Pass CodeIgniter CSRF string to server via AJAX
I have enabled CodeIgniter's CSRF protection on a site that uses an AJAX-submitted user form and handles other user interactions that require data submission via AJAX. The result was an "action not allowed" server-side error. I worked out that the data JavaScript collected and submitted via AJAX was being passed to the server, but the CSRF code was not being sent.
The generated token tag looks like:
<input type="hidden" name="csrf_test_name" value="dsflkabsdf888ads888xxxxxx" />
So it seems to me that the simplest way to submit the token for server verification is to use a jQuery selector on the csrf_test_name value and add it to the POST data the server verifies, as per the code below:
// get the CSRF token from the hidden input CodeIgniter rendered in the page
var csrf = $('[name="csrf_test_name"]').val();

// build the form data object; the token goes in under the same field name
var form_data = {
    csrf_test_name: csrf,
    ...
};

// send the form data to the server so it can be stored
$.ajax({
    type: "POST",
    data: form_data,
    url: ...,
    dataType: "html",
    success: function(msg){
        ...
    } // end success
}); // end ajax
I have followed this procedure for every AJAX submission that sends data to the server, the server-side error is fixed, and it works fine.
To test it I hard-coded an incorrect CSRF token; the server detects the inconsistency and returns error code 500, so on the surface it works.
My question is this: is this a safe way, and is there an expected best practice to follow? I have done some Google searching on it, and it seems other methods are more complex, so I am wondering if this way creates an attack vector that I can't see/work out.
An easier method is to pass the CSRF token via $.ajaxSetup(). That way it's included in every $.ajax() request afterward.
// read the token value once from the hidden input
var csrf = $('input[name="csrf_test_name"]').val();
var data = {};
// the key must be the token's field name, not its value
data['csrf_test_name'] = csrf;
// merged into the data of every subsequent $.ajax() call
$.ajaxSetup({ 'data': data });
Then there is no need to include data: { csrf_test_name: 'xxx', ... } in requests after the setup.
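On the safety question: copying the token out of the same-origin page and posting it back is exactly the double-submit check CodeIgniter performs (the POST field is compared with the CSRF cookie), and a page on another origin can read neither the hidden input nor the cookie, so the jQuery approach adds no attack vector by itself. Two caveats that neither the question nor the answer raises: CodeIgniter rotates the token after a verified request (CodeIgniter 3's csrf_regenerate setting defaults to TRUE), so a value cached once at page load is stale after the first AJAX response; and $.ajaxSetup({ data }) also attaches the field to GET requests, where jQuery puts it in the query string and it ends up in server logs and Referer headers. The following is an added example, not code from the original post or from CodeIgniter: it re-reads the token from the CSRF cookie immediately before each request through $.ajaxPrefilter, and includes a small stand-in for the server so the stale-token failure can be reproduced without a browser. The names csrf_cookie_name and csrf_test_name are assumed to be the framework defaults, the cookie is assumed readable by script (CodeIgniter sets it without HttpOnly), and all helper names are mine.

```javascript
// Added example (not code from the question, the answer, or CodeIgniter).
// Assumed names, the CodeIgniter defaults: the CSRF cookie is "csrf_cookie_name"
// and the POST field is "csrf_test_name"; the cookie is assumed readable by
// script, which is how CodeIgniter sets it. Helper names below are mine.
const CSRF_COOKIE_NAME = 'csrf_cookie_name';
const CSRF_TOKEN_NAME = 'csrf_test_name';

// Return one cookie's value from a document.cookie-style string ("a=1; b=2"),
// or null when it is absent.
function readCookie(cookieString, name) {
  const parts = cookieString ? cookieString.split(';') : [];
  for (const part of parts) {
    const pair = part.trim();
    const eq = pair.indexOf('=');
    if (eq !== -1 && pair.slice(0, eq) === name) {
      return decodeURIComponent(pair.slice(eq + 1));
    }
  }
  return null;
}

// Add the token to request data. jQuery hands a prefilter either a serialized
// string ("a=1&b=2", the normal case) or, with processData: false, a FormData.
// With no token at all we throw rather than send a request the server will
// reject with "The action you have requested is not allowed".
function appendToken(data, token) {
  if (!token) throw new Error('no CSRF token available; refusing state-changing request');
  if (typeof FormData !== 'undefined' && data instanceof FormData) {
    data.append(CSRF_TOKEN_NAME, token);
    return data;
  }
  const field = encodeURIComponent(CSRF_TOKEN_NAME) + '=' + encodeURIComponent(token);
  if (data === undefined || data === null || data === '') return field;
  if (typeof data !== 'string') throw new Error('expected serialized form data');
  return data + '&' + field;
}

// Parse "a=1&b=2" back into an object, the way PHP fills $_POST (illustration only).
function parseForm(serialized) {
  const out = {};
  for (const pair of serialized.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    out[key] = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
  }
  return out;
}

// Stand-in for a CodeIgniter server with csrf_regenerate enabled: a POST is
// accepted only when the POSTed field equals the CSRF cookie the browser sent,
// and every accepted request issues a fresh token. Returns an HTTP-like status.
function makeServer(initialToken) {
  let current = initialToken;
  let issued = 0;
  return {
    cookies: () => CSRF_COOKIE_NAME + '=' + current, // what the browser holds now
    post(serializedBody, requestCookies) {
      const cookieToken = readCookie(requestCookies, CSRF_COOKIE_NAME);
      const postToken = parseForm(serializedBody)[CSRF_TOKEN_NAME];
      const ok = typeof postToken === 'string' && postToken !== '' && postToken === cookieToken;
      if (ok) current = initialToken + '-r' + (++issued); // rotate after success
      return ok ? 200 : 403;
    },
  };
}

// Client helper: reread = false caches the token once at "page load", which is
// what caching $('[name="csrf_test_name"]').val() or $.ajaxSetup({ data }) does;
// reread = true reads the cookie immediately before each request.
function makeClient(server, reread) {
  let token = readCookie(server.cookies(), CSRF_COOKIE_NAME);
  return {
    send(body) {
      if (reread) token = readCookie(server.cookies(), CSRF_COOKIE_NAME);
      return server.post(appendToken(body, token), server.cookies());
    },
  };
}

// Two form posts through each kind of client: the cached client's second post
// carries a token the server has already rotated away.
function compareClients() {
  const cached = makeClient(makeServer('tokA'), false);
  const fresh = makeClient(makeServer('tokA'), true);
  return {
    cached: [cached.send('name=a'), cached.send('name=b')],
    fresh: [fresh.send('name=a'), fresh.send('name=b')],
  };
}

// Browser wiring, only where jQuery and a document exist: a prefilter runs for
// every $.ajax() call after jQuery has serialized options.data, so the token is
// read after the previous response rotated the cookie.
if (typeof jQuery !== 'undefined' && typeof document !== 'undefined') {
  jQuery.ajaxPrefilter(function (options) {
    const method = (options.method || options.type || 'GET').toUpperCase();
    if (method === 'GET' || method === 'HEAD') return; // CodeIgniter checks POST only
    options.data = appendToken(options.data, readCookie(document.cookie, CSRF_COOKIE_NAME));
  });
}
```

Loaded in the page, the prefilter makes every POST sent through $.ajax() carry the current token without touching the individual calls, and GET requests are left alone so the token never travels in a URL. compareClients() reproduces the caveat: the cached client gets 200 then 403, the re-reading client gets 200 twice. If csrf_regenerate is turned off, caching works, but re-reading costs nothing and survives a later configuration change.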