Jump to content

SessionCSRF without form submit


Karl_T
 Share

Recommended Posts

For some reasons I am not submitting a form but individual input fields via ajax. I would like to use SessionCSRF to protect from cross domain request.

Is it possible to make SessionCSRF work in this case? And how? Thanks.

Link to comment
Share on other sites

Hej,

it is more or less the same as with forms. Add the hidden token inputfield to the page and then add the CSRF token to every ajax field submit - and then check it on the backend side.
I assume if you send the submit via POST, form url encoded with the correct key - value pairs it should just work.

 

Link to comment
Share on other sites

Thanks. I put <?=$session->CSRF->renderInput();?> somewhere inside template. And then do something like the following inside js.

var data = {
  'firstname': $("#firstname").val(),
  'lastname': $("#lastname").val(),
};			
var CSRF_name = $("._post_token").attr("name");
var CSRF_token = $("._post_token").val();
data[CSRF_name] = CSRF_token;
$.ajax({
  url: "/ajax/",
  data: data,
  method: 'post',
});

then inside ajax.php

if($session->CSRF->hasValidToken()) {
  //do something
}

This works.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...