Ajax - CSRF
#1

[eluser]Ondrej[/eluser]
Hey there,

I've tried searching through this forum, but I wasn't able to find an answer that would work.

I'm working on a back-office app and I would like to make a simple list of added news entries with a quick preview when you click on the corresponding entry title. Here's the jQuery code:

Code:
//$(selector).hover(callbackIn, callbackOut);
$(".post_title").hover(
    function(){
        $(this).addClass("underlined");
    },
    function(){
        $(this).removeClass("underlined");
    }
);

$(".post_title").click(function()
{
    var newsTitle = $(this).text();
    var ajaxData = {
        title: newsTitle,
        csrf_token_name: $.cookie("csrf_cookie_name")
    };

    // $.post(url, data, callback, datatype)
    $.post(base_url + "admin/ajaxgateway", ajaxData, function(data){
        // Process data, do stuff
    }, "json");
});

I can't get it to work with CSRF protection on, no matter which solution I try. If I switch it off, everything works flawlessly. Any ideas?

Thanks in advance.
#2

[eluser]InsiteFX[/eluser]
by Eric Barnes - CodeIgniter CSRF Protection With Ajax

InsiteFX
#3

[eluser]Ondrej[/eluser]
[quote author="InsiteFX" date="1309923346"]by Eric Barnes - CodeIgniter CSRF Protection With Ajax

InsiteFX[/quote]

I've already tried that, without any success.

On a side-note, when is the CSRF cookie actually set? I think that might be the problem.

Ondrej
#4

[eluser]InsiteFX[/eluser]
I think there is another post here on the forums that shows how to do it using a hidden form field.

Code:
<input type="hidden" name="<?php echo $this->security->csrf_token_name?>" value="<?php echo $this->security->csrf_hash?>" />

InsiteFX
#5

[eluser]Ondrej[/eluser]
[quote author="InsiteFX" date="1309968649"]I think there is another post here on the forums that shows how to do it using a hidden form field.

Code:
<input type="hidden" name="<?php echo $this->security->csrf_token_name?>" value="<?php echo $this->security->csrf_hash?>" />

InsiteFX[/quote]

Thanks, that did the trick; however, I checked the Security library and both properties are protected, but there are accessor methods which do the job.

I did this:

Code:
<input type="hidden" value="<?php echo $this->security->get_csrf_hash() ?>" id="csrf_protection" />

And the array I sent through jQuery:

Code:
var ajaxPostData = {
    "type": "news",
    "title": postTitle,
    "ci_csrf_token": $("#csrf_protection").val()                
};

Thanks a lot for the help, I'm out.

Ondrej
#6

[eluser]Ondrej[/eluser]
One more thing, I didn't want to make a new thread:

How do I "reverse" the url_title() method? That is, once I get a pretty-looking URL, how can I extract the original title from the URL?

For example:

http://randomwebsite/blog/Boring-blog-entry -> Boring blog entry
#7

[eluser]InsiteFX[/eluser]
I would save the original in a variable or in the session. Then call it back when needed.

InsiteFX
#8

[eluser]SPeed_FANat1c[/eluser]
It sucks a little to repeat the same line in javascript when we want to post data. Isn't there some automatic way - when we use ajax post method - to automatically include ci_csrf_token into data?

One solution that comes to my head would be to write a function, something like this:

pseudocode:
Code:
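function my_post(url, success_callback, post_data)
{
   // ci_csrf_token is expected to be defined elsewhere on the page
   var post_data_with_protection = {ci_csrf_token: ci_csrf_token};
   // copy the caller's fields into the protected data object
   for (var key in post_data) {
      if (Object.prototype.hasOwnProperty.call(post_data, key)) {
         post_data_with_protection[key] = post_data[key];
      }
   }

   $.post(url, post_data_with_protection, success_callback);
}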

What do you think? Or are there better solutions?
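
One way to get the automatic behaviour asked about in post #8, as an added example that is not part of the thread and not CodeIgniter's own code: a jQuery `$.ajaxPrefilter` hook that adds the token to every same-origin POST. It assumes the field name `ci_csrf_token` from post #5 and the cookie name `csrf_cookie_name` from post #1, and that the cookie is readable from script (not HttpOnly); the helper function names are hypothetical.

```javascript
// Added example. Names taken from the thread; both must match the server config.
var CSRF_FIELD = "ci_csrf_token";      // POST field name used in post #5
var CSRF_COOKIE = "csrf_cookie_name";  // cookie name used in post #1

// Return the value of one cookie from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
    var parts = cookieString ? cookieString.split(/;\s*/) : [];
    for (var i = 0; i < parts.length; i++) {
        var eq = parts[i].indexOf("=");
        if (eq > 0 && parts[i].slice(0, eq) === name) {
            return decodeURIComponent(parts[i].slice(eq + 1));
        }
    }
    return null;
}

// True only when url resolves to the page's own origin, so the token
// is never attached to a request that goes to another site.
function isSameOrigin(url, pageHref) {
    return new URL(url, pageHref).origin === new URL(pageHref).origin;
}

// Copy the caller's fields and add the token without mutating the input.
function withCsrfToken(postData, token) {
    var out = {};
    for (var key in postData) {
        if (Object.prototype.hasOwnProperty.call(postData, key)) out[key] = postData[key];
    }
    out[CSRF_FIELD] = token;
    return out;
}

// Register once; afterwards every same-origin $.post() carries the token.
function installCsrfPrefilter($) {
    $.ajaxPrefilter(function (options, originalOptions) {
        var token = readCookie(document.cookie, CSRF_COOKIE);
        var data = originalOptions.data;
        if (String(options.type).toUpperCase() !== "POST" || token === null) return;
        if (!isSameOrigin(options.url, window.location.href)) return;
        // FormData or an already serialized string: leave the request untouched
        if (options.processData === false || (data && typeof data !== "object")) return;
        options.data = $.param(withCsrfToken(data || {}, token));
    });
}

if (typeof jQuery !== "undefined") installCsrfPrefilter(jQuery);
```

Reading the token from the cookie at send time means a regenerated token is picked up on the next request without reloading the page.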



