CSRF : Codeigniter / VueJs VIA JSON

Hi,

We are currently using Vue.js, and we had a "hiccup" with the CSRF protection from CodeIgniter when sending JSON data instead of the default form-data. After some research, we found multiple articles that suggested rewriting the csrf_verify function of the CI_Security core class:

Example:
http://teknosains.com/i/how-to-ajax-csrf...-angularjs

But I'm not really a big fan of overriding core functions of CI.

I think there is a simpler solution (if you are only using the POST method):

PHP Code:
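<?php

class MY_Security extends CI_Security
{
    public function csrf_verify()
    {
        /* $_POST is empty for JSON requests, so fill it with the decoded JSON body from php://input */
        $json = json_decode(file_get_contents('php://input'), true);

        /* Only overwrite $_POST when the body really decoded to an array (json_decode returns null otherwise) */
        if (is_array($json)) {
            $_POST = $json;
        }

        /* Call the parent csrf_verify function (now $_POST is not empty) and keep its return value */
        return parent::csrf_verify();
    }
}
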
By just filling the $_POST variable (which is empty) with the decoded JSON from php://input and calling the csrf_verify() function of the parent CodeIgniter CI_Security class, you don't have to override the entire function or update the core of CI, and you don't have to worry about missing changes in the csrf_verify() function.

Can someone verify my approach and that it's viable, so that users in the future struggling with this same issue can just find a quick solution in this post ... not having to waste several hours like we did.

Everything works as expected, but I want to be sure this does not cause security holes and thus give people bad code.

Thanks in advance.
Bart
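
A narrower variant of the approach in the post above, added here as an example (it is not part of the original post and not CodeIgniter's own code): instead of replacing all of $_POST with the request body, it copies only the CSRF token, and only when the request declares a JSON content type. It assumes CodeIgniter 3, where csrf_verify() compares $_POST[token name] with the CSRF cookie; the helper name json_csrf_token and the sample requests are made up for illustration.

```php
<?php
// Added example: json_csrf_token() is a hypothetical helper, not a CodeIgniter API.
// Returns the CSRF token from a JSON body, or null; the rest of the body is ignored.
function json_csrf_token(string $contentType, string $rawBody, string $tokenName): ?string
{
    // Only parse the body as JSON when the request declares it as JSON.
    if (stripos($contentType, 'application/json') !== 0) {
        return null;
    }
    $data = json_decode($rawBody, true);
    if (!is_array($data) || !isset($data[$tokenName]) || !is_string($data[$tokenName])) {
        return null;
    }
    return $data[$tokenName];
}

// Under CodeIgniter 3 this class would live in application/core/MY_Security.php.
if (class_exists('CI_Security')) {
    class MY_Security extends CI_Security
    {
        public function csrf_verify()
        {
            $name = $this->get_csrf_token_name();
            if (empty($_POST)) {
                $raw = (string) file_get_contents('php://input');
                $token = json_csrf_token($_SERVER['CONTENT_TYPE'] ?? '', $raw, $name);
                if ($token !== null) {
                    $_POST[$name] = $token; // parent compares it with the CSRF cookie
                }
            }
            return parent::csrf_verify();
        }
    }
}

// Constructed sample requests; 'csrf_test_name' and the token value are made up.
$cases = [
    ['application/json; charset=utf-8', '{"csrf_test_name":"abc123","qty":2}', 'abc123'],
    ['application/json', '{"csrf_test_name":["abc123"]}', null], // non-string token
    ['application/json', 'not json', null],                      // undecodable body
    ['text/plain', '{"csrf_test_name":"abc123"}', null],         // wrong content type
];
foreach ($cases as [$type, $body, $expected]) {
    if (json_csrf_token($type, $body, 'csrf_test_name') !== $expected) {
        throw new RuntimeException("unexpected result for body: $body");
    }
}
```

With this variant the rest of the JSON body never enters $_POST, so controllers keep reading it from php://input themselves. Requests whose body is missing the token, or is not valid JSON, reach the parent check with an empty $_POST and are rejected there.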


Messages In This Thread
CSRF : Codeigniter / VueJs VIA JSON - by bartMommens - 10-22-2019, 02:20 PM


