jquery $.post and token validation issue
lafaty80 opened this issue · 11 comments
Hi,
If I try this method, I get a token issue. A simple php->php page change is working.
This is my example code.
In index.php:
use csrfhandler\csrf as csrf;
$_token = csrf::token();
<script>
var token = '<?php echo $_token; ?>';
var chk = new Object();
chk._token = token;
$.post("_checkProduct.php", chk, function(chkProduct){
    alert(chkProduct.found);
}, "json");
</script>
In _checkProduct.php:
use csrfhandler\csrf as csrf;
$ret = array();
if (csrf::post()) {
    $ret["found"] = "token ok";
} else {
    $ret["found"] = "token issue!";
}
echo json_encode($ret);
If I load index.php, I get the "token issue!" alert box. I don't know why; if I send the token back into the alert() box, the 2 tokens are the same.
Thx
Hello, I would like to suggest the way that I am using:
- create a hidden field in the form that generates the csrf token
- fetch it via jquery val() and then post it to the php file
- in the php file you can try moving csrf::post() into a variable and then checking true/false
Hello, thanks. In the real code I use the hidden field of course, but in this case it is not important. I tried your 2nd and 3rd options but they do not work. Same issue.
Ok then try this then... I couldn't achieve getting the POST method to work, so I have done this:
public static function postvar($tokenkey) {
    return self::authToken(array(
        "method" => "POST",
        "token" => (isset($tokenkey)) ? $tokenkey : null
    ));
}
This version is working for me :)
You are mixing PHP with HTML...
use csrfhandler\csrf as csrf;
$_token = csrf::token();
<script>
var token = '<?php echo $_token; ?>';
var chk = new Object();
chk._token = token;
$.post("_checkProduct.php", chk, function(chkProduct){
    alert(chkProduct.found);
}, "json");
</script>
It should be something like,
<?php
use csrfhandler\csrf as csrf;
$_token = csrf::token();
?>
<script>
var token = '<?php echo $_token; ?>';
var chk = new Object();
chk._token = token;
$.post("_checkProduct.php", chk, function(chkProduct){
    alert(chkProduct.found);
}, "json");
</script>
Yes, sorry, in the code I use "" this is a mistype here...
Problem Solved?
No, in the real code I use the php open-close method, I only mistyped here. I tried a few things; interesting. If in index.php I create a new token, and in jquery I call a simple .post with data and put the token value into the data, it works. When I create a function in jquery, move the .post into this function and call this function the first time, it works, but if I call the function twice, it does not work. So the first jquery .post call works every time, but after this no.
So I created a simple test environment with 3 files. Please test it:
init.php
<?php
require_once "./csrf/csrf.php";
?>
index.php
<?php
require_once "./init.php";
use csrfhandler\csrf as csrf;
$_token = csrf::token();
?>
<html>
<head>
  <script src="./jquery/jquery-2.2.4.js"></script>
</head>
<script>
$(document).ready(function(){
  $("#item").val("");
  $("#item").focus();
  function test(){
    var p = new Object();
    p._token = $("#_token").val();
    $.post("test.php",p, function(data){
      alert('from-test.php-token:' + data);
    });
  }
  //test();
  $("#bTest").click(function(){
    var param = new Object();
    param.item = $("#item").val();
    param._token = $("#_token").val();
    alert(param._token);
    test();
  });
});
</script>
<body>
  <form name="test" method="post">
    <input type="hidden" name="_token" id="_token" value="<?php echo $_token; ?>">
    <input type="text" name="item" id="item" value="">
    <input type="button" name="bTest" id="bTest" value="test">
    <br>
    <p>Token: <?php echo $_token; ?>
  </form>
</body>
</html>
test.php
<?php
require_once "./init.php";
use csrfhandler\csrf as csrf;
if (csrf::post()) {
    echo "token ok! ".$_POST["_token"];
} else {
    echo "token not ok! ".$_POST["_token"];
}
?>
If you use this, it works well the first time, but after the 2nd "test" click it does not work. When you remove the slashes from test(); in index.php, the issue comes after the first test (of course with this method the app calls the function in the script twice).
I got the issue: CSRF tokens expire after usage. In your case, you are generating the token the first time, then triggering Ajax; it's working fine. But after the first execution, your token will be expired. So you need to get a new token before trying a second time.
Thanks for your answer (topic closed too fast :) ), but please show me in the example code where I need to generate a new token for it to work well. I tried some methods and options, but it's not simple, I think.
It depends on how you are implementing the code.
- You can return the token from the URL you called.
- You can call another end-point to generate a new token once you have called a function.
But the current version is good for form submission only. I am working on a new implementation to provide support for XML HTTP requests through HTTP headers. Sorry for the inconvenience, I will release the next major version with native AJAX support soon.
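The behaviour discussed in the last replies, as an added example that is not part of the thread and not csrfhandler's code: a Node.js model of single-use tokens showing why the second `$.post` fails and how returning a fresh token from the called URL fixes it. `SingleUseTokenServer`, `handlePost`, `nextToken`, `staleClient` and `rotatingClient` are hypothetical names, and the in-memory server only stands in for the PHP side.

```javascript
// Added example: in-memory stand-in for the PHP side (csrf::token() / csrf::post()).
// All class, function and field names here are hypothetical, not the library's API.
const crypto = require("crypto");

class SingleUseTokenServer {
  constructor() { this.valid = new Set(); }

  // Issue an unpredictable token and remember it as unused.
  issue() {
    const token = crypto.randomBytes(16).toString("hex");
    this.valid.add(token);
    return token;
  }

  // Stand-in for test.php: the token is consumed by validation, and the
  // response carries a fresh one ("return the token from the URL you called").
  handlePost(body) {
    const ok = this.valid.delete(body._token); // true only on first use
    return { ok, nextToken: this.issue() };
  }
}

// Mirrors the thread's test(): every click re-sends the token from page load.
function staleClient(server, clicks) {
  const token = server.issue();
  const results = [];
  for (let i = 0; i < clicks; i++) {
    results.push(server.handlePost({ _token: token }).ok);
  }
  return results;
}

// Fixed client: stores the token from each response before the next request.
function rotatingClient(server, clicks) {
  let token = server.issue();
  const results = [];
  for (let i = 0; i < clicks; i++) {
    const res = server.handlePost({ _token: token });
    results.push(res.ok);
    token = res.nextToken; // in the page: $("#_token").val(res.nextToken)
  }
  return results;
}

console.log(staleClient(new SingleUseTokenServer(), 3));    // [ true, false, false ]
console.log(rotatingClient(new SingleUseTokenServer(), 3)); // [ true, true, true ]
```

With concurrent requests the same rotation needs the calls serialised, since each response invalidates the token the next request would send.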