Generate CSRF token during Exceptions handling

#1
My website heavily uses Ajax POST requests. To make use of the built-in CI CSRF protection, I include the current CSRF token in the request parameters and return a new token in every (successful) Ajax response. Works fine, all good.

However, I have difficulties returning the new CSRF token in error cases, i.e. 404 file not found or 500 server error. As I had extended the CI core Exceptions class to overload show_error() already (to return an error message in JSON style in case the request is an Ajax request), my idea was to include a new CSRF token in this response as well.

Problem: the Security class to generate the new CSRF token ($this->security->get_csrf_hash();) has not been instantiated yet :-( Also even the Controller may not be available yet, so that "$CI =& get_instance();" errors out as well.
Obviously, I also don't want to create a completely new security instance (as this would generate a new CSRF token incompatible with the original instance), but I need to access my existing session's security instance. How can I achieve that?

P.S.: I know that I can switch off CSRF token regeneration, but this only works around the symptom and comes with lower security.
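
One way to reach the existing Security object from an Exceptions override, shown as an added example that is not part of the original post. It assumes CodeIgniter 3, where load_class() in system/core/Common.php keeps a single shared instance of each core class; the file name MY_Exceptions.php and the JSON field names are assumptions.

```php
<?php
// application/core/MY_Exceptions.php (assumed location, default "MY_" subclass prefix)
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Exceptions extends CI_Exceptions
{
    // Same test CI_Input::is_ajax_request() performs, repeated here because
    // the Input object is not reachable without a controller.
    protected function is_ajax()
    {
        return ! empty($_SERVER['HTTP_X_REQUESTED_WITH'])
            && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
    }

    public function show_error($heading, $message, $template = 'error_general', $status_code = 500)
    {
        if ( ! $this->is_ajax()) {
            return parent::show_error($heading, $message, $template, $status_code);
        }

        // load_class() returns the instance already held in its registry (the
        // one CodeIgniter.php assigned to $SEC). If the error fired before the
        // framework loaded Security, this call creates the instance and the
        // framework reuses it afterwards, so there is still only one.
        // No get_instance() and no controller are needed.
        $security =& load_class('Security', 'core');

        set_status_header($status_code);
        header('Content-Type: application/json; charset=utf-8');
        header('Cache-Control: no-store');

        // The global show_error()/show_404() helpers echo this string and exit.
        return json_encode(array(
            'error' => array(
                'heading' => $heading,
                'message' => $message, // may be a string or an array of strings
            ),
            'csrf' => array(
                'name' => $security->get_csrf_token_name(),
                'hash' => $security->get_csrf_hash(),
            ),
        ));
    }
}
```

If the error fires before the POST token has been verified, the hash returned is the one read from the existing CSRF cookie rather than a regenerated one, so the client's current token stays valid.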