Codeigniter (CSRF) jQuery ajax problem

Question

I’ve got a issue here, i keep getting a error when i try to post something with ajax (POST). I know it is the CSRF that gives me these problems and I’ve been tried back and forth trying to find a solution. However, i hope somebody here can help me out!

This is the error i keep getting (from google chrome inspector),

*Failed to load resource: the server responded with a status of 500 (Internal Server Error) XHR finished loading: "http://localhost/woho/ajax/images".*

PHP (Controller)

class Ajax extends CI_Controller {

    function images() {

        echo 'Hello World';

    }

}

Javascript

var ID = $(".imageWrap:last").attr("id");
var baseurl = "http://localhost/woho/";
var doScroll = 1;
var cct = $.cookie('csrf_cookie_name');

if (location.href == baseurl) {
    $(window).scroll(function(){
        if ($(window).scrollTop() > $('body').height() / 2) {
            if(doScroll == 1) {                   
                $.post(baseurl + 'ajax/images',{'id' : ID, 'csrf_token_name': cct}, function(data) {
                    alert(data);
                    $("#wrapper_content").append(data);
                    ID++;
                });
            }
        }
    });
}

my CCT var from javascript gives me the correct token or "hash" but when the javascript sends the ajax request codeigniter returns an error like,

An Error Was Encountered The action you have requested is not allowed.

How can i fix this? do i need to validate the CSRF Token or something in my controller?

I'm using Codeigniter 2.0.3

Answer 1

I was facing same problem but now I have fixed this problem.

First of all, I have created csrf_token in header.php for every pages like below code

$csrf = array(
                'name' => $this->security->get_csrf_token_name(),
                'hash' => $this->security->get_csrf_hash()
        );

<script type="text/javascript">
    var cct = "<?php echo $csrf ['hash']; ?>";
  </script>

After that, when we are sending particular value through ajax then we will have to sent csrf token like below code

$.ajax({
    url:"<?php echo APPPATHS.'staff_leave/leaveapproval/getAppliedLeaveDetails'; ?>",
    data:{id:id,status:status,'<?php echo $this->security->get_csrf_token_name(); ?>': cct},
    method:"post",
    dataType:"json",
    success:function(response)
    {
        alert('success');
    }
});

I hope this code will help you because this is working for me.

Answer 2

Just follow this code:

$.ajax({
    type : 'post',
    url  : 'Your URL',
    data : {
        id: id,
        '<?php echo $this->security->get_csrf_token_name(); ?>' : '<?php echo $this->security->get_csrf_hash(); ?>'
    },
    datatype: 'json',
    success : function(data){}
});

Answer 3

it may be late but i found this perfect solution sort of hack but should work

if (isset($_SERVER["REQUEST_URI"])) 
{
    if(stripos($_SERVER["REQUEST_URI"],'/mypage') === FALSE)
    {
        $config['csrf_protection'] = TRUE;
    }
    else
    {
        $config['csrf_protection'] = FALSE;
    } 
} 
else 
{
    $config['csrf_protection'] = TRUE;
} 

// in config.php file ci 2.*

found solution from this post

Answer 4

If you use the form_open("/some",'id="some_form"') and form_close() , CI create a hidden input that keep the csrf_token_name and it value.

so , in your AJAX request , you can get the form by serialize it and send form !

For example:

<script>
var _form = $("#some_form").serializeArray();
$.ajax({
    data: _form,
    type: 'post',
    url: '<?php echo base_url();?>some',
    async: true,
    success: function(output){
        alert(output);
    },
    complete: function(output){},
    fail: function(err){}
});
</script>

The CSRF always was my problem and by this method, it solved!!

Answer 5

check value of your $config['csrf_token_name'] in /application/config/config.php as default is setted as csrf_test_name not csrf_token_name.

This decision if you not want to use PHP code in Javascript.

$.ajax({
    url: 'some_url',
    type: 'POST',
    data: {csrf_test_name: $.cookie('csrf_cookie_name')}
});

This code works fine.

Answer 6

Try (javascript):

var ID = $(".imageWrap:last").attr("id");
var baseurl = "http://localhost/woho/";
var doScroll = 1;
var cct = $.cookie("<?php echo $this->config->item("csrf_cookie_name"); ?>");

if (location.href == baseurl) {
    $(window).scroll(function(){
        if ($(window).scrollTop() > $('body').height() / 2) {
            if(doScroll == 1) {                   
                $.post(baseurl + 'ajax/images',{'id':ID,'<?php echo $this->security->get_csrf_token_name(); ?>': cct}, function(data) {
                    alert(data);
                    $("#wrapper_content").append(data);
                    ID++;
                });
            }
        }
    });
}