• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Ajax request and regenerate csrf

#1
hi , sorry for english , i must get some value from a db to populate a select .

 this is my js code :


Code:
<script>

$(document).ready(function() {
 $("#regione_id").change(function(){
   
   $("#comune_id").html('<option value="" selected="selected">-- seleziona --</option>');
   
   var regione_id = $("#regione_id").val();
   var csrfName = '<?php echo $this->security->get_csrf_token_name(); ?>';
   var csrfHash = '<?php echo $this->security->get_csrf_hash(); ?>';

   console.log(regione_id);
   $.ajax({
     type: "POST",
     url: "<?php echo site_url(); ?>/user/get_province",
     data: {
        csrfName:csrfHash,
        regione:regione_id
     },  
     
     dataType: "html",
     success: function(msg)
     {  
 
            
       $("#province_id").html(msg);
     },
     error: function()
     {
       alert("Chiamata fallita, si prega di riprovare...");
     }
   });
 });

this is the controller :

Code:
function get_province(){
            
            $data = array('data'=> 'data to send back to browser');
            $csrf =  $this->security->get_csrf_hash();
            $this->output
                  ->set_content_type('application/json')
                  ->set_output(json_encode(array('data' => $data, 'csrf' => $csrf)));
         
        return  $this->user_model->get_province();
       
     }

If i have only one call it work otherwise i have error 403 .

I can solve it by set $config['csrf_regenerate'] to  FALSE but is it secure ?
Reply

#2
If you don't need to support concurrent requests pass the new CSRF token back from CI and into your success callback and set it to a variable in JavaScript. Pass the value of your JS variable on each request.

If you do require concurrent requests set regenerate to false. Another option is to use a queue to ensure only a single request fires at any given time.
Reply

#3
(07-24-2017, 10:19 AM)spjonez Wrote: If you don't need to support concurrent requests pass the new CSRF token back from CI and into your success callback and set it to a variable in JavaScript. Pass the value of your JS variable on each request.

If you do require concurrent requests set regenerate to false. Another option is to use a queue to ensure only a single request fires at any given time.

This is a registration form , i must populate 3 select , the first populate the second and the second the tird . can i set regenerate to false ? But if i set false is false for every part of site?
Is it secure?
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.