CSRF : Codeigniter / VueJs VIA JSON - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com) > Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5) > General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
Thread: CSRF : Codeigniter / VueJs VIA JSON (/showthread.php?tid=74671)
CSRF : Codeigniter / VueJs VIA JSON - bartMommens - 10-22-2019

Hi,

We are currently using VueJS, and we had a "hiccup" with the CSRF protection of CodeIgniter when sending JSON data instead of the default form-data. After some research we found multiple articles that suggested rewriting the csrf_verify function of the CI_Security core class. Example: http://teknosains.com/i/how-to-ajax-csrf-token-in-codeigniter-3-and-angularjs

But I'm not really a big fan of overriding core functions of CI. I think there is a simpler solution (if you are only using the POST method):

PHP Code:
<?php

By just filling the $_POST variable (which is empty) with the decoded JSON from php://input and calling the csrf_verify() function from the parent CodeIgniter CI_Security, you don't have to override the entire function or update the core of CI, and you don't have to worry about missing changes in the csrf_verify() function.

Can someone verify my approach and that it's viable, so that users struggling with this same issue in the future can just find a quick solution in this post, not having to waste several hours like we did? Everything works as expected, but I want to be sure this does not cause security holes and thus give people bad code.

Thanks in advance.

Bart

RE: CSRF : Codeigniter / VueJs VIA JSON - yealoaiza - 11-06-2020

(10-22-2019, 02:20 PM)bartMommens Wrote:

Hello,

RE: CSRF : Codeigniter / VueJs VIA JSON - yealoaiza - 11-06-2020

Hello, extending the class is a very suitable approach; in CodeIgniter version 3.1.6 I added these lines to validate the JSON.

PHP Code:
    // Placed inside csrf_verify() of the extended class, where $valid already
    // holds the result of the parent's $_POST / cookie comparison: the JSON body
    // is only consulted when the regular form-data check did not succeed.
    if ($valid !== TRUE)
    {
        $input_data = json_decode(trim(file_get_contents('php://input')), TRUE);

        if ( ! $input_data OR ! isset($input_data[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]))
        {
            $valid = FALSE;
        }
        elseif (hash_equals($input_data[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]))
        {
            $valid = TRUE;
        }
    }
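The approach bartMommens describes (filling $_POST from the JSON body and then delegating to the parent's csrf_verify()), written out as an added example that is not the code from either post. It assumes CodeIgniter 3 conventions (application/core/MY_Security.php, the protected _csrf_token_name and _csrf_cookie_name properties, parent::csrf_verify()) and narrows Bart's idea to copying only the token rather than the whole decoded body, and only for POST requests that declare application/json.

```php
<?php
// application/core/MY_Security.php (CodeIgniter 3).
// Added example for this thread, not the thread author's code: the file path and
// class name follow CI 3 conventions; the JSON handling is an assumption about how
// the approach described above can be written.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Security extends CI_Security
{
    public function csrf_verify()
    {
        // The parent only compares $_POST[token] with the cookie, and it only runs
        // that comparison for POST requests. For a JSON body $_POST is empty, so copy
        // the token (and nothing else) out of the body before delegating.
        $method = isset($_SERVER['REQUEST_METHOD']) ? strtoupper($_SERVER['REQUEST_METHOD']) : '';

        if ($method === 'POST' && empty($_POST) && $this->is_json_request())
        {
            $body = json_decode(file_get_contents('php://input'), TRUE);

            // Accept only a JSON object carrying a string token. Anything else leaves
            // $_POST empty, so the parent's check fails: the safe default on bad input.
            if (is_array($body)
                && isset($body[$this->_csrf_token_name])
                && is_string($body[$this->_csrf_token_name]))
            {
                $_POST[$this->_csrf_token_name] = $body[$this->_csrf_token_name];
            }
        }

        // The parent performs the hash_equals() comparison against the cookie, removes
        // the token from $_POST, regenerates it and shows the CSRF error on mismatch.
        return parent::csrf_verify();
    }

    // True when the request declares a JSON body; CONTENT_TYPE is set by PHP for POST,
    // HTTP_CONTENT_TYPE is the fallback some SAPIs use.
    protected function is_json_request()
    {
        $type = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE']
            : (isset($_SERVER['HTTP_CONTENT_TYPE']) ? $_SERVER['HTTP_CONTENT_TYPE'] : '');

        return stripos($type, 'application/json') === 0;
    }
}
```

The Vue client still has to read the CSRF cookie and send its value in the JSON body under the configured csrf_token_name; requests that omit it, or that are not POST, are handled exactly as the stock class handles them.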