Posts: 17
Threads: 7
Joined: Mar 2018
Reputation:
0
09-03-2018, 06:01 AM
Hello!
I have a question: what is your best practice for servicing ajax requests in CI4?
Another namespace in routes? Another controller? Maybe another solution?
I have an application with many modules and many connections by ajax, for dynamic content and for detail information about entities like user/news etc.
Posts: 24
Threads: 1
Joined: Jun 2017
Reputation:
0
09-03-2018, 02:29 PM
(This post was last modified: 09-03-2018, 02:30 PM by Leo.)
Oh dude! JavaScript Cookie v2.2.0
js.cookie will save you a ton of headache with the csrf_protection! I discovered it 2-3 weeks ago; before that I tried to avoid ajax or wrote exceptions in the csrf_exclude_uris.
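    // base_url and post_id are defined elsewhere on the page
    $.ajax({
        url: base_url + 'community/edit_post',
        type: 'POST',
        data: {
            id: post_id,
            // send the CSRF token read from the CSRF cookie along with the POST data
            csrf_token: Cookies.get('csrf_cookie')
        },
        dataType: 'json'
    }).fail(function (result) {
        // show the server's error body when the request fails
        alert(result.responseText);
    });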
Wait, what?
Posts: 58
Threads: 10
Joined: May 2017
Reputation:
4
I use a separate controller for each ajax action, so CI only loads the required parts (if your actions are going to be more complex). Mostly my ajax controller 1. collects data, 2. calls a view for output formatting and 3. returns it to the caller (be sure to handle all possibilities, use the \CodeIgniter\API\ResponseTrait for returning with correct codes).
To handle CSP correctly you need to decide which requests use user-specific data, to know which can be excluded from the CSP check and which need to write session (user-specific) data. So I exclude every trivial request (check for news, updates) and added a CSP expiration check to the others - some requests with write requirements also have the effect of extending the session validity.
To prevent this, you need to call session_write_close() before sending the result back.
Posts: 17
Threads: 7
Joined: Mar 2018
Reputation:
0
About the CSRF cookie, probably it's secure with the HTTP Only flag, and JS cannot display this cookie for me?
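
Added example, not part of the thread and not CodeIgniter's own code: a cookie carrying the HttpOnly attribute never appears in `document.cookie`, so the cookie-to-field pattern from the jQuery snippet above only works when the CSRF cookie is script-readable (the session cookie can stay HttpOnly). The names `csrf_cookie` and `csrf_token` come from that snippet; `session_id`, the token value and the three helper functions are constructed for illustration.

```javascript
// Model of what the browser exposes through document.cookie: any cookie whose
// Set-Cookie line carries HttpOnly is left out of the script-visible string.
function scriptVisibleCookies(setCookieLines) {
  return setCookieLines
    .filter((line) => !/;\s*httponly\s*(;|$)/i.test(line))
    .map((line) => line.split(';')[0].trim())
    .join('; ');
}

// Parse a document.cookie style string; return the named value or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build the POST body for an ajax call. Fails closed: if the token cannot be
// read, no request body is produced instead of sending an empty token.
function buildAjaxPost(cookieString, fields) {
  const token = readCookie(cookieString, 'csrf_cookie');
  if (token === null) {
    throw new Error('CSRF cookie not readable from script; request not sent');
  }
  return new URLSearchParams({ ...fields, csrf_token: token }).toString();
}

// Constructed Set-Cookie lines for the two configurations being compared.
const readableCsrf = [
  'session_id=abc123; Path=/; HttpOnly',
  'csrf_cookie=9f2c1e; Path=/; SameSite=Lax',
];
const httpOnlyCsrf = [
  'session_id=abc123; Path=/; HttpOnly',
  'csrf_cookie=9f2c1e; Path=/; HttpOnly',
];

console.log(buildAjaxPost(scriptVisibleCookies(readableCsrf), { id: 42 }));
console.log(JSON.stringify(scriptVisibleCookies(httpOnlyCsrf)));
```

In a browser the call would be `buildAjaxPost(document.cookie, { id: post_id })`, with the result passed as the request body.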