CSRF : Codeigniter / VueJs VIA JSON
Hi,
We are currently using VueJS, and we had a "hiccup" with the CSRF protection from CodeIgniter when sending JSON data instead of the default form-data. After some research we found multiple articles that suggested rewriting the csrf_verify function of the CI_Security core class. Example: http://teknosains.com/i/how-to-ajax-csrf...-angularjs

But I'm not really a big fan of overriding core functions of CI. I think there is a simpler solution (if you are only using the POST method):

PHP Code: <?php

By just filling the $_POST variable (which is empty) with the decoded JSON from php://input and calling the csrf_verify() function from the parent CodeIgniter CI_Security, you don't have to override the entire function and update the core of CI, and you don't have to worry about missing changes in the csrf_verify() function.

Can someone verify my approach and that it's viable, so that users struggling with this same issue in the future can just find a quick solution in this post ... not having to waste several hours like we did. Everything works as expected, but I want to be sure this does not cause security holes, and thus give people bad code.

Thanks in advance.
Bart

(10-22-2019, 02:20 PM)bartMommens Wrote:
Hello, extending the class is a very suitable approach. In CodeIgniter version 3.1.6 I added these lines to validate the JSON.
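PHP Code:
// Runs only when the normal form-data ($_POST) check did not already succeed.
if ($valid !== TRUE) {
    // Read the token from the raw JSON request body instead of $_POST.
    $input_data = json_decode(trim(file_get_contents('php://input')), true);
    if (!$input_data || !isset($input_data[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])) {
        $valid = FALSE;
    } else if (is_string($input_data[$this->_csrf_token_name]) && is_string($_COOKIE[$this->_csrf_cookie_name])
        // hash_equals() accepts strings only; a JSON array or number as the token must fail the check.
        && hash_equals($input_data[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])) {
        $valid = TRUE;
    }
}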
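The approach discussed in both posts above (take the token from the JSON body, then let CodeIgniter's own csrf_verify() decide), written out as an added example; it is not code from either poster or from the CodeIgniter project. Assumptions: CodeIgniter 3 with the default `MY_` subclass prefix, the file saved as application/core/MY_Security.php, and a client that sends `Content-Type: application/json` with the token as a top-level JSON key named after csrf_token_name.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// application/core/MY_Security.php (assumed location, default 'MY_' subclass_prefix)
class MY_Security extends CI_Security
{
    public function csrf_verify()
    {
        $method = isset($_SERVER['REQUEST_METHOD']) ? strtoupper($_SERVER['REQUEST_METHOD']) : '';
        $type   = isset($_SERVER['CONTENT_TYPE']) ? strtolower($_SERVER['CONTENT_TYPE']) : '';

        // Only touch $_POST for JSON POSTs; form-data requests take the stock path unchanged.
        if ($method === 'POST' && empty($_POST) && strpos($type, 'application/json') === 0)
        {
            // php://input can be read again later by the controller (PHP 5.6+).
            $body = json_decode(file_get_contents('php://input'), TRUE);
            $name = $this->_csrf_token_name;

            // Copy the token only, and only if it is a string: an array or number
            // from the JSON body must never reach the parent's hash_equals() call.
            if (is_array($body) && isset($body[$name]) && is_string($body[$name]))
            {
                $_POST[$name] = $body[$name];
            }
        }

        // The parent compares $_POST[token] with the cookie, calls csrf_show_error()
        // on any mismatch or missing token, and then removes the token from $_POST.
        return parent::csrf_verify();
    }
}
```

Copying only the token keeps the rest of the JSON body out of `$_POST`, so the override changes nothing about how the application reads its input. A malformed body or a missing token leaves `$_POST` empty and the parent check rejects the request.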