I can not disable CSRF regenerate or randomize
#1

(This post was last modified: 07-23-2024, 10:59 AM by kadirilkimen. Edit Reason: enter timing error. )

Hello. I have a problem with concurrent Ajax requests.

As long as I perform one ajax at a time, there is no problem.
Sometimes, one ajax call starts before the previous one finalizes. The first ajax call replaces the csrf hash in the server but the second one reaches the server with the old csrf hash. Therefore it throws a 403 error.
My app requires concurrent ajax calls from time to time. So, I can not avoid it.

My CSRF settings are;
App\Config\Security.php

PHP Code:
public string $csrfProtection = 'session';
public bool $tokenRandomize = false;
public bool $regenerate = false;
public bool $redirect = false;
public string $samesite = 'Lax';

So, randomize and regenerate are false. But it doesn't change anything. The csrf hash changes every time. So, in case of a concurrent ajax call or if one ajax call fails for some reason, the browser can't get the correct csrf hash and therefore it blocks the ajax calls forever.

CI4 version is: 4.4.6

Am I missing something?
#2

Ignore many URLs with ajax in Filters, or disable regenerate token. No?
https://codeigniter4.github.io/userguide...generation
Simple CI 4 project for beginners codeigniter-expenses ( topic )
#3

(This post was last modified: 07-23-2024, 11:05 AM by kadirilkimen.)

(07-23-2024, 11:00 AM)ozornick Wrote: Ignore many URLs with ajax in Filters, or disable regenerate token. No?
https://codeigniter4.github.io/userguide...generation

Sorry, I posted it by mistake before sharing enough details. Edited it now.
Disabling regeneration or tokenRandomize doesn't change anything. It still updates the csrf hash for every call.

If you mean ignoring csrf for ajax calls in filters, I don't want that. Even if it is the same csrf, having one for every session is at least one step of security, I believe.
#4

Can you show the result of the following command?
Code:
$ php spark config:check Security
#5

(07-23-2024, 05:19 PM)kenjis Wrote: Can you show the result of the following command?
Code:
$ php spark config:check Security

It is my dev server, an XAMPP server on Windows 10.


Here is the result:
Code:
C:\server>php spark config:check Security
PHP Warning:  Module "openssl" is already loaded in Unknown on line 0

Warning: Module "openssl" is already loaded in Unknown on line 0

CodeIgniter v4.4.6 Command Line Tool - Server Time: 2024-07-24 01:59:38 UTC+00:00

Command "config:check" not found.
#6

(This post was last modified: 07-23-2024, 07:10 PM by kenjis.)

Upgrade to the latest v4.5.3 if you can.

At least you should upgrade to v4.4.7, because there is a known security issue.
See https://github.com/codeigniter4/CodeIgni...-mqmm-gxj6
#7

(07-23-2024, 07:06 PM)kenjis Wrote: Upgrade to the latest v4.5.3 if you can.

At least you should upgrade to v4.4.7, because there is a known security issue.
See https://github.com/codeigniter4/CodeIgni...-mqmm-gxj6

I found the issue.
The env file had settings for csrf. So the tokenRandomize and regenerate were true in the env file. I guess it overrides the config.

Although I solved it, I will still do the upgrade to 4.5.3 
Thanks
#8

(07-24-2024, 01:10 AM)kadirilkimen Wrote: I found the issue.
The env file had settings for csrf. So the tokenRandomize and regenerate were true in the env file. I guess it overrides the config.

Yes, environment variables and the dot env file override the config values.
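The precedence rule kenjis confirms above (a `security.*` entry in `.env` wins over the property declared in `app/Config/Security.php`, with `"true"`/`"false"` strings turned into booleans) is easy to reproduce outside the framework. The script below is an added illustration written for this thread, not CodeIgniter's own loader: it takes the class defaults from the original post, a constructed `.env` fragment that still carries the template values, and resolves the effective settings the way the framework does, so you can see why `regenerate` ended up `true` even though the config file said `false`. The `.env` contents, `parseDotEnv`, `castLikeDefault` and `resolveConfig` are all constructed for the example.

```php
<?php
// Added illustration of CodeIgniter's ".env overrides Config" rule; not framework code.
// The env key "security.regenerate" maps onto the $regenerate property of
// Config\Security, and the strings "true"/"false" become booleans.

// What app/Config/Security.php declared in the original post.
$classDefaults = [
    'csrfProtection' => 'session',
    'tokenRandomize' => false,
    'regenerate'     => false,
    'redirect'       => false,
    'samesite'       => 'Lax',
];

// Constructed .env fragment: the two CSRF lines are the ones that caused the thread.
$dotEnv = <<<'ENV'
# security.csrfProtection = 'cookie'
security.tokenRandomize = true
security.regenerate = true
app.baseURL = 'http://localhost:8080/'
ENV;

/**
 * Parse a .env fragment into key => raw string value, skipping comments and blank lines.
 */
function parseDotEnv(string $contents): array
{
    $pairs = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || !str_contains($line, '=')) {
            continue;
        }
        [$key, $value] = array_map('trim', explode('=', $line, 2));
        $pairs[$key] = trim($value, "'\""); // strip one layer of quotes, as a dotenv loader does
    }

    return $pairs;
}

/**
 * Convert the raw env string to the type of the property it replaces.
 */
function castLikeDefault(string $raw, mixed $default): mixed
{
    if (is_bool($default)) {
        return filter_var($raw, FILTER_VALIDATE_BOOLEAN); // "true", "1", "on" -> true
    }
    if (is_int($default)) {
        return (int) $raw;
    }

    return $raw;
}

/**
 * Env entries under "<prefix>." override the matching class property; others are ignored.
 */
function resolveConfig(string $prefix, array $classDefaults, array $env): array
{
    $effective = $classDefaults;
    foreach ($env as $key => $raw) {
        if (!str_starts_with($key, $prefix . '.')) {
            continue;
        }
        $property = substr($key, strlen($prefix) + 1);
        if (array_key_exists($property, $effective)) {
            $effective[$property] = castLikeDefault($raw, $effective[$property]);
        }
    }

    return $effective;
}

$effective = resolveConfig('security', $classDefaults, parseDotEnv($dotEnv));
var_export($effective);
// tokenRandomize and regenerate resolve to true although the class declares false,
// which is exactly the symptom reported at the top of the thread.
```

The practical check this suggests: before touching `app/Config/Security.php`, grep `.env` (and the process environment) for any `security.` keys, since whatever is set there is what the running application actually uses.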