CSRF giving problem with ajax

#1
Hello,

I built an application using CI3 and AJAX to submit the forms. My CSRF is enabled and regenerating on each POST; I use the JSON response to renew the CSRF values in the CSRF inputs of all forms on the page. All works fine, but sometimes I get the blessed error "An error was encountered. Your request is not allowed" right on the first submit (at that time the CSRF input is written correctly in the HTML). Well, the funny thing is, after the CSRF token expires (from what I see) everything works again without the CSRF error, but the strangest part is that not even reloading the page or cleaning all the browser and session data (I use the DB to store the session) makes it work; it just sits there and says: I will not work now, wait for the CSRF token to expire!

Disabling the CSRF, everything works (as expected).

Well, I tried some solutions but nothing works; someone please enlighten me!

Very grateful!
Reply

#2
Hi,

I got the same problem with the AJAX POST method.
I solved it by changing the POST method to the GET method.


Thanks
Reply

#3
I have been using CSRF and Ajax without any issues with CI3.

If you are submitting your form with JavaScript, make sure you are writing the CSRF hash into your JS before posting anything. I do this by passing the hash in a page variable that I write as a var in my JS. Then I do not have to worry about updating the form fields. However, I suppose it depends on how you are collecting your form fields.

Have you tried making the expire value higher, so that it does not change so frequently? Also, does the CSRF work on a normal form submit? Because if so, it sounds like a problem in the JS.

If you post some code I will have a look and see if I can spot anything.

Good luck

Paul.
Reply

#4
I use CSRF protection on my site, which is massively Ajaxified. I use a jQuery plugin (https://github.com/carhartl/jquery-cookie) that makes handling cookies simple:
<script>
var csrf_token = $.cookie('csrf_token');
</script>

Then whenever I'm POSTing data with AJAX, I just need to include the csrf_token in the data object that's sent to the CI server.

Works really well.
Reply

#5
Well, first thanks all for the suggestions!

I found the problem and the solution too. My problem was that the website was accessed both with and without the www, and my base_url was set with the www, so when users accessed it without the www I got the related problem. The solution was simple: I just redirect all users to the www URL, et voilà, the CSRF is working better than ever.

Best regards for everyone!
Reply
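The root cause in the post above is cookie scope. CodeIgniter 3 compares the POSTed token field against the hash stored in the CSRF cookie, and a cookie set without a Domain attribute (CI3's $config['cookie_domain'] left empty) is host-only: a cookie set while the user browses example.com is not sent with a form that posts to www.example.com, so the hash is "missing" and the request is rejected. The following is an added example, not code from the thread, that models the RFC 6265 matching rules so you can check a given hostname pair. The hostnames are placeholders. Redirecting every visitor to one canonical hostname, as the poster did, fixes it; setting cookie_domain to the parent domain also works, at the cost of sending the cookie to every subdomain.

```javascript
// Added example (not from the thread): RFC 6265 cookie scoping applied to CI3's CSRF
// cookie. Hostnames used in comments and tests are placeholders.

// RFC 6265 section 5.1.3: requestHost domain-matches cookieDomain when they are equal,
// or cookieDomain is a suffix of requestHost preceded by a dot. A leading dot in the
// configured domain (".example.com") is ignored, as browsers do.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  return host.endsWith('.' + domain);
}

// A cookie set without a Domain attribute is host-only and is sent only to the exact
// host that set it. With Domain=example.com it goes to example.com and all subdomains.
function cookieSentTo(cookie, requestHost) {
  if (cookie.hostOnly) {
    return requestHost.toLowerCase() === cookie.domain.toLowerCase();
  }
  return domainMatches(requestHost, cookie.domain);
}

// Simulate one page load plus one form submit: the browser visits pageHost, CI3 sets the
// CSRF cookie (Domain attribute taken from $config['cookie_domain'], empty = host-only),
// then the form posts to actionHost (derived from base_url). Returns whether the browser
// attaches the CSRF cookie to that POST, i.e. whether CI3 can find the hash to compare.
function csrfCookieReachesForm(pageHost, actionHost, configCookieDomain) {
  const cookie = configCookieDomain
    ? { domain: configCookieDomain, hostOnly: false }
    : { domain: pageHost, hostOnly: true };
  return cookieSentTo(cookie, actionHost);
}

// Walk through the scenario from the thread for a set of hostname pairs.
function explainScenario(pageHost, actionHost, configCookieDomain = '') {
  const ok = csrfCookieReachesForm(pageHost, actionHost, configCookieDomain);
  return `page ${pageHost}, form posts to ${actionHost}, cookie_domain='${configCookieDomain}': ` +
    (ok ? 'CSRF cookie sent, token check can pass' : 'CSRF cookie NOT sent, request rejected');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(explainScenario('example.com', 'www.example.com'));        // rejected
  console.log(explainScenario('www.example.com', 'www.example.com'));    // passes
  console.log(explainScenario('example.com', 'www.example.com', '.example.com')); // passes
}
```

Run it with node to see the three cases. The first line reproduces the thread's failure mode; the third shows the cookie_domain alternative to the redirect.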

#6
(05-06-2015, 08:20 AM)matbeard Wrote: I use CSRF protection on my site, which is massively Ajaxified. I use a jQuery plugin (https://github.com/carhartl/jquery-cookie) that makes handling cookies simple:
<script>
var csrf_token = $.cookie('csrf_token');
</script>

Then whenever I'm POSTing data with AJAX, I just need to include the csrf_token in the data object that's sent to the CI server.

Works really well.

I do the same: massive AJAX usage on CI3, with token refreshing on every request.

So I added this to my footer:

Code:
    // Requires jQuery and the jquery-cookie plugin ($.cookie).
    // csrf_cookie_name_goes_here / csrf_var_name_goes_here are placeholders for the
    // values of $config['csrf_cookie_name'] and $config['csrf_token_name'].
    $(document).ready(function () {
        $('form').submit(function () {
            // Read the cookie at submit time, so a regenerated token is picked up.
            var csrf_cookie_val = $.cookie(csrf_cookie_name_goes_here);
            // Copy it into the form's hidden CSRF field before the request goes out.
            $(this).find('input[type="hidden"]')
                .filter('[name="' + csrf_var_name_goes_here + '"]')
                .val(csrf_cookie_val);
        });
    });
Reply

#7
When you send custom fields by AJAX, the CSRF token is not sent in the request data, so you should add the CSRF token to the data option of your AJAX request.

PHP Code:
$.post(url, {
    '<?php echo $this->security->get_csrf_token_name(); ?>': '<?php echo $this->security->get_csrf_hash(); ?>',
    other_field: 'bla'
}, function (data) {

    // code here
});

When you post form data by AJAX, the CSRF library automatically appends a hidden token element to the form, so the form works well.
Passionate PHP Programmer & Codeigniter Developer :- Always happy to help you!
Reply
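Posts #4, #6 and #7 all attach the CSRF hash to each AJAX request, either from the cookie or by echoing it into the page. Below is an added example, not code from the thread or from CodeIgniter, of the same pattern without jQuery: it reads the hash from the CSRF cookie at the moment of each request (so a token regenerated by the previous response is always the one sent) and adds it to a form-encoded POST body under the token field name. The two config names are the CI3 defaults for $config['csrf_cookie_name'] and $config['csrf_token_name']; the endpoint URL is a placeholder. One caveat for readers of posts #2 and #8: CI3 only verifies the CSRF token on POST requests, so switching a state-changing request to GET does not fix the error, it disables the protection for that request.

```javascript
// Added example (not from the thread): attach CI3's CSRF hash from the cookie to an
// AJAX POST. Names below are CI3 defaults; '/ajax/endpoint' is a placeholder URL.

const CSRF_COOKIE_NAME = 'csrf_cookie_name'; // CI3 default $config['csrf_cookie_name']
const CSRF_TOKEN_NAME = 'csrf_test_name';    // CI3 default $config['csrf_token_name']

// Parse a "k=v; k2=v2" cookie string (document.cookie in a browser) into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Fetch the current hash. A missing cookie means it was never set for this host
// (see the www / non-www discussion) or has expired; fail loudly instead of sending
// a request CI3 will reject with 403.
function getCsrfHash(cookieString) {
  const hash = parseCookies(cookieString)[CSRF_COOKIE_NAME];
  if (!hash) throw new Error('CSRF cookie missing: not set for this host, or expired');
  return hash;
}

// Build the application/x-www-form-urlencoded body CI3 reads with $this->input->post():
// the caller's fields plus the CSRF token field. URLSearchParams does the encoding.
function buildCsrfBody(fields, cookieString) {
  const params = new URLSearchParams();
  for (const [key, value] of Object.entries(fields)) params.append(key, value);
  params.append(CSRF_TOKEN_NAME, getCsrfHash(cookieString));
  return params.toString();
}

// Browser usage: read document.cookie right before each request, never once at page
// load, because with csrf_regenerate enabled every response replaces the cookie.
async function postWithCsrf(url, fields) {
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildCsrfBody(fields, document.cookie),
    credentials: 'same-origin', // send the session and CSRF cookies
  });
  if (res.status === 403) throw new Error('CSRF check failed (CI3 returns 403)');
  return res.json();
}

// Example call in a page (placeholder endpoint):
//   postWithCsrf('/ajax/endpoint', { name: 'bob' }).then(console.log);
```

Because the hash is read from the cookie on each call, there is no need to rewrite the hidden inputs of every form from the JSON response as the original poster did; the browser's cookie jar already holds the latest value.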

#8
Hello, we got the same issue with the AJAX POST method. Hence we changed the POST method.
Reply



