Karl_T, posted July 28, 2017

For some reason I am not submitting a form but individual input fields via ajax. I would like to use SessionCSRF to protect against cross-domain requests. Is it possible to make SessionCSRF work in this case? And how? Thanks.

blynx, posted July 29, 2017

Hej, it is more or less the same as with forms. Add the hidden token input field to the page, then add the CSRF token to every ajax field submit, and then check it on the backend side. I assume if you send the submit via POST, form-urlencoded with the correct key-value pairs, it should just work.

Karl_T (author), posted July 29, 2017

Thanks. I put `<?=$session->CSRF->renderInput();?>` somewhere inside the template, and then do something like the following inside the JS:

```js
var data = {
    'firstname': $("#firstname").val(),
    'lastname': $("#lastname").val(),
};
// Read the token name and value from the hidden input rendered by renderInput()
var CSRF_name = $("._post_token").attr("name");
var CSRF_token = $("._post_token").val();
data[CSRF_name] = CSRF_token;

$.ajax({
    url: "/ajax/",
    data: data,
    method: 'post',
});
```

Then inside ajax.php:

```php
if($session->CSRF->hasValidToken()) {
    //do something
}
```

This works.
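
The round trip described in this thread (render a hidden token input, append its name/value pair to each field's POST, validate on the server), as an added Node.js example that is not part of the original posts and is not ProcessWire's SessionCSRF code. The session object, the token naming and all four helper functions are assumptions made for illustration.

```javascript
// Added illustration: models a session-bound CSRF token; not ProcessWire's SessionCSRF.
const { randomBytes, timingSafeEqual } = require('crypto');

// Server: create a random name/value pair and keep it in the session (hypothetical shape).
function issueToken(session) {
  session.csrf = {
    name: 'TOKEN' + randomBytes(8).toString('hex'),
    value: randomBytes(32).toString('hex'),
  };
  return session.csrf;
}

// Server: the hidden input the template renders (class name taken from the thread's JS).
function renderInput(session) {
  const { name, value } = session.csrf || issueToken(session);
  return `<input type="hidden" class="_post_token" name="${name}" value="${value}">`;
}

// Client: form-urlencoded body for a single field plus the token pair read from the input.
function buildFieldPost(field, fieldValue, inputHtml) {
  const name = /name="([^"]+)"/.exec(inputHtml)[1];
  const value = /value="([^"]+)"/.exec(inputHtml)[1];
  const body = new URLSearchParams();
  body.set(field, fieldValue);
  body.set(name, value);
  return body.toString();
}

// Server: accept the POST only if it carries this session's token, compared in constant time.
function hasValidToken(session, rawBody) {
  if (!session.csrf) return false;
  const sent = new URLSearchParams(rawBody).get(session.csrf.name);
  if (typeof sent !== 'string') return false;
  const a = Buffer.from(sent);
  const b = Buffer.from(session.csrf.value);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Constructed demo: a legitimate field submit, a POST without the token,
// and the same body replayed against a different session.
const session = {};
const good = buildFieldPost('firstname', 'Karl', renderInput(session));
const otherSession = {};
issueToken(otherSession);
console.log('with token:', hasValidToken(session, good));
console.log('without token:', hasValidToken(session, 'firstname=Karl'));
console.log('other session:', hasValidToken(otherSession, good));
```

A page on another origin can make the browser send the session cookie, but it cannot read the rendered input, so its POST fails the check just like the token-less request here.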