CI 2.0 upgrade - all ajax calls result in "500 Internal Server Error"
#1

[eluser]coolgeek[/eluser]
All of my ajax code is generating errors following my upgrade to CI2.0. The Firebug console shows the response as the following CI error

Quote:An Error Was Encountered

The action you have requested is not allowed.

The code is working correctly on my CI1.7.2 install.

The following example is used across the site for recommending content

Jquery code

Code:
$(".reclink").click(function(){
        var itag = '<img alt="recommended" title="recommended" class="icon" src="/images/site/accept.png" />';
        var p = $(this).attr('href');

        $(this).load('/ajax/recommend/add', {'uri': p});
        $(this).empty().replaceWith(itag);
        return false;
});

CI code

Code:
<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class Recommend extends CI_Controller {

    function __construct()
    {
        parent::__construct();
        $this->load->library('form_validation');
    }

    // add tracking link to object for user  
    function add() {
        $data = null;

        $this->form_validation->set_rules('uri', 'URI', 'trim|required|strip_tags|max_length[255]');

        if($this->form_validation->run() == TRUE ) {
            $uri = $this->input->post('uri');
            
            $segments = explode('/', $uri);
            $cnt = sizeof($segments);
            $obj_id = $segments[$cnt-1];
            $obj_type = $segments[$cnt-2];

            $uid = $this->tank_auth->get_user_id();
                    
            $this->load->model('Msystem_activity');
            $data['arr'] = $this->Msystem_activity->recommend_object($uid, $obj_type, $obj_id);
        }
    }
}

Any ideas why this is happening?
#2

[eluser]michalsn[/eluser]
CSRF - check this topic: http://ellislab.com/forums/viewthread/163976/#827640
#3

[eluser]coolgeek[/eluser]
okay, I solved my problem in actual forms by loading the token into a variable

Code:
var cct = $("input[name=ci_csrf_token]").val();

and adding it to my load request

Code:
$('#county').load('/ajax/counties/get', {'state_id': p, 'ci_csrf_token': cct}, function (data) {this.value = data;});

But the code in my original post doesn't use a form. It intercepts an anchor tag (progressive enhancement). The form gets created by the jquery load() function at the time of execution.

Do I have to add a form to every controller in which an anchor may be intercepted by a jquery load()? Or is there a better way to do this?
#4

[eluser]coolgeek[/eluser]
Alright, new strategy, which seems to solve all of the problems.

I installed the jquery cookie plugin and I'm using that to set the variable in the jquery script, instead of interrogating the hidden form field.

Anybody see a problem with this strategy?
#5

[eluser]Lawrence Leung[/eluser]
Thanks coolgeek, I got exactly the same problem.

I am not sure if this is better to put in the cookie (I am not good at using it). But for
var cct = $("input[name=ci_csrf_token]").val();
I think the name of the csrf token should be a secret and shouldn't be viewable in the client side. But if you put this inside the javascript, it becomes visible in the client side. And the original usage of the csrf will be wasted. Am I right?
#6

[eluser]coolgeek[/eluser]
[quote author="Lawrence Leung" date="1297774256"]
I think the name of the csrf token should be a secret and shouldn't be viewable in the client side. But if you put this inside the javascript, it becomes visible in the client side.[/quote]

The name of the token doesn't matter... the value does

More info:

AJAX with CSRF Protection in Codeigniter 2.0
#7

[eluser]Lawrence Leung[/eluser]
Thank you very much, I should read the doc carefully.
#8

[eluser]coolgeek[/eluser]
Note that the cookie has been renamed from ci_csrf_token to csrf_token_name in the official 2.0 release.
#9

[eluser]Unknown[/eluser]
thanks. this post is my solution.
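
Added example (not part of any post in this thread, and not CodeIgniter's own code): the cookie approach from post #4 in JavaScript, reading the CSRF cookie and attaching its value to the POST data, with a same-origin check so the token is never sent to another site. The helper names, the sample cookie string and the origin are constructed for illustration; the cookie and field names are parameters because they depend on the CodeIgniter version and configuration.

```javascript
// Added example, not code from the thread. Names and sample values are constructed.
const SAMPLE_COOKIES = 'ci_session=abc123; ci_csrf_token=9f8e7d6c%2Bx; theme=dark';

// Return the value of one cookie from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue; // exact name match only
    const raw = part.slice(eq + 1).trim();
    try {
      return decodeURIComponent(raw);
    } catch (e) {
      return raw; // malformed percent-encoding: pass the raw value through
    }
  }
  return null;
}

// True only when `url` resolves to the page's own origin, so the token
// is never attached to a request bound for another site.
function isSameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false;
  }
}

// Copy `data` and add the CSRF token under `fieldName` (the POST field the
// server checks). Throws instead of sending a request that would be rejected.
function withCsrf(data, url, pageOrigin, cookieString, cookieName, fieldName) {
  if (!isSameOrigin(url, pageOrigin)) {
    throw new Error('refusing to send CSRF token to ' + url);
  }
  const token = readCookie(cookieString, cookieName);
  if (!token) {
    throw new Error('CSRF cookie "' + cookieName + '" not found');
  }
  return Object.assign({}, data, { [fieldName]: token });
}

// Browser usage with the first post's handler (jQuery loaded, names assumed):
//   var url = '/ajax/recommend/add';
//   $(this).load(url, withCsrf({uri: p}, url, location.origin,
//                              document.cookie, 'ci_csrf_token', 'ci_csrf_token'));
```

This only works while the CSRF cookie is readable by script (not flagged HttpOnly). The protection comes from the server comparing the posted value with the cookie, which a page on another origin cannot read.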