Another CSRF question
#1

[eluser]keld[/eluser]
Hi,

I've enabled CSRF in my config file and after realizing that all my POSTs from jQuery stopped working I searched the forum and found this helpful link:
http://ericlbarnes.com/blog/post/codeign..._with_ajax

The only issue is that it is still not working.
If I look at my cookies in Firefox I see the csrf_token_myname cookie but there is no csrf_cookie_myname, so in jQuery when I have:
Code:
...
$.ajax({
            url: base_url+"mycontroller/myfunction",
            data: {widget_id : $(widget).attr('id'), fetch: 1, csrf_token_name: $.cookie("csrf_cookie_mysite")},
            type: "POST",
...
and I do a trace in the console, $.cookie("csrf_cookie_mysite") is equal to null but $.cookie("csrf_token_mysite") contains a random string.
I'm wondering why on Eric Barnes' blog he's assigning the cookie to the token and why it is still not working on my site.

Any help is appreciated, thanks!
#2

[eluser]bubbafoley[/eluser]
I'm pretty sure that there is only 1 CSRF cookie. Is csrf_cookie_name set to 'csrf_cookie_mysite' in your config?

Here's my config
Code:
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;

I'm only seeing 1 cookie in Firefox http://d.pr/yNYX
#3

[eluser]keld[/eluser]
My config file looks like this:
Code:
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_token_mysite';
$config['csrf_cookie_name'] = 'csrf_cookie_mysite';
$config['csrf_expire'] = 7200;

and when I do view cookies in Firefox I only see 4 cookies:
PHPSESSID
csrf_token_mysite
fbs_135056496568211 (the facebook connect cookie I believe)
mysite_cookie (cookie i created for users)

That's all, no csrf_cookie unfortunately....
#4

[eluser]InsiteFX[/eluser]
Oops, just saw that you already read this!

CodeIgniter CSRF Protection With Ajax - by Eric Barnes

You're using base_url where Eric uses site_url.
Code:
url: base_url+"mycontroller/myfunction",

InsiteFX
#5

[eluser]keld[/eluser]
Hi InsiteFX, yes Eric is using site_url but I'm using base_url for mine. I know it's working as I'm using this across my entire site and as soon as I turn off CSRF in config.php, the ajax post works.
#6

[eluser]InsiteFX[/eluser]
If you're using jQuery 1.5, I believe I read on the forums here that there was a bug that was stopping it from working; they had a fix for it. But I am not sure if that's your problem.

I'll look around and see what I can come up with.

Found this also

InsiteFX
#7

[eluser]ELRafael[/eluser]
I have a search form using GET instead of POST.
Maybe this can help you out.

Code:
$('form#your_form_id').submit(function(e) {
    var search_term = $('input.text_to_search').val();
    // The CSRF hash comes from the hidden input that form_open() renders;
    // the input's name (and the POST key below) must match $config['csrf_token_name'].
    var token = $('input[name="ci_csrf_token"]').val();
    $.post(base_url + "site/encode_string/", { 'search_term': search_term, 'ci_csrf_token': token },
        function(data) {
            // encode_string echoes every POST field back base64-encoded,
            // so the encoded term comes back under its own key.
            search_term = data.search_term;
            var url = '<?php echo $url; ?>/' + search_term;
            window.location = url;
        }, 'json');

    e.preventDefault();
});

Look at the token var
Code:
token = $('input[name="ci_csrf_token"]').val();
@keld, in your case, you need to change ci_csrf_token to csrf_token_mysite.

I'm using jQuery 1.5 (I guess :-S )

The method
site->encode_string is something like this:
Code:
public function encode_string()
{
    // Echo each POST field back base64-encoded as JSON. A controller
    // method has to output the response, so echo it rather than return it.
    $return = array();
    foreach ($_POST as $key => $value)
    {
        $return[$key] = base64_encode($value);
    }
    echo json_encode($return);
}
#8

[eluser]keld[/eluser]
Hmmmm, I still can't get it to work. This is what I have in my js:
Code:
$('div#star-rating div.rate_widget').each(function(i) {
        var widget = this;
        var csrf_token = $.cookie("csrf_token_mysite");
        $.ajax({
            url: base_url+"recipes/recipeRatings",
            data: {widget_id : $(widget).attr('id'), fetch: 1, csrf_token_name: csrf_token},
            type: "POST",
            cache: false,
            dataType: "json",
            success: function(data){
                $(widget).data( 'fsr', data );
                set_votes(widget);
            },
            error : function(XMLHttpRequest, textStatus, errorThrown) {
                $("#star-rating").find('#total_votes').text("Error parsing data. Try again later.");
            }
        });
    });

and my controller:
Code:
if (is_ajax())
{
    if (isset($_POST['fetch']))
    {
        $rating_values = $this->Mc_home->getRatings();
        $this->firephp->log(json_encode($rating_values), "reading votes");
        echo json_encode($rating_values);
    }
}

The console gives me a 500 server error even before entering the controller; it gets stuck in the post in my js file.
#9

[eluser]ELRafael[/eluser]
IMHO

Don't use $.cookie.
Try to fetch the token with
var token = $('input[name="csrf_token_mysite"]').val();
"unless the $.cookie is ok"

And try to alert the vars
alert(token) and so.

Do you use Firebug? It's a big friend :-)

Try to simplify your procedure, step by step.

I'm telling you this because at first glance everything seems ok.

Without seeing your HTML, it's a little hard to figure out where the problem is. Try pastebin ;)
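Added example, not code from this thread, from Eric Barnes' post, or from CodeIgniter itself: a small Node-runnable model of the two halves that #1, #7 and #9 are arguing about. The browser has to send the cookie's value in a POST field whose name is `$config['csrf_token_name']`, and the server compares that field against the cookie named by `$config['csrf_cookie_name']`; `csrfVerify()` below mirrors that comparison from CodeIgniter 2.x's Security class in JavaScript so the three situations in the thread can be run side by side. The `CONFIG` values are keld's from #3; the cookie string, the hash and the HTML snippet are constructed sample data; `tokenFromHiddenInput()` is a deliberately simple regex for that constructed snippet, not a general HTML parser.

```javascript
// Added example: models CodeIgniter 2.x CSRF handling end to end in plain JS.
// Nothing here is CodeIgniter's own code; it reproduces the check's logic.

// Mirrors keld's application/config/config.php (values from the thread).
const CONFIG = {
  csrf_token_name: 'csrf_token_mysite',
  csrf_cookie_name: 'csrf_cookie_mysite',
};

// Parse a document.cookie-style string ("a=1; b=2") into an object.
// This is what $.cookie(name) does; a cookie that was never set comes back
// undefined, which is the null keld saw for csrf_cookie_mysite.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Read the token from the hidden field that form_open() renders, the way
// ELRafael's snippet does. Simplified pattern for the constructed HTML below.
function tokenFromHiddenInput(html, tokenName) {
  const re = new RegExp('<input[^>]*name="' + tokenName + '"[^>]*value="([^"]*)"', 'i');
  const m = re.exec(html);
  return m ? m[1] : undefined;
}

// Client side: attach the hash under the *configured* token name. The literal
// key csrf_token_name (as in keld's $.ajax data block) is a field the server
// never looks at.
function buildPostData(fields, csrfHash) {
  return Object.assign({}, fields, { [CONFIG.csrf_token_name]: csrfHash });
}

// Compare without bailing out on the first differing byte.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: the essence of the CSRF check. Only POSTs are checked, and a
// rejected request is stopped before any controller code runs.
function csrfVerify(method, post, cookies) {
  if (method !== 'POST') return { ok: true, reason: 'not a POST, no check' };
  const submitted = post[CONFIG.csrf_token_name];
  const expected = cookies[CONFIG.csrf_cookie_name];
  if (submitted === undefined) return { ok: false, reason: 'POST field ' + CONFIG.csrf_token_name + ' missing' };
  if (expected === undefined) return { ok: false, reason: 'cookie ' + CONFIG.csrf_cookie_name + ' missing' };
  if (!constantTimeEqual(String(submitted), String(expected))) return { ok: false, reason: 'token/cookie mismatch' };
  return { ok: true, reason: 'token matches cookie' };
}

// The thread's three situations, run on constructed data.
function demo() {
  const hash = '8f0b2c9e1d4a7b6c3e5f9a1b2c3d4e5f';   // constructed sample hash
  const cookies = parseCookies('PHPSESSID=k3x9; ' + CONFIG.csrf_cookie_name + '=' + hash + '; mysite_cookie=1');
  const page = '<form><input type="hidden" name="' + CONFIG.csrf_token_name + '" value="' + hash + '" /></form>';
  return {
    // 1. keld's original data block: right value, wrong key name -> rejected
    wrongKey: csrfVerify('POST', { fetch: 1, csrf_token_name: hash }, cookies),
    // 2. same value under the configured key, read from the hidden input -> accepted
    fixed: csrfVerify('POST', buildPostData({ fetch: 1 }, tokenFromHiddenInput(page, CONFIG.csrf_token_name)), cookies),
    // 3. the cookie was never set (keld's cookie list had no csrf_cookie_mysite) -> rejected
    noCookie: csrfVerify('POST', buildPostData({ fetch: 1 }, hash), parseCookies('PHPSESSID=k3x9')),
  };
}

console.log(demo());
```

Run with `node` to see the three verdicts. The first thing to check on a real page is therefore whether the cookie named in `csrf_cookie_name` actually exists in the browser (case 3) and whether the POST key matches `csrf_token_name` (case 1); only when both hold does the value itself matter.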
#10

[eluser]keld[/eluser]
Yes, I use Firebug, FirePHP and all.
When I echo out the vars everything looks fine, even the token value is correct, but it doesn't run the POST; it goes straight to the 'error' part and displays the "Error parsing data. Try again later." error message.
As soon as I turn off csrf, everything works fine again.
Does it matter if I'm on localhost? it should I guess.