CSRF only on POST request, reason?
#5

(03-05-2015, 07:22 PM)silentium Wrote: Is there any way to control the error message if the token is invalid or missing? Atm it loads an error view template. I would like to have it return JSON.

You can do this by creating an application/core/MY_Security class which extends CI_Security. The simplest solution would be to override just the csrf_show_error() method, which would probably also be fairly easy to maintain in the long term (currently, in both CI 2 and 3, the method just calls show_error() with the message 'The action you have requested is not allowed.', though CI3 adds the 403 error code).

In theory, a quick read of the csrf_verify method indicates that it attempts to perform cookie-based CSRF verification for requests which are not POST requests.
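The override described in the post above, written out as an added example (not code from the original post or from the CodeIgniter project). It assumes the file lives at application/core/MY_Security.php with the default MY_ subclass prefix, and the JSON field names are an arbitrary choice:

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// application/core/MY_Security.php  (assumed path; default "MY_" subclass prefix)
//
// Added example, not from the original post or the CodeIgniter project.
// CI_Security::csrf_verify() calls csrf_show_error() when the CSRF token is
// missing or does not match. The stock method calls show_error() with the
// message 'The action you have requested is not allowed.' (plus a 403 code
// in CI3), which renders the HTML error view. Overriding it here returns a
// JSON body instead.
class MY_Security extends CI_Security
{
    public function csrf_show_error()
    {
        // csrf_verify() runs from the CI_Input constructor, before any
        // controller exists, so get_instance()->output is not usable here.
        // set_status_header() is a plain function from system/core/Common.php
        // and is available in both CI 2 and CI 3.
        set_status_header(403);

        if ( ! headers_sent())
        {
            header('Content-Type: application/json; charset=utf-8');
        }

        // Field names below are this example's own choice, not a CI convention.
        echo json_encode(array(
            'status'  => 'error',
            'code'    => 403,
            'message' => 'The action you have requested is not allowed.',
        ));

        // show_error() terminates the request; do the same so the controller
        // never runs on a request that failed the CSRF check.
        exit;
    }
}
```

Keep the explicit exit: a custom csrf_show_error() that merely echoes and returns would let csrf_verify() fall through and the request would continue into the controller without a valid token. If you also want the JSON shape to be consistent with the rest of your API, return the same error envelope your controllers use rather than the ad hoc fields shown here.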


Messages In This Thread
CSRF only on POST request, reason? - by silentium - 03-05-2015, 07:22 PM
RE: CSRF only on POST request, reason? - by james - 03-06-2015, 06:51 AM
RE: CSRF only on POST request, reason? - by mwhitney - 03-06-2015, 09:36 AM
RE: CSRF only on POST request, reason? - by Narf - 03-06-2015, 01:14 PM


