CSRF Token Regeneration Issue in CodeIgniter AJAX Form Submissions
I'm working on a CodeIgniter application where I'm using CSRF protection with AJAX form submissions. I have $config['csrf_regenerate'] = TRUE; enabled in my configuration, but I'm encountering a 403 error on repeated form submissions.
- I'm fetching a new CSRF token on every form submission using security->get_csrf_hash(); ?> in my JavaScript code.
- I'm sending the token name and hash along with the form data in the AJAX request.
- I'm assuming the tokens are being regenerated on the server-side with $config['csrf_regenerate'] = TRUE; in my config.php.
Problem:
- I'm still getting a 403 error when submitting the form multiple times. I suspect there might be a mismatch between the expected and received token.
I'm looking for guidance on how to best handle CSRF protection and token regeneration in my scenario.
Form
<form id="add_category_form" method="post">
<h2>Add a Category</h2>
<ul>
<li>
<input type="text" name="category_name" required>
<label>Category Name</label>
</li>
<li>
<textarea name="description" required></textarea>
<label>Description</label>
</li>
<!-- FIXME: center the content of this last li tag -->
<!-- <li>
<label>Upload Images (5 Max)</label>
<input type="file" name="image" accept="image/*">
</li>
</ul> -->
<button type="button" data-dismiss="modal" aria-label="Close">Cancel</button>
<button type="submit">Save</button>
</form>
Jquery
<script>
$(document).ready(function() {
$("#add_category_form").on("submit", function(e) {
e.preventDefault();
let csrfTokenName = '<?= $this->security->get_csrf_token_name(); ?>';
let csrfHash = '<?= $this->security->get_csrf_hash(); ?>'; // Assuming you have these values in your view
let form_data = $(this).serialize() + "&" + csrfTokenName + "=" + csrfHash;
$.post("<?= base_url('CategoriesController/process_add_category'); ?>", form_data, function(response) {
console.log(response);
})
.fail(function(jqXHR, textStatus, errorThrown) {
console.error("AJAX Error:", textStatus, errorThrown);
});
return false;
});
});
</script>
Controller method
public function process_add_category() {
$category_name = $this->input->post("category_name");
echo $category_name;
}
Output
Solution
This problem is now solved. I resolve this by setting the newly returned CSRF token from the server to the form's CSRF token so that everytime I submit a form, my form's token and server's token will always same and avoid CSRF token mismatch.
Form
<form id="add_category_form" action="<?= base_url("CategoriesController/process_add_category") ?>" method="post">
<input type="hidden" name="<?= $this->security->get_csrf_token_name() ?>" value="<?= $this->security->get_csrf_hash() ?>" />
<h2>Add a Category</h2>
<ul>
<li>
<input type="text" name="category_name" required>
<label>Category Name</label>
</li>
<li>
<textarea name="description" required></textarea>
<label>Description</label>
</li>
<label>Upload Images (5 Max)</label>
<!-- <ul>
<li><button type="button" class="upload_image"></button></li>
</ul> -->
<input type="file" name="image" accept="image/*">
</ul>
<!-- FIXME: center the content of this last li tag -->
<button type="button" data-dismiss="modal" aria-label="Close">Cancel</button>
<button type="submit">Save</button>
</form>
JavaScript
$(document).ready(function() {
$("#add_category_form").submit(function(e) {
e.preventDefault();
let url = $(this).attr("action");
let formData = $(this).serialize();
console.log(formData);
$.post(url, formData, function(response) {
console.log(response);
/* Set the returned newly created hash and name to the form's token name and value*/
csrfName = response.csrfName;
$("input[name='<?= $this->security->get_csrf_token_name() ?>']").val(response.newCsrfToken);
}, "json");
return false;
});
});
Controller
public function process_add_category()
{
$response = array(
"message" => "Added category successfully!",
"csrfName" => $this->security->get_csrf_token_name(),
"newCsrfToken" => $this->security->get_csrf_hash()
);
echo json_encode($response);
}
- How/when mysql compiles stored procedures?
- Search a 2d array by one column value and return another value from the qualifying row
- Search a multidimensional array by one column value and return another value from the qualifying row
- Get element value from a 2d array row which qualifies because of another column value
- Can I use array_search() to find a whole-row match in a 2d array?
- How to secure my login page
- Symfony 2: How to get route defaults by route name?
- php - find if an array contains an element
- Doctrine entity object to array
- Get URL to a Sulu page by content id
- Determine if an associative array of strings or arrays is equal to another array with the same structure
- PHP How to determine the first and last iteration in a foreach loop?
- Disable Undefined Property error in PHP Devsense extension on VSCode
- Fill the ACF field who modified the user profile
- How to Integrate 3rd party API in Wordpress
- Coverting a .BAK file into a .SQL for use in XAMPP phpmyadmin
- Add product thumbnails to Woocommerce admin orders list, only if product still exists
- Merge two 2d arrays, group by one column and sum another column within each group
- PHP json_decode multiple arrays or array in array to database
- laravel try/catch doesn't work for a failed query
- Return the first level key when a column value is found in a 2d array
- Find key of parent in array / PHP
- Find parent key of match in a multidimensional array
- Recursively search a multidimensional array for the parent key of a matched key or value
- Find a parent key in a 2d array
- Get first level key in a 2d array of the first row with a specified value in any element
- Removing currency symbol, except on Woocommerce cart and checkout pages
- How to display course list in moodle form?
- Multiple Image Upload PHP form with one input
- How to remove "Shipping" label from Woocommerce Email notifications?