phpajaxcodeigniter-3
CSRF Token Regeneration Issue in CodeIgniter AJAX Form Submissions
I'm working on a CodeIgniter application where I'm using CSRF protection with AJAX form submissions. I have $config['csrf_regenerate'] = TRUE; enabled in my configuration, but I'm encountering a 403 error on repeated form submissions.
- I'm fetching a new CSRF token on every form submission using security->get_csrf_hash(); ?> in my JavaScript code.
- I'm sending the token name and hash along with the form data in the AJAX request.
- I'm assuming the tokens are being regenerated on the server-side with $config['csrf_regenerate'] = TRUE; in my config.php.
Problem:
- I'm still getting a 403 error when submitting the form multiple times. I suspect there might be a mismatch between the expected and received token.
I'm looking for guidance on how to best handle CSRF protection and token regeneration in my scenario.
Form
<form id="add_category_form" method="post">
<h2>Add a Category</h2>
<ul>
<li>
<input type="text" name="category_name" required>
<label>Category Name</label>
</li>
<li>
<textarea name="description" required></textarea>
<label>Description</label>
</li>
<!-- FIXME: center the content of this last li tag -->
<!-- <li>
<label>Upload Images (5 Max)</label>
<input type="file" name="image" accept="image/*">
</li>
</ul> -->
<button type="button" data-dismiss="modal" aria-label="Close">Cancel</button>
<button type="submit">Save</button>
</form>
Jquery
<script>
$(document).ready(function() {
$("#add_category_form").on("submit", function(e) {
e.preventDefault();
let csrfTokenName = '<?= $this->security->get_csrf_token_name(); ?>';
let csrfHash = '<?= $this->security->get_csrf_hash(); ?>'; // Assuming you have these values in your view
let form_data = $(this).serialize() + "&" + csrfTokenName + "=" + csrfHash;
$.post("<?= base_url('CategoriesController/process_add_category'); ?>", form_data, function(response) {
console.log(response);
})
.fail(function(jqXHR, textStatus, errorThrown) {
console.error("AJAX Error:", textStatus, errorThrown);
});
return false;
});
});
</script>
Controller method
public function process_add_category() {
$category_name = $this->input->post("category_name");
echo $category_name;
}
Output
Solution
This problem is now solved. I resolve this by setting the newly returned CSRF token from the server to the form's CSRF token so that everytime I submit a form, my form's token and server's token will always same and avoid CSRF token mismatch.
Form
<form id="add_category_form" action="<?= base_url("CategoriesController/process_add_category") ?>" method="post">
<input type="hidden" name="<?= $this->security->get_csrf_token_name() ?>" value="<?= $this->security->get_csrf_hash() ?>" />
<h2>Add a Category</h2>
<ul>
<li>
<input type="text" name="category_name" required>
<label>Category Name</label>
</li>
<li>
<textarea name="description" required></textarea>
<label>Description</label>
</li>
<label>Upload Images (5 Max)</label>
<!-- <ul>
<li><button type="button" class="upload_image"></button></li>
</ul> -->
<input type="file" name="image" accept="image/*">
</ul>
<!-- FIXME: center the content of this last li tag -->
<button type="button" data-dismiss="modal" aria-label="Close">Cancel</button>
<button type="submit">Save</button>
</form>
JavaScript
$(document).ready(function() {
$("#add_category_form").submit(function(e) {
e.preventDefault();
let url = $(this).attr("action");
let formData = $(this).serialize();
console.log(formData);
$.post(url, formData, function(response) {
console.log(response);
/* Set the returned newly created hash and name to the form's token name and value*/
csrfName = response.csrfName;
$("input[name='<?= $this->security->get_csrf_token_name() ?>']").val(response.newCsrfToken);
}, "json");
return false;
});
});
Controller
public function process_add_category()
{
$response = array(
"message" => "Added category successfully!",
"csrfName" => $this->security->get_csrf_token_name(),
"newCsrfToken" => $this->security->get_csrf_hash()
);
echo json_encode($response);
}
- Modify string from one column before inserting into another
- Check if a Category contains any products that are on sale in WooCommerce?
- Symfony / Doctrine - Display products from database by category children and parent
- Innacurate query with LIKE statement
- Drupal 6: replace jquery version on single page
- Laravel - CNAME + Subdomain Routing
- Sonata admin PRE_SUBMIT form event makes admin twig variable null
- WooCommerce custom Loop - Attribute filters not working
- Add class whenever a WordPress category is displayed
- Import an Excel file using AJAX and Laravel
- Child function which calls parent abstract function?
- Laravel Middleware error: Argument #1 ($content) must be of type ?string, Illuminate\Routing\Redirector given
- Update association with doctrine and Symfony 2.7
- Not displaying the .success element after submitting the form
- PHP and SQL Shopping Cart is Not Adding Products to Shopping Cart
- Remove non-utf8 characters from string
- Laravel 5 error SQLSTATE[HY000] [1045] Access denied for user 'homestead'@'localhost' (using password: YES)
- How can I get a database running on Symfony
- Laravel: Auth::user()->id trying to get a property of a non-object
- How to create custom helper functions in Laravel
- How to execute some code BEFORE logout in WordPress
- multiple image upload issue while editing images in codeigniter php
- Symfony 7.0 AssetMapper: JS Files Only Load on Initial Page Load or After F5 Refresh
- Twilio TaskRouter: Need Help in Conference Call
- Wordpress - No value for custom post type column
- How to add/update custom cart item data in the cart page
- Laravel Filament library magic
- curl error 28 for composer update/install laravel
- Xpath reverse searching
- PHP Scrape nested pages