cookie httponly
#1

(This post was last modified: 09-29-2015, 01:32 AM by Martin7483.)

Hi,

I am wondering about this cookie option in the config.
PHP Code:
$config['cookie_httponly'] = FALSE;

If set to true, does it mean you can not read the cookie via javascript?
Will it make using CSRF and AJAX together impossible?

Can someone please explain what this does?


Thanks!
#2

(09-29-2015, 01:31 AM)Martin7483 Wrote: If set to true, does it mean you can not read the cookie via javascript?

Precisely.

(09-29-2015, 01:31 AM)Martin7483 Wrote: Will it make using CSRF and AJAX together impossible?

No ... you don't need to read the CSRF cookie with JS for that to work.
#3

(09-29-2015, 02:45 AM)Narf Wrote:
(09-29-2015, 01:31 AM)Martin7483 Wrote: Will it make using CSRF and AJAX together impossible?

No ... you don't need to read the CSRF cookie with JS for that to work.

But if I post a form using AJAX, the CSRF token must be present or the post request will fail due to the missing token.
#4

(This post was last modified: 09-29-2015, 04:37 AM by Narf.)

Yes, but CI has a method to give you the CSRF token, so you don't have to read it from the cookie.

Edit:

In fact, the CSRF form field itself is variable; it's not a hard-coded name, so you need CI to give you that as well.
#5

(This post was last modified: 09-29-2015, 04:52 AM by Martin7483.)

So how would I implement a drag and drop on a list so that the order is changed in the DB?
Must I now place my drag and drop list in a form?

EDIT: Never mind, I see that CI indeed has got a method to get both name and value. I can use them to set it correctly for use in an AJAX request
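To make the approach from this post concrete, here is an added example (not code from this thread and not part of CodeIgniter itself) of a drag-and-drop list whose new order is posted via AJAX while the CSRF cookie stays HttpOnly. The token name and hash are rendered into the page by CI's `$this->security->get_csrf_token_name()` and `get_csrf_hash()`, so the JavaScript never touches `document.cookie`. The controller and model names (`Items`, `Item_model`, `get_ordered()`, `save_order()`) and the `data-csrf-*` attributes are hypothetical; it assumes a CI 3 application with `csrf_protection` enabled.

```php
<?php
// ---- application/controllers/Items.php (hypothetical) ----
class Items extends CI_Controller
{
    public function index()
    {
        $this->load->helper('url');           // for site_url() in the view
        $this->load->model('item_model');     // hypothetical model
        $data['items'] = $this->item_model->get_ordered();
        $this->load->view('items/sortable', $data);
    }

    // Receives the new order as a form-encoded POST. CI's Security class has
    // already compared $_POST[csrf_token_name] with the cookie before this
    // method runs; on a mismatch CI stops with a 403 and never gets here.
    public function reorder()
    {
        if ( ! $this->input->is_ajax_request()) {
            show_error('AJAX requests only', 400);
        }
        $ids = $this->input->post('order');   // order[]=3&order[]=1&...
        if ( ! is_array($ids)) {
            show_error('Missing order', 400);
        }
        $this->load->model('item_model');
        $this->item_model->save_order(array_map('intval', $ids));

        // With csrf_regenerate = TRUE (the CI 3 default) every request issues a
        // new hash, so hand the fresh one back for the next AJAX call.
        $this->output->set_content_type('application/json')
                     ->set_output(json_encode(array(
                         'ok'   => TRUE,
                         'csrf' => $this->security->get_csrf_hash(),
                     )));
    }
}
?>
<?php // ---- application/views/items/sortable.php (hypothetical) ---- ?>
<ul id="list"
    data-csrf-name="<?php echo html_escape($this->security->get_csrf_token_name()); ?>"
    data-csrf-hash="<?php echo html_escape($this->security->get_csrf_hash()); ?>">
<?php foreach ($items as $item): ?>
    <li draggable="true" data-id="<?php echo (int) $item->id; ?>"><?php echo html_escape($item->name); ?></li>
<?php endforeach; ?>
</ul>
<script>
// The token is read from the server-rendered attributes, never from
// document.cookie, so it keeps working with cookie_httponly = TRUE.
function sendOrder() {
    var list = document.getElementById('list');
    var body = [];
    var lis = list.querySelectorAll('li');
    for (var i = 0; i < lis.length; i++) {
        body.push('order[]=' + encodeURIComponent(lis[i].getAttribute('data-id')));
    }
    // CI looks the token up in $_POST, so the body must be form-encoded;
    // a JSON body would fail the CSRF check even with a valid token.
    body.push(encodeURIComponent(list.getAttribute('data-csrf-name')) + '=' +
              encodeURIComponent(list.getAttribute('data-csrf-hash')));

    var xhr = new XMLHttpRequest();
    xhr.open('POST', '<?php echo site_url('items/reorder'); ?>');
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest'); // what is_ajax_request() checks
    xhr.onload = function () {
        if (xhr.status === 200) {
            var res = JSON.parse(xhr.responseText);
            list.setAttribute('data-csrf-hash', res.csrf); // store regenerated token
        }
    };
    xhr.send(body.join('&'));
}

// Minimal drag-and-drop: move the dragged <li> before the drop target, then save.
var dragged = null;
document.getElementById('list').addEventListener('dragstart', function (e) { dragged = e.target; });
document.getElementById('list').addEventListener('dragover', function (e) { e.preventDefault(); });
document.getElementById('list').addEventListener('drop', function (e) {
    e.preventDefault();
    var target = e.target.closest('li');
    if (dragged && target && dragged !== target) {
        target.parentNode.insertBefore(dragged, target);
        sendOrder();
    }
});
</script>
```

The field name does come from `$config['csrf_token_name']`, as the later posts note, but taking it from `get_csrf_token_name()` keeps the view correct if that setting changes. If your application leaves `csrf_regenerate` at its default of `TRUE`, every response carries a new hash, so either return it as shown or set `$config['csrf_regenerate'] = FALSE` to keep one token per session.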
#6

(09-29-2015, 04:36 AM)Narf Wrote: In fact, the CSRF form field itself is variable; it's not a hard-coded name, so you need CI to give you that as well.

Just did some digging and you are wrong about that.

PHP Code:
$config['csrf_token_name'] = 'csrf_test_name';

The field name is not variable. You set it in the config and therefore you can manually populate an AJAX data post with the correct values.

I do however agree that using javascript to get the value of the token from the cookie is not the best way of doing things.

Maybe the CSRF should be updated to use a variable name as the field name of the hidden CSRF field?
#7

Configuration settings are variables ... that's what they do - they vary depending on users' preferences.
#8

(09-29-2015, 05:54 AM)Narf Wrote: Configuration settings are variables ... that's what they do - they vary depending on users' preferences.

That is true. I was thinking in the sense that the field name would also be a hash value...