I'm using CI 4.5.5 and session-based CSRF. I have token randomization enabled, and token regeneration disabled. I have set a custom token name, a custom header name, and I've set redirect to false.
For regular POSTs, it works as expected, except that when the CSRF validation fails, I simply get a 'false' return from the call
PHP Code:
if ( ! $this->request->is( 'post' ) ) {
error_log( 'Not POST' );
..
..
}
I would have expected something else to happen, like a SecurityException being thrown.
For AJAX POSTs, it does not work as expected, so I guess I'm doing something wrong.
I'm passing the correct headers, but they seem to be stripped by something. I know they're passed with their correct value and correct (header) name, because I output them in other fields just to check, and in my global before filters, I have my class defined before csrf. But I still get a 403 (after my class outputs all request headers in the PHP log file).
The AJAX call looks like this:
Code:
let response = await fetch( myURL, {
    method: "POST",
    headers: {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest",
        "<?php echo csrf_header(); ?>": "<?php echo csrf_hash(); ?>",
        "ThisIsMyHeader": "ThisIsMyValue and '" + "<?php echo csrf_header(); ?>'",
        "ThisIsMyHeader2": "ThisIsMyValue and '" + "<?php echo csrf_hash(); ?>'"
    },
    mode: "same-origin",
    cache: "no-cache",
    credentials: "same-origin",
    body: JSON.stringify(filter_array),
} );
The ThisIsMyHeader and ThisIsMyHeader2 values contain what I would expect according to my configuration.
Also, the hash is regenerated every time I re-load the page, even though I have disabled csrf token regeneration.
-joho