Home>

Currently, we are creating a simple Todo application with CodeIgniter3, referring to "Let's make a Todo management application with PHP" of dot installation.
Set$config ['csrf_protectin] = TRUEand$config ['csrf_regenerate'] = TRUEin config.php (Excerpt)

<scritp>
    $(function () {
        // Click the check box to switch Todo completion/incomplete (display/hide strikethrough)
        $('# todos'). on ('click', '.update_todo', function () {
            var id = $(this) .parents ('li'). data ('id');
            $.ajax ({
                type: 'POST',
                url: '<? php echo site_url (' todos/update ');?>',
                data: {
                    '<? php $this->security->get_csrf_token_name ();?>': '<? php $this->security->get_csrf_hash ();?>',
                     id: id
                },
                dataType: 'json'
            })
            .done (function (result) {
                if (result === '1') {
                    $('# todo_' + id) .find ('. todo_title'). addClass ('done');
                } else {
                    $('# todo_' + id) .find (). removeClass ('done');
                }
            });
       });


In addition to the above, add and delete functions have also been implemented.
In addition,form_open ()is used for the input form to add Todo.

If CSRF protection is disabled, all functions will work properly.
However, when CSRF protection is enabled, ajax will only move once the first time after loading the page.

By the way, when$config ['csrf_regenerate']is set to FALSE, such a problem does not occur as when CSRF protection is disabled.

I want to use ajax with$config ['csrf_protectin] = TRUEand$config ['csrf_regenerate'] = TRUECan anyone tell me the solution?

Thank you very much.

Append

Here (referring to a circle), I wrote the following:

<script>
    csrf_token_name = '<? php echo $this->security->get_csrf_token_name ();?>';// add
    csrf_cookie_name = '<? php echo $this->config->item (' csrf_cookie_name ');?>';// add
    $(function () {
        'use strict';
        // add to ----------------------------------------------- ---------
        var object = {};
        object [csrf_token_name] = $.cookie (csrf_cookie_name);
        $.ajaxSetup ({
            data: object
        });
        $(document) .ajaxComplete (function () {
            object [csrf_token_name] = $.cookie (csrf_cookie_name);
            $.ajaxSetup ({
                data: object
            });
        });
        // ------------------------------------------------ -------------
        // update
        $('# todos'). on ('click', '.update_todo', function () {
            var id = $(this) .parents ('li'). data ('id');
            $.ajax ({
                type: 'POST',
                url: '<? php echo site_url (' todos/update ');?>',
                data: {id: id
                },
                dataType: 'json'
            })
            .done (function (result) {
                if (result === '1') {
                    $('# todo_' + id) .find ('. todo_title'). addClass ('done');
                } else {
                    $('# todo_' + id) .find ('. todo_title'). removeClass ('done');
                }
            });
        });
        // create
        $('# new_todo_form'). on ('submit', function () {
            var title = $('# new_todo'). val ();
            $.ajax ({
                type: 'POST',
                url: '<? php echo site_url (' todos/create ');?>',
                data: {
                    title: title
                },
                dataType: 'json'
            })
            .done (function (result) {
                var $li = $('# todo_template'). clone ();
                $li
                    .attr ('id', 'todo_' + result.id)
                    .data ('id', result.id)
                    .find ('. todo_title'). text (title);
                $('# todos'). prepend ($li.fadeIn ());
                $('# new_todo'). val (''). focus ();
            });
        })
        // delete
        $('# todos'). on ('click', '.delete_todo', function () {
            var id = $(this) .parents ('li'). data ('id');
            if (confirm ('are you sure?')) {
                $.ajax ({
                    type: 'POST',
                    url: '<? php echo site_url (' todos/delete ');?>',
                    data: {
                        id: id
                    }
                })
                .done (function () {
                    $('# todo_' + id) .fadeOut (400);
                });
            }
        });
    });
</script>


This way, update and delete ajax works normally even if$config ['csrf_regenerate'] = TRUE.
However, if create is executed, it will be skipped to the error page of "The action you have requested is not allowed." (Todo creation itself seems to be done).

I would appreciate it if you could tell me the cause.
Thank you very much.

Append

The above code forgets to return false at create.
I haven't tried it, but all ajax may work fine by insertingreturn false;after the done () method.

  • Answer # 1

      

    I would like to use ajax with $config ['csrf_protectin] = TRUE and $config ['csrf_regenerate'] = TRUE.

    Why would you like $config ['csrf_regenerate'] = TRUE?


    Appendix

      

    Is it normal to turn off regenerate for applications like this, or is there no reason to enable it?

    For example, the following document says:

      The

    token will either be regenerated on every submission (default) or the lifetime of the CSRF cookie will be kept at the same value. The default token regeneration provides more stringent security, but invalidating other tokens can lead to usability issues (back/forward navigation, multiple tabs/windows, asynchronous actions, etc. ). You can change this behavior by editing the following config parameter:

    This case is an asynchronous action. In other words, this is a scene where $config ['csrf_regenerate'] = TRUE cannot be used.
    Then, if $config ['csrf_regenerate'] = TRUE, the possibility of hitting a CSRF attack will not increase. So, if you try tricky to set $config ['csrf_regenerate'] = TRUE, there is a high possibility that the complicated tricky process will be vulnerable.
    The simpler you write an application, the fewer bugs there are, and vulnerabilities are a type of bug, so if you do complex things, the vulnerability will tend to increase.

  • Answer # 2

    If $config ['csrf_regenerate'] = TRUE, is it necessary to update the token in ajax every time ajax communication is performed?
    However, when I think about timing and order, I feel that it is not a realistic implementation.