csrf token and cookie
#2

The CSRF mechanism typically requires no intervention on your part. If you do go about messing with the csrf cookie you're likely to make matters worse.

As you know, when using

PHP Code:
    $config['csrf_regenerate'] = TRUE;

The CSRF cookie is set with a new hash value every time a POST request is made to the server. GET requests do not check the CSRF credentials and do not regenerate the CSRF hash.

Why is "typically" underlined above? No intervention is needed if you're doing straight-up HTTP form processing, i.e. the browser:
  1. Requests a page that shows form
  2. Posts via form's "action" attribute
  3. Action method loads a view (possibly due to a redirect)

On the other hand, if you're using AJAX to make POST requests, recall that each POST results in a new CSRF hash. If you don't supply the new hash to the currently loaded page, the next POST will fail during csrf_verify().

The intervention required amounts to passing the new credentials back to the AJAX handler and incorporating that info into the next POST request. Incorporating the credentials can be done by either updating the value of the hidden CSRF field or by manipulating the data the AJAX request will send.

Is there any AJAX involved in your implementation?

If not, and if you have not added any code trying to outsmart the CSRF implementation, then it's hard to offer more advice without seeing the relevant controller and view code.


Messages In This Thread
csrf token and cookie - by dwlamb - 02-15-2018, 02:16 PM
RE: csrf token and cookie - by dave friend - 02-16-2018, 09:05 AM


