-01-2018

Thanks for your help.

For point number 2, this is what I can see in the developer tool:

General
  Request URL:http://localhost/Projects/New_folder/dashboards/user/country_actvity_search
  Request Method:POST
  Status Code:403 Forbidden
  Remote Address:[::1]:80
  Referrer Policy:no-referrer-when-downgrade

Response Headers
  Connection:Keep-Alive
  Content-Length:1131
  Content-Type:text/html; charset=UTF-8
  Date:Tue, 02 Jan 2018 05:58:20 GMT
  Keep-Alive:timeout=5, max=99
  Server:Apache/2.4.28 (Win32) OpenSSL/1.0.2l PHP/7.1.10
  Set-Cookie:csrf_cookie_name=08af56109abf30e2787847894cfcc24c; expires=Tue, 02-Jan-2018 07:58:20 GMT; Max-Age=7200; path=/; domain=http://localhost/Projects/New_folder/dashboards/
  X-Powered-By:PHP/7.1.10

Request Headers
  Accept:*/*
  Accept-Encoding:gzip, deflate, br
  Accept-Language:en-US,en;q=0.9
  Connection:keep-alive
  Content-Length:86
  Content-Type:application/x-www-form-urlencoded; charset=UTF-8
  Cookie:ci_session=1e4emamhsuvf2ho1pjc5tnavaiup1243
  Host:localhost
  Origin:http://localhost
  Referer:http://localhost/Projects/New_folder/dashboards/user/country_overview
  User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
  X-Requested-With:XMLHttpRequest

Form Data
  csrf_token_name:cdbbad48a99402d377961d7348a1bc4c
  country_name:Sweden
  country_year:2017

Also, I have kept $config['csrf_regenerate'] = FALSE;

Can you help with the issue?
Thanks,
-Krati

RE: How to use POST while keeping CSRF as true - XtreemDeveloper - 01-01-2018

You can get the csrf_token_name and csrf_hash code and pass these parameters in POST:

var csrfName = '<?php echo $this->security->get_csrf_token_name(); ?>',
    csrfHash = '<?php echo $this->security->get_csrf_hash(); ?>';

RE: How to use POST while keeping CSRF as true - InsiteFX - 01-02-2018

You all should be using https:// now with Chrome...

RE: How to use POST while keeping CSRF as true - dave friend - 01-02-2018

The csrf data is clearly being sent to the server as this shows.

(01-01-2018, 11:21 PM)kratisalgia Wrote:
Form Data

But on the headers you show $config['csrf_regenerate'] seems to be set = TRUE. I say this because the value of csrf_cookie_name in "Form Data" is not the same as in the "Response Headers". The values will be the same when $config['csrf_regenerate'] = FALSE;

Maybe some other configuration issue will be spotted if you share the $config settings you are using in Cookie Related Variables and Cross Site Request Forgery variables.

RE: How to use POST while keeping CSRF as true - developer_fisdom - 06-05-2023

(01-02-2018, 06:42 AM)dave friend Wrote:
The csrf data is clearly being sent to the server as this shows.

Is this thread solved? I have the same issue.
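
Added example (not code from any poster in this thread): CodeIgniter 3 rejects a POST unless the posted token equals the value in the CSRF cookie, so a network-panel capture like the one posted above can be checked mechanically. The function names, finding labels and capture field names are hypothetical; the sample values are copied from the headers in the thread.

```javascript
// Added example: diagnose a 403 from a double-submit-cookie CSRF check using
// values copied from the browser's network panel. All names are hypothetical.

// Parse a "Cookie:" request header into a name -> value map.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Return the Domain attribute of a Set-Cookie header, or null if absent.
function setCookieDomain(setCookie) {
  const m = /;\s*domain=([^;]*)/i.exec(setCookie || "");
  return m ? m[1].trim() : null;
}

// A cookie Domain must be a bare host name: no scheme, port or path.
function isValidCookieDomain(domain) {
  return /^\.?[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/i.test(domain);
}

// Returns a list of findings; an empty list means the capture looks consistent.
function diagnoseCsrf403(capture, tokenName, cookieName) {
  const findings = [];
  const cookies = parseCookieHeader(capture.requestCookieHeader);
  const posted = capture.formData[tokenName];
  if (posted === undefined) findings.push("token-field-missing");
  if (!(cookieName in cookies)) findings.push("csrf-cookie-not-sent");
  else if (cookies[cookieName] !== posted) findings.push("token-cookie-mismatch");
  const domain = setCookieDomain(capture.responseSetCookie);
  if (domain !== null && !isValidCookieDomain(domain)) findings.push("invalid-cookie-domain");
  return findings;
}

// Values taken from the request and response headers posted in the thread.
const threadCapture = {
  requestCookieHeader: "ci_session=1e4emamhsuvf2ho1pjc5tnavaiup1243",
  responseSetCookie: "csrf_cookie_name=08af56109abf30e2787847894cfcc24c; expires=Tue, 02-Jan-2018 07:58:20 GMT; Max-Age=7200; path=/; domain=http://localhost/Projects/New_folder/dashboards/",
  formData: { csrf_token_name: "cdbbad48a99402d377961d7348a1bc4c", country_name: "Sweden", country_year: "2017" },
};

console.log(diagnoseCsrf403(threadCapture, "csrf_token_name", "csrf_cookie_name"));
```

In CodeIgniter 3 the Domain attribute of the CSRF cookie comes from $config['cookie_domain'], which takes a host name or an empty string, not a URL.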