After hours of research I came up with the idea to check the security class.
Somehow the JSON post data from axios, or Superagent, or $http.post from my Vue.js file returns an empty ARRAY.
So the checkup for the CSRF token is always false because there is no data!
Therefore, if the $_POST is empty, I check if there is any raw post input data and decode it.
I did this by extending the Security core class, adding MY_Security.php to application/core:
PHP Code:
<?php
class MY_Security extends CI_Security {
    public function csrf_verify() {
Copied the csrf_verify function from the original
PHP Code:
// If the $_POST array is empty, check for $raw_input_stream / php://input
if (!$_POST) {
    $decoded = json_decode(file_get_contents("php://input"), true);
    // json_decode() returns NULL on invalid JSON; keep $_POST an array in that case
    if (is_array($decoded)) {
        $_POST = $decoded;
    }
}
// Check CSRF token validity, but don't error on mismatch just yet - we'll want to regenerate
$valid = isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
    && hash_equals($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]);
Is there a better approach for this problem?
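
A stricter form of the JSON fallback described in the post, as an added example that is not the poster's or CodeIgniter's code: it reads the token without overwriting `$_POST`, parses the body only when the request is declared as `application/json`, and rejects non-string tokens before `hash_equals()`. The helper names `csrf_token_from_request()` and `csrf_token_matches()`, the field name `csrf_test_name` and the sample token value are assumptions.

```php
<?php
// Added example: hypothetical helpers, not part of CI_Security.

/**
 * Return the submitted CSRF token from the form fields, or from a JSON body
 * when the request declares application/json. Null if absent or malformed.
 */
function csrf_token_from_request(array $post, string $contentType, string $rawBody, string $tokenName): ?string
{
    if (isset($post[$tokenName])) {
        $token = $post[$tokenName];
    } elseif (stripos(trim($contentType), 'application/json') === 0) {
        $decoded = json_decode($rawBody, true);
        // Invalid JSON decodes to null; a bare scalar ("abc", 42) is not a field map.
        $token = (is_array($decoded) && isset($decoded[$tokenName])) ? $decoded[$tokenName] : null;
    } else {
        // Body was not declared as JSON, so it is not parsed as JSON.
        $token = null;
    }
    // hash_equals() needs strings; a JSON array, number or bool is rejected here.
    return is_string($token) ? $token : null;
}

/** Constant-time comparison of the submitted token against the cookie value. */
function csrf_token_matches(?string $submitted, $cookie): bool
{
    return $submitted !== null
        && is_string($cookie) && $cookie !== ''
        && hash_equals($cookie, $submitted);
}

// Constructed sample requests; the token value is made up for this example.
$cookie = 'a3f1c2d4e5b6978811223344556677ff';
$cases = [
    'valid JSON body'   => ['application/json;charset=UTF-8', '{"csrf_test_name":"a3f1c2d4e5b6978811223344556677ff","x":1}'],
    'token is an array' => ['application/json', '{"csrf_test_name":["a3f1c2d4e5b6978811223344556677ff"]}'],
    'malformed JSON'    => ['application/json', '{"csrf_test_name":'],
    'JSON as text'      => ['text/plain', '{"csrf_test_name":"a3f1c2d4e5b6978811223344556677ff"}'],
];
foreach ($cases as $label => [$type, $body]) {
    $token = csrf_token_from_request([], $type, $body, 'csrf_test_name');
    printf("%-18s %s\n", $label, csrf_token_matches($token, $cookie) ? 'accepted' : 'rejected');
}
```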