CSRF Token with ajax
#1

(This post was last modified: 05-20-2015, 03:39 AM by sebastianvirlan.)

Hi, I want to make a user edit page, a page that uses AJAX to save settings.
Also, on that page I would like to use CSRF protection.
So, on my form I use: <?php echo form_hidden($csrf); ?> to generate the code:

Code:
<input type="hidden" name="nDR0S3dw" value="xVcuF6swebLtUEJySNW3" /> //for example.

When I press save changes the first time it works great, but the second time it will fail, because the token is regenerated on every refresh, and if I do not refresh the page with the form I will have the same token in the hidden input.
The function that verifies the token is in the attached picture and is the one from the ion auth library.


I found a resolution, but is it still secure? I attached 2 new screenshots.

#2

I can't tell if this is what you are doing, but, generally speaking, I would just pass the CSRF Token name and hash (as retrieved by $this->security->get_csrf_token_name() and $this->security->get_csrf_hash()) in my response, then create the hidden input for the new token/hash pair in the AJAX success method.
#3

Well, I do the same. In my response I create the new hidden input in the csrf div every time.

[Image: attachment.php?aid=217]
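
The pattern from reply #2, as an added example that is not code from any poster, CodeIgniter or ion auth: a simulated server that replaces its token name/value pair on every request, with one client that keeps the stale hidden input and one that swaps in the pair returned by each response. The names `makeServer`, `makeClient` and `demo` are hypothetical, and rotation on every request is an assumption taken from the behaviour described in post #1.

```javascript
// Added example: a simulation, not CodeIgniter or ion auth code.
const { randomBytes, timingSafeEqual } = require('crypto');

// Constructed server: holds one valid name/value pair and replaces it on
// every request, like the token in the thread that changes on each refresh.
function makeServer() {
  let current = null;
  const issue = () => {
    current = { name: 'n' + randomBytes(4).toString('hex'),
                value: randomBytes(10).toString('hex') };
    return { ...current };
  };
  return {
    renderForm: issue, // page load: the pair goes into the hidden input
    save(body) {
      const sent = Buffer.from(String(current ? body[current.name] ?? '' : ''));
      const want = Buffer.from(current ? current.value : '');
      const ok = current !== null && sent.length === want.length &&
                 timingSafeEqual(sent, want);
      return { ok, csrf: issue() }; // rotate, then hand the new pair back
    },
  };
}

// Constructed client: `hidden` stands in for the form's hidden input.
function makeClient(server, refreshFromResponse) {
  let hidden = server.renderForm();
  return {
    save(settings) {
      const res = server.save({ ...settings, [hidden.name]: hidden.value });
      // The AJAX success handler's job: swap in the pair from the response.
      if (refreshFromResponse) hidden = res.csrf;
      return res.ok;
    },
  };
}

function demo() {
  const stale = makeClient(makeServer(), false);
  const fresh = makeClient(makeServer(), true);
  const saves = (c, n) => Array.from({ length: n }, (_, i) => c.save({ email: `u${i}@example.test` }));
  return { stale: saves(stale, 3), fresh: saves(fresh, 3) };
}

console.log(demo());
```

The new pair only ever travels in the response to a request that already carried the session cookie, so the refreshed client stays in step without the token being exposed anywhere a cross-site page could read it.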