cookie httponly
Hi,
I am wondering about this cookie option in the config.
PHP Code: $config['cookie_httponly'] = FALSE;
If set to true, does it mean you can not read the cookie via javascript? Will it make using CSRF and AJAX together impossible? Can someone please explain what this does? Thanks!
(09-29-2015, 02:45 AM)Narf Wrote: (09-29-2015, 01:31 AM)Martin7483 Wrote: Will it make using CSRF and AJAX together impossible?
But if I post a form using AJAX, the CSRF token must be present or the post request will fail due to the missing token.
Yes, but CI has a method to give you the CSRF token, so you don't have to read it from the cookie.
Edit: In fact, the CSRF form field itself is variable; it's not a hard-coded name, so you need CI to give you that as well.
So how would I implement a drag and drop on a list so that the order is changed in the DB?
Must I now place my drag and drop list in a form? EDIT: Never mind, I see that CI indeed has got a method to get both name and value. I can use them to set it correctly for use in an AJAX request.
(09-29-2015, 04:36 AM)Narf Wrote: In fact, the CSRF form field itself is variable; it's not a hard-coded name, so you need CI to give you that as well.
Just did some digging and you are wrong about that.
PHP Code: $config['csrf_token_name'] = 'csrf_test_name';
The field name is not variable. You set it in the config and therefore you can manually populate an AJAX data post with the correct values. I do however agree that using javascript to get the value of the token from the cookie is not the best way of doing things. Maybe the CSRF should be updated to use a variable name as the field name of the hidden CSRF field?
Configuration settings are variables ... that's what they do - they vary depending on users' preferences.
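Putting the answers above together, as an added example (not code from this thread or from CodeIgniter itself): with cookie_httponly switched on, the token name and value come from CI 3.x's Security class (get_csrf_token_name() and get_csrf_hash()) and are handed to the page, and the AJAX request sends them in the POST body, so JavaScript never needs document.cookie. The controller Sort, the view sort_list and the model step are hypothetical, and the view assumes the URL helper is loaded.

```php
<?php
// application/config/config.php (CI 3.x keys; values chosen for this example)
$config['cookie_httponly'] = TRUE;    // document.cookie can no longer read the CSRF cookie
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_regenerate'] = TRUE;    // fresh token after every POST (CI 3 default)

// application/controllers/Sort.php (hypothetical controller)
class Sort extends CI_Controller
{
    // Hand the view the field name and token from CI, not from the cookie.
    public function index()
    {
        $this->load->view('sort_list', array(
            'csrf_name' => $this->security->get_csrf_token_name(),
            'csrf_hash' => $this->security->get_csrf_hash(),
        ));
    }

    // AJAX endpoint. CI's Security class has already answered 403 if the
    // posted token did not match the cookie, so only valid requests get here.
    public function reorder()
    {
        $order = $this->input->post('order');  // array of item ids in their new order
        // ... persist $order to the DB (hypothetical model call) ...
        $this->output->set_content_type('application/json')->set_output(json_encode(array(
            'ok'        => TRUE,
            'csrf_hash' => $this->security->get_csrf_hash(), // regenerated token for the next call
        )));
    }
}
?>
<!-- application/views/sort_list.php -->
<ul id="sortable" data-csrf-name="<?php echo html_escape($csrf_name); ?>"
                  data-csrf-hash="<?php echo html_escape($csrf_hash); ?>"></ul>
<script>
// Called by the drag-and-drop widget with the item ids in their new order.
function saveOrder(ids) {
  var list = document.getElementById('sortable');
  var body = new FormData();
  body.append(list.dataset.csrfName, list.dataset.csrfHash); // token travels in the POST body
  ids.forEach(function (id) { body.append('order[]', id); });
  return fetch('<?php echo site_url('sort/reorder'); ?>', {
    method: 'POST', body: body, credentials: 'same-origin' // cookie sent by the browser, never read by JS
  }).then(function (r) { return r.json(); })
    .then(function (j) { list.dataset.csrfHash = j.csrf_hash; return j.ok; });
}
</script>
```

Because csrf_regenerate is on, the endpoint returns the new hash and the script stores it for the next drop; without that step a second reorder on the same page would be rejected with a 403.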