AJAX + CSRF Protection in CodeIgniter?

CodeIgniter 2.0 adds an important security feature to prevent CSRF (Cross Site Request Forgery) attacks. Even better, the protection is added to your forms automatically (if you enable CSRF in the config and if you use the CI form helper).

You might like this post –
How to Enable CSRF (Cross Site Request Forgery) in CodeIgniter

How Does CSRF Protection Work in CodeIgniter?

If you visit a page after enabling CSRF protection, the CI form helper adds a hidden input element to the form whose value is a randomly generated hash string (the input field's default name is csrf_test_name; you can change it in the config file). At the same time CI sets a cookie with the same hash (the default cookie name is csrf_cookie_name; as usual, you can change it in the config). When the user submits the form, the hidden input is compared with the cookie value. If they do not match, the request is rejected before it ever reaches your controller method (action).

This way you protect your website from form submissions that originate outside your site, i.e. from malicious users.

If you are not using CI's form helper, the hidden input field will not be generated automatically; you have to add it manually, as shown below, by pasting this inside your form.

Why My AJAX Functions Were Returning 500 Internal Server Errors with CSRF Enabled

Because your CSRF validation failed: the AJAX request did not carry the token. To fix this problem you have to pass the value of your CSRF hidden input along with your AJAX request.

You can get the hash value and pass it with jQuery like this:

What if you have numerous places where it needs to be added?

For this I am going to use $.ajaxSetup. All POST data from AJAX functions throughout your application will be merged with the data set by $.ajaxSetup.

Here is the example:

I hope you like this post. Please feel free to comment below with your suggestions and any problems you face; we are here to solve them.

13 Comments
Joshua Riddle
4 years ago

Ahh… Yes, I too have discovered this solution. However, if you need to make multiple AJAX POST calls without refreshing the page, your token is no longer valid after the first AJAX POST request… working on this solution now!

arjun
4 years ago
Reply to Joshua Riddle

ok..

James Anderson
4 years ago
Reply to arjun

Please share the solution for multiple AJAX POST calls without refreshing the page, as the token has been changed, if you succeed.

James Anderson
4 years ago
Reply to Joshua Riddle

Please share the solution for multiple AJAX POST calls without refreshing the page, as the token has been changed.

zulius akbar
4 years ago

Hi, why is my input in the controller blank??

arjun
4 years ago
Reply to zulius akbar

Provide more info.

cofred
4 years ago

Hi Arjun,
I created a Country, State and City drop-down list script. When CSRF is turned on, the Country and State lists work well but the City dropdown list is not working. If CSRF is turned off, all dropdown lists work well.
Here is my JS code.

    $(function () {
        // Register the CSRF token as default POST data for every jQuery AJAX call.
        // The field and hash names come from CI's Security class; the PHP echo tags
        // were lost in the original paste and are restored here. cache and type are
        // $.ajaxSetup options, not POST fields, so they sit outside data.
        $.ajaxSetup({
            data: {
                '<?php echo $this->security->get_csrf_token_name(); ?>': '<?php echo $this->security->get_csrf_hash(); ?>'
            },
            cache: false,
            type: 'POST'
        });

        // Country chosen: reset state and city, then load the states for it.
        // The <option> wrappers were lost in the original paste and are restored.
        $('#country_id').change(function () {
            $('#city_id').html('<option value="">— Select City —</option>');
            $('#state_id').html('<option value="">— Select State —</option>');
            var id = $(this).val();
            $.post('/abc/', { 'country_id': id }, function (response) {
                $('#state_id').html(response);
            });
        });

        // State chosen: reset city, then load the cities for it.
        $('#state_id').change(function () {
            $('#city_id').html('<option value="">— Select City —</option>');
            var id = $(this).val();
            $.post('/abc/', { 'state_id': id }, function (response) {
                $('#city_id').html(response);
            });
        });
    });

Md Jahangir Alam
4 years ago

When I enable CSRF protection in config.php, my other JavaScript/AJAX is not working in the view page.
Please give me a solution.

sumit sharma
2 years ago

Write the code in the footer section after jQuery is loaded. That way the ajaxSetup method should be available on every page that includes that footer section.

sumit sharma
2 years ago

Thanks, I was looking for the same.

Epp Core
2 years ago

With $.ajaxSetup you saved my day. Thank you!

Vikram
2 years ago

I have an add-to-cart system in CodeIgniter using AJAX, but when I enable the CSRF token the AJAX call shows error 403 Forbidden; if the CSRF token is disabled it works fine … I want to secure the add-to-cart system with CSRF enabled.
