[4.5.5] Strangeness with CSRF, sessions, AJAX
#1

I'm using CI 4.5.5 and session based CSRF.

I have token randomization enabled, and token regeneration disabled.

I have set a custom token name, a custom header name, and I've set redirect to false.

For regular POSTs, it works as expected, except that when the CSRF validation fails, I simply get a 'false' return from the call.


PHP Code:
if ( ! $this->request->is( 'post' ) ) {
  error_log( 'Not POST' );
  ..
  ..
}


I would have expected something else to happen, like a SecurityException being thrown.

For AJAX POSTs, it does not work as expected, so I guess I'm doing something wrong.

I'm passing the correct headers, but they seem to be stripped by something. I know they're passed with their correct value and correct (header) name, because I output them in other fields just to check, and in my global before filters, I have my class defined before csrf. But, I still get a 403 (after my class outputs all request headers in the PHP log file).

The AJAX call looks like this:


Code:
let response = await fetch( myURL, {
    method: "POST",
    headers: {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest",
        "<?php echo csrf_header(); ?>": "<?php echo csrf_hash(); ?>",
        "ThisIsMyHeader": "ThisIsMyValue and '" + "<?php echo csrf_header(); ?>'",
        "ThisIsMyHeader2": "ThisIsMyValue and '" + "<?php echo csrf_hash(); ?>'"
    },
    mode: "same-origin",
    cache: "no-cache",
    credentials: "same-origin",
    body: JSON.stringify(filter_array),
  }
);

           
The ThisIsMyHeader and ThisIsMyHeader2 values contain what I would expect according to my configuration.


Also, the hash is regenerated every time I reload the page, even though I have disabled csrf token regeneration.

-joho
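The AJAX pattern from the post above, as an added example that is not part of the original thread: the configured CSRF header name and token are read from meta tags instead of being inlined into the script, the session cookie is sent along, and a CSRF rejection (HTTP 403, since redirect is false) is surfaced explicitly rather than silently. The meta tag names, the `cfg` object shape and all function names are assumptions for this example; the `$_SERVER` key form is how PHP exposes request headers and is useful when logging headers from a before-filter.

```javascript
// Added example, not code from the original post. Assumes the page emits
// <meta name="csrf-header" content="<?= csrf_header() ?>"> and
// <meta name="csrf-token" content="<?= csrf_hash() ?>"> (assumed markup).

// Build the request headers for a JSON POST. `cfg` is { headerName, token }.
function csrfHeaders(cfg) {
  if (!cfg.headerName || !cfg.token) {
    throw new Error("CSRF header name and token must both be present");
  }
  return {
    "Accept": "application/json",
    "Content-Type": "application/json",
    "X-Requested-With": "XMLHttpRequest",
    [cfg.headerName]: cfg.token,
  };
}

// The key PHP exposes for a request header in $_SERVER: upper-cased,
// dashes replaced by underscores, prefixed with HTTP_. Handy when a
// before-filter logs $_SERVER to confirm the CSRF header really arrived.
function phpServerKey(headerName) {
  return "HTTP_" + headerName.toUpperCase().replace(/-/g, "_");
}

// Read the configured names from the meta tags (browser only).
function csrfConfigFromMeta(doc) {
  const get = (n) => doc.querySelector(`meta[name="${n}"]`)?.content ?? "";
  return { headerName: get("csrf-header"), token: get("csrf-token") };
}

// With Config\Security::$redirect = false a failed CSRF check comes back as
// HTTP 403, which fetch() does not turn into an exception, so classify it.
function classifyResponse(status) {
  if (status === 403) return "csrf-rejected";
  if (status >= 200 && status < 300) return "ok";
  return "other";
}

async function postJson(url, payload, cfg) {
  const res = await fetch(url, {
    method: "POST",
    headers: csrfHeaders(cfg),
    mode: "same-origin",
    credentials: "same-origin", // the session cookie must travel with the request
    cache: "no-cache",
    body: JSON.stringify(payload),
  });
  return { kind: classifyResponse(res.status), status: res.status };
}
```

In the browser, `postJson(myURL, filter_array, csrfConfigFromMeta(document))` replaces the inline fetch call, and a `kind` of `"csrf-rejected"` tells the caller the token was missing or invalid.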
#2

Follow-up:

As an interesting side note, even if I mask the added header (my configured CSRF), CI still seems to hit on it, process it, and remove it. Like this:

Code:
X-abcThisIsMyCSRFHeaderxyz

It's nowhere to be seen when I dump all headers. And this is before CSRF processing in CI takes place, or at least that's what it looks like. I've checked the outgoing request headers, and it's there.

-joho
#3

No takers?

-joho