CodeIgniter 3 CSRF issue with ajax call before form submit
#1

I have a form that uses CI 3 CSRF with the following configuration:
Code:
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_token_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();

In that form, I placed an ajax code that runs when I fill the username field to check for its existence in the database. I'm using the js-cookie library to read the token from a cookie, which gets it whether I'm using a form or not.

Code:
$.ajax({
   cache: false,
   type: 'POST',
   data: {
       'username': username,
       // token read from the CSRF cookie at call time via js-cookie
       'csrf_token_name': Cookies.get('csrf_cookie_name')
   },
   url: "/check",
   success: function (response) {
       console.log(response);
   },
   // jQuery passes (jqXHR, textStatus, errorThrown); the original logged an undefined `error`
   error: function (xhr, status, err) {
       console.log(err);
   }
});

When I load my form I see that the csrf hidden field has a value like
Code:
<input type="hidden" name="csrf_token_name" value="b9839f6455e7992c6dee529fe066dfc4" />
When I enter a username the ajax call is run and I can see that the token 'csrf_token_name' saved in the cookie is different from the value in the form. If I submit the form I get "An Error Was Encountered. The action you have requested is not allowed."
I guess the tokens are no longer the same, so is there any solution to this except turning off csrf_regenerate?
Thanks.
#2

What happens if you set $config['csrf_regenerate'] = FALSE; ?
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#3

(08-14-2017, 04:21 AM)InsiteFX Wrote: What happens if you set $config['csrf_regenerate'] = FALSE; ?

I specified in my question that I want a solution to my issue without turning csrf_regenerate off, otherwise there is no point in using csrf protection. Is the issue a problem in the CI 3 framework itself?

From my post: " is there any solution to this except turning off the csrf_regenerate"
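The mismatch the poster describes is expected behaviour: with csrf_regenerate set to TRUE, CI3 issues a fresh token after every POST it accepts, including the AJAX username check, so the hidden input rendered with the page is stale by the time the form is submitted. The following is an added example, not code from this thread or from CodeIgniter: it reads the token from the cookie at request time and copies the regenerated value back into the hidden field after each AJAX call, so regeneration can stay on. The `#username` selector and the plain-object input used for testing are assumptions; the token and cookie names match the poster's config.

```javascript
// Added example, not code from the thread. Names match the poster's CI3 config;
// the "#username" selector and the plain-object input used in tests are assumptions.
const TOKEN_NAME = 'csrf_token_name';   // $config['csrf_token_name']
const COOKIE_NAME = 'csrf_cookie_name'; // $config['csrf_cookie_name']

// Read one cookie from a document.cookie-style string ("a=1; b=2").
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build a POST body, reading the token at call time rather than from a value
// captured when the page was rendered (which csrf_regenerate has since rotated).
function withCsrfToken(fields, cookieString) {
  const token = getCookie(cookieString, COOKIE_NAME);
  if (token === null) {
    throw new Error('CSRF cookie missing: session expired, reload the form');
  }
  return Object.assign({}, fields, { [TOKEN_NAME]: token });
}

// After any POST completes, copy the regenerated cookie value into the hidden
// input so a normal form submit carries the current token. `input` is an
// HTMLInputElement in the browser or any object with a `value` property.
function syncHiddenField(input, cookieString) {
  const token = getCookie(cookieString, COOKIE_NAME);
  if (token !== null) input.value = token;
  return token; // value written, or null if no cookie was present
}

// Browser wiring (skipped outside a page with jQuery loaded).
if (typeof document !== 'undefined' && typeof $ !== 'undefined') {
  const hidden = document.querySelector('input[name="' + TOKEN_NAME + '"]');
  $('#username').on('change', function () {
    $.ajax({
      type: 'POST',
      url: '/check',
      data: withCsrfToken({ username: $(this).val() }, document.cookie),
      // runs after success or failure: once the token was accepted it has been rotated
      complete: function () { syncHiddenField(hidden, document.cookie); }
    });
  });
}
```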