Multiple CSRF token?
Hello CI community, I am pretty new to CI and using CI3 in my site.
I have an ajax-based form that may send more than one POST request to a controller method, but the problem is that once a request is sent, the CSRF token fails from the second request onward. I am generating the CSRF token like this:
PHP Code: $this->security->get_csrf_hash();
Thanks
You could simply disable CSRF for that page in config.php: http://www.codeigniter.com/userguide3/li...rgery-csrf
Also, take a look at CSRF regeneration. Website: http://avenir.ro
Hi rakibtg,
I recently ran into this dilemma and the solution that I went with is as follows:
- When the page loads, echo the first token into a hidden input in the form.
- On each ajax request (first & thereafter) send a new token in the response headers.
- Store that token for use with the next request.
I used $.ajaxSetup() to add the token to each AJAX call and $.ajaxSuccess() to store the new token on each AJAX response. Here are some code samples to give you a better idea:
1. Ajax_Controller.php (receives ajax calls from browser)
PHP Code: header('CI-CSRF-Token: ' . $this->security->get_csrf_hash()); // pass a new token back on each request
2. ajax-helper.js (loaded on every page that uses ajax calls)
Code: // Setup AJAX to use the first token from the hidden input - see footer.php
3. footer.php (Common footer for all pages, so all pages include an initial CSRF)
PHP Code: <input type="hidden" id="csrf" name="<?= $csrf->name; ?>" value="<?= $csrf->hash; ?>" />
Obviously, this is only required if you're using CSRF regeneration, but it sounds like you are. To me, this seems the most secure method and doesn't require you to disable CSRF etc. Let me know if that makes sense!
Dave
If you're using CI3 set csrf_regenerate to false, echo the name/hash into an input and send it along with each request. Regenerating the token brings almost 0 security advantage and any concurrent requests will break if you have it set to true. If a user clicks the back button and tries to resubmit a form it will break as well as the token will be stale.
(03-01-2015, 10:52 AM)spjonez Wrote: If you're using CI3 set csrf_regenerate to false, echo the name/hash into an input and send it along with each request. Regenerating the token brings almost 0 security advantage and any concurrent requests will break if you have it set to true. If a user clicks the back button and tries to resubmit a form it will break as well as the token will be stale.
It's a great idea! Thank you so much for sharing...
(03-01-2015, 10:52 AM)spjonez Wrote: If you're using CI3 set csrf_regenerate to false, echo the name/hash into an input and send it along with each request. Regenerating the token brings almost 0 security advantage and any concurrent requests will break if you have it set to true. If a user clicks the back button and tries to resubmit a form it will break as well as the token will be stale.
Wow, this is awesome for me, but in this way what about security? If I set it to TRUE, how much more secure would it be?
ressan.ir
CI is nice