CodeIgniter Forums
[4.5.5] Strangeness with CSRF, sessions, AJAX

Forum: CodeIgniter 4 Support (https://forum.codeigniter.com/forumdisplay.php?fid=30)
Thread: [4.5.5] Strangeness with CSRF, sessions, AJAX (/showthread.php?tid=91886)

[4.5.5] Strangeness with CSRF, sessions, AJAX - joho - 10-30-2024

I'm using CI 4.5.5 and session based CSRF.

I have token randomization enabled, and token regeneration disabled.

I have set a custom token name, a custom header name, and I've set redirect to false.

For regular POSTs, it works as expected, except that when the CSRF validation fails, I simply get a 'false' return from the call


PHP Code:
if ( ! $this->request->is( 'post' ) ) {
    error_log( 'Not POST' );
    // ...
}


I would have expected something else to happen, like a SecurityException being thrown.

For AJAX POSTs, it does not work as expected, so I guess I'm doing something wrong.

I'm passing the correct headers, but they seem to be stripped by something. I know they're passed with their correct value and correct (header) name, because I output them in other fields just to check, and in my global before filters, I have my class defined before csrf. But, I still get a 403 (after my class outputs all request headers in the PHP log file).

The AJAX call looks like this:


Code:
let response = await fetch( myURL, {
    method: "POST",
    headers: {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest",
        "<?php echo csrf_header(); ?>": "<?php echo csrf_hash(); ?>",
        "ThisIsMyHeader": "ThisIsMyValue and '" + "<?php echo csrf_header(); ?>'",
        "ThisIsMyHeader2": "ThisIsMyValue and '" + "<?php echo csrf_hash(); ?>'"
    },
    mode: "same-origin",
    cache: "no-cache",
    credentials: "same-origin",
    body: JSON.stringify(filter_array),
} );

The ThisIsMyHeader and ThisIsMyHeader2 values contain what I would expect according to my configuration.


Also, the hash is regenerated every time I re-load the page, even though I have disabled csrf token regeneration.
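As an added example (not code from the thread, nor from CodeIgniter itself), the fetch wrapper below shows one defensive way to structure the AJAX call above: the CSRF header name and hash are read from a meta tag rather than interpolated into the script, the CSRF header is merged in last so a caller cannot clobber it, the request is pinned to same-origin credentials so the session cookie that session-based CSRF depends on is actually sent, and a 403 is surfaced as an explicit error instead of a silent failure. It assumes the page was rendered with CI4's csrf_meta() helper, which emits a <meta name="(csrf header name)" content="(csrf hash)"> tag; the header name X-CSRF-TOKEN, the URL /api/filter and the hash value are placeholders, and the meta-tag list is a constructed sample standing in for document.querySelectorAll("meta").

```javascript
// Placeholder for the $headerName configured in app/Config/Security.php.
const CSRF_HEADER_NAME = "X-CSRF-TOKEN";

// Pull the CSRF header name/value pair out of <meta> tags. Takes plain
// {name, content} objects so it can run without a DOM; in the browser call it
// with Array.from(document.querySelectorAll("meta")).
function csrfHeaderFromMeta(metaTags, headerName = CSRF_HEADER_NAME) {
  const tag = metaTags.find((m) => m.name === headerName);
  if (!tag || !tag.content) {
    throw new Error(`CSRF meta tag "${headerName}" not found in page`);
  }
  return { [headerName]: tag.content };
}

// Build the fetch() init for a JSON POST. credentials/mode are same-origin so
// the session cookie travels with the request and nothing cross-site can reuse
// this helper; the CSRF header is spread last so extraHeaders cannot override it.
function buildJsonPost(payload, csrfHeader, extraHeaders = {}) {
  return {
    method: "POST",
    mode: "same-origin",
    credentials: "same-origin",
    cache: "no-cache",
    headers: {
      Accept: "application/json",
      "Content-Type": "application/json",
      "X-Requested-With": "XMLHttpRequest",
      ...extraHeaders,
      ...csrfHeader,
    },
    body: JSON.stringify(payload),
  };
}

// POST the payload and turn a 403 into an explicit CSRF error rather than a
// silent failure. fetchImpl is injected so the function can be tested with a stub.
async function postJson(url, payload, metaTags, fetchImpl = globalThis.fetch) {
  const init = buildJsonPost(payload, csrfHeaderFromMeta(metaTags));
  const response = await fetchImpl(url, init);
  if (response.status === 403) {
    throw new Error(`CSRF check rejected POST to ${url}`);
  }
  if (!response.ok) {
    throw new Error(`POST to ${url} failed with HTTP ${response.status}`);
  }
  return response.json();
}

// Constructed sample of what csrf_meta() would have rendered into <head>.
const SAMPLE_META = [
  { name: "viewport", content: "width=device-width" },
  { name: CSRF_HEADER_NAME, content: "constructed-hash-0123456789abcdef" },
];

// Usage (placeholder URL): postJson("/api/filter", { q: 1 }, SAMPLE_META)
//   .then(console.log, console.error);
```

Keeping the hash in a meta tag also means the value is read at call time, so if the token is ever regenerated and the page re-rendered, the next request picks up the current value without touching the script.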


RE: [4.5.5] Strangeness with CSRF, sessions, AJAX - joho - 10-30-2024

Follow-up:

As an interesting side note, even if I mask the added header (my configured CSRF), CI still seems to hit on it, process it, and remove it. Like this:

Code:
X-abcThisIsMyCSRFHeaderxyz

It's nowhere to be seen when I dump all headers. And this is before CSRF processing in CI takes place, or at least that's what it looks like. I've checked the outgoing request headers, and it's there.


RE: [4.5.5] Strangeness with CSRF, sessions, AJAX - joho - 12-03-2024

No takers?