Tomas

Reputation: 2726

Yii CSRF Token cannot be verified

I had in my script a form which was submitted by ajax like this:

jQuery.ajax({
    url: jQuery('form', modal).attr('action'),
    contentType: "application/json; charset=utf-8",
    dataType: 'json',
    type: 'post',
    data: {
        email: jQuery('input[name="email"]', modal).val(),
        something: jQuery('input[name="something"]', modal).val(),
        level: jQuery('select[name="level"]', modal).val(),
        YII_CSRF_TOKEN: jQuery('input[name="csrf"]').val()
    },
    success: function(data){
        jQuery('.message', modal).html(data.message).slideDown();
        if (!data.success){
            jQuery('input[name="email"]', modal).addClass('error');
        } else {
            jQuery('input[name="email"]', modal).removeClass('error');
        }
    }
});

Everything was working great. Then today I was writing a new function for deleting items from the database. So I wrote my PHP function (nothing extra complicated) and added a jQuery ajax call to it, triggered by clicking on a link:

// ajax request
jQuery.ajax({
    url: jQuery(this).attr('href'),
    contentType: "application/json; charset=utf-8",
    dataType: "json",
    type: 'post',
    data: {
        something: jQuery(this).attr('alt'),
        YII_CSRF_TOKEN: jQuery('input[name="csrf"]').val()
    },
    success: function(data){

    }
});

Both the link and the form are in the same view. But after adding the new function for deleting, everything kind of broke down. I cannot make any POST request to the server; I just get "Error: The CSRF token could not be verified". I cannot see the problem, as I am passing the CSRF. The Firebug log shows:

YII_CSRF_TOKEN  bf6d9bf62ee96f32e34a74244baca7f2f1bdd569
something   4

I might understand that the new function doesn't work for some reason, but why the other function broke down as well, I cannot get.

Upvotes: 0

Views: 4666

Answers (1)

Tomas

Reputation: 2726

I have figured out what the problem was and thought I would share it with you. Of course it was very trivial.

In the PHP function (action) the flow was going, and every time it ran into a problem / unexpected result (record doesn't exist etc.) it would return something like:

if (empty($user)){
    echo json_encode(array('success'=>0,'message'=>'User does not exist'));
    return false;
}

I think that some of you see my mistake already. The problem is that once you

return false;

Yii automatically gives back the message "Invalid Request". Therefore, it doesn't matter whether or not everything went well on the server side, you always have to return true. So

if (empty($user)){
    echo json_encode(array('success'=>0,'message'=>'User does not exist'));
    return true;
}

works as expected.

For the problem with the message "Error: The CSRF token could not be verified." I still don't understand what the problem is, but I also found a solution. I have realized that this message is returned the first time I do any action with the $_POST variable. Therefore what I did at the beginning of the actions is:

$post = $_POST;

Probably not the perfect solution, but it works.

Upvotes: 1
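
Added example (not part of the original question or answer, and not Yii or jQuery code): both requests above set contentType to "application/json" while passing data as a plain object, which jQuery still serializes as a URL-encoded string, and PHP populates $_POST only for form-encoded or multipart bodies. The Node.js model below, with hypothetical helper names and a constructed token, shows how a check that reads YII_CSRF_TOKEN from the POST data and compares it with the cookie behaves for each content type.

```javascript
// Added example: a small model of the request path, not Yii or jQuery source.

// Stand-in for jQuery's handling of a plain-object `data`: it is turned into a
// URL-encoded string (processData defaults to true) whatever contentType says.
function serializeLikeJquery(data) {
  return new URLSearchParams(data).toString();
}

// Model of PHP's $_POST: only form-encoded bodies are parsed into it
// (multipart/form-data is also parsed by PHP but is not modelled here).
function phpPost(contentType, body) {
  const type = contentType.split(';')[0].trim().toLowerCase();
  if (type !== 'application/x-www-form-urlencoded') return {};
  return Object.fromEntries(new URLSearchParams(body));
}

// Compare without stopping at the first differing character.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Double-submit check: the token in the POST data must match the cookie token.
function csrfValid(post, cookies, name = 'YII_CSRF_TOKEN') {
  const sent = post[name];
  const expected = cookies[name];
  if (!sent || !expected) return false; // missing token fails validation
  return constantTimeEqual(sent, expected);
}

// Constructed sample values.
const token = 'constructed-sample-token-0001';
const cookies = { YII_CSRF_TOKEN: token };
const body = serializeLikeJquery({ something: '4', YII_CSRF_TOKEN: token });

// Same body, same cookie; only the declared content type differs.
function check(contentType) {
  return csrfValid(phpPost(contentType, body), cookies);
}

console.log('application/json body accepted:', check('application/json; charset=utf-8'));
console.log('form-encoded body accepted:   ',
  check('application/x-www-form-urlencoded; charset=UTF-8'));
```

In this model the browser's network panel would still list the token in the request body in both cases; what changes is whether the server-side parser ever places it in the POST data.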
