CSRF and Browser Cookie Settings

Tokens are not part of the session. They have their own cookie.

Thanks Skunkbad. I can see the cookie, I modified the code and the values look good. The one issue I am having is that when I submit an AJAX request, it is now returning with the current url as part of the response. I.e. my normal response would be {"status":"X"} but now I receive https://www.mywebsite.com/rate?{"status":"X"}

I don't know what that would be. Looks like you'll need to debug.


In MY_Controller I was previously checking if the tokens matched like if($this->tokens->match == FALSE){}, I changed to if(!$this->tokens->match){} and this removed the URL prefix on my JSON response and the script now works again.

(11-19-2017, 03:43 PM)skunkbad Wrote: 1) When you use the form_open function or generate a new token using $this->tokens->token(), the token is automatically added to the tokens cookie. See the "Tokens Cookie Config" section on this page:


By default the name of your POSTed token should be "token", but you can change it to whatever you want if you find the value in config/authentication.php:

PHP Code:
$config['token_name'] = 'token';

When you POST via a form or ajax, the token needs to be posted right along with the rest of the post data. The tokens library checks to see if the posted token matches one in the cookie. This is a lot like the way CodeIgniter's CSRF does it, except CodeIgniter only has a single token value. There are other differences between CodeIgniter's CSRF and my tokens library, but for basic usage you will find that they are more or less working the same way.


The new tokens are working OK except for the Community Auth login. I notice the form has a token called "login_token". I could not figure out where to change this so I modified my login form to include the additional hidden field with my token name and the generated value. I see both hidden token fields but I still cannot login. I do not receive any error messages either and there are no errors in the log. Where can I change the Community Auth login form token name to use the CI token name in config?
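The check skunkbad describes in the quoted post (a posted token must match one of the tokens held in a separate tokens cookie, with the POST field name taken from `$config['token_name']`) is illustrated below in standalone PHP. This is an added example, not Community Auth's own code; the cookie name `tokens`, its JSON format, the `issue_token()` and `tokens_match()` helpers and the single-use behaviour are assumptions made for the illustration.

```php
<?php
// Added illustration of a double-submit style token check: the token posted
// with the form or AJAX data must match one of the tokens stored in a
// separate "tokens" cookie. Hypothetical code, not the library's own.

$config['token_name'] = 'token';   // name of the POSTed field (config/authentication.php)
$tokens_cookie_name   = 'tokens';  // assumed name of the cookie holding issued tokens

/**
 * Issue a fresh token, append it to the in-memory token list that will be
 * written to the tokens cookie, and return it for a hidden field or AJAX param.
 */
function issue_token(array &$cookie_tokens): string
{
    $token = bin2hex(random_bytes(16));   // 128 bits from a CSPRNG
    $cookie_tokens[] = $token;
    return $token;
}

/**
 * TRUE when the posted token equals one of the tokens in the cookie.
 * hash_equals() keeps the comparison constant-time; a matched token is
 * removed so the same value cannot be replayed in a later request.
 */
function tokens_match(?string $posted, array &$cookie_tokens): bool
{
    if ($posted === null || $posted === '') {
        return false;
    }
    foreach ($cookie_tokens as $i => $issued) {
        if (hash_equals($issued, $posted)) {
            unset($cookie_tokens[$i]);
            return true;
        }
    }
    return false;
}

// Simulated request cycle with constructed values; no real HTTP or setcookie().
$cookie_tokens = [];
$token        = issue_token($cookie_tokens);
$cookie_value = json_encode($cookie_tokens);              // value the tokens cookie would carry
$post         = [$config['token_name'] => $token, 'rating' => 5]; // token sent with the data

$issued = json_decode($cookie_value, true) ?: [];         // what the server reads back
var_dump(tokens_match($post[$config['token_name']] ?? null, $issued)); // legitimate submission
var_dump(tokens_match($post[$config['token_name']] ?? null, $issued)); // replay of the used token
var_dump(tokens_match('forged-value', $issued));                        // token not in the cookie
```

In a real request `$cookie_value` would be written with `setcookie()` and read from `$_COOKIE[$tokens_cookie_name]`, and the posted value from `$_POST[$config['token_name']]`.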
