| Questions about csrf protection |
working forward protecting my site, I enabled csrf protection and noted two effects, which I do not understand:
1) I use jquery autocomplete which calls a function which is not in the "except" list for csrf and the ajax call also do not pass any token. Still, the autocomplete works. Is this magic? 2) In trying to understand the effect under 1), I added the two methods PUT and GET to csrf in Filters.php: Code: public array $methods = [I can live with this two effects at the moment, since 1) I do not want to filter autocomplete and 2) I don't need the $methods array, but I'd like to know for the future... Thank you btw for the good work! Everything works perfectly as soon as one understand how to use it.
Run ./spark routes in terminal. Show applied filters for URL
See https://github.com/codeigniter4/CodeIgni...s.php#L398 Order: PHP Code: $this->processFilters($uri);
(08-14-2024, 06:17 AM)ozornick Wrote: Run ./spark routes in terminal. Show applied filters for URL Thank you. So If I understand right, the $methods should not override the $globals i.e. the "except" list. Here the output of spark routes WITH the $methods filled with GET & POST (the csrf seems to be just added by setting the $methods): Code: +-----------+----------------------------+--------------------+--------------------------------------------------------------------+---------------------------------------+---------------+And without: Code: +-----------+----------------------------+--------------------+--------------------------------------------------------------------+----------------------------------+---------------+The mentioned autocomplete functions are in the Catalogue class controller
First, if you set the csrf filter to GET requests, it does not protect the GET requests (does not check the CSRF token).
It just puts a CSRF token in <form> when you use Form helper to create <form> tag. Quote:Warning
I do net set the csrf filter to GET, the first example was only to show what happens if I define the $methods array. My normal setting is the second one, with $methods = []. I do not however understand, why, even in the case where I do not explicitly set $method=['GET'} the csrf filter is applied to GET as shown in the second output...
My ajax calls are always POST.
How did you set the csrf filter?
If you set it in $globals, it will be applied to all URIs.
I did, as indicated in the documentation under "Enable CSRF Protection", set it in $globals. What would be the other method?
Using $globals is good for most environment.
https://codeigniter.com/user_guide/libra...protection |
| Welcome Guest, Not a member yet? Register Sign In |
MENU
EXTRA MENU
ABOUT US
CodeIgniter is a powerful PHP framework with a very small footprint, built for developers who need a simple and elegant toolkit to create full-featured web applications.
