
I want to submit my form using jQuery AJAX. It works, but only the first time I click submit. Here is my code.

    <!-- hidden input rendered inside the form (CodeIgniter CSRF field) -->
    <input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>" />

    // js code; formData is a FormData object built from the form,
    // so it carries the hidden CSRF field along with the question fields
    $.ajax({
        url: ajaxurls.ask,
        type: 'POST',
        data: formData,
        contentType: false,       // let the browser set the multipart content type
        cache: false,             // do not let the browser cache the response
        processData: false,       // send the FormData as-is instead of a query string
        success: function (html) {
            var data = jQuery.parseJSON(html);
            if (data.status == 'ok') {
                $('.row_question_form').after(data.response.html);
                $('.question_' + data.response.question[0].question_id).hide().fadeIn();
                $('#question_form').val('');
                $('#thumbnails').empty();
                $('#ask_question_messages').empty().html(data.message);
            } else if (data.status == 'error') {
                $('#ask_question_messages').empty().html(data.message);
            }
        }
    });

You would probably say to set `$config['csrf_regenerate'] = FALSE;`, but in this case someone could create hundreds of records in my database with an application like this:

http://i.imgur.com/qA4pqyr.png

1 Answer

It is correct that you can only submit one POST per CSRF Token, as they are for one-time use.

If your intention is to alter server-side data, POST is the correct method.

But if you are trying to just read data from the server, you should use the GET method.

This is nicely explained here.


If you want to disable CSRF renewal, because it would not be necessary to generate a new token per request, you can do it in CI v3.0 by setting the configuration:

    $config['csrf_regenerate'] = FALSE;

If you, on the other hand, prefer to get a new token and refresh your form for a new submission, read this howto.

– alariva
  • I need to insert data into the database, so POST is the correct method. As you see here: [link](http://i.imgur.com/AKXom4x.png) I have that form to ask questions. But I need to be able to ask 2 or more questions without reloading the page. I use AJAX to show the answer instantly. A solution would be to update the page CSRF token on AJAX success. Example: `$.ajax({ url: ajaxurls.ask, type: 'POST', data: formData, success: function (html) { var data = jQuery.parseJSON(html); $('input[name="csrf_ask_name"]').val(data.new_csrf); } });` but is this still secure? – Sebastian Corneliu Vîrlan Aug 07 '15 at 15:43
  • You are supposed to submit only once per FORM/POST, so you will have to load a new form (thus, a new token) after each submission. You can request a new form with an AJAX GET, which will include a new token. Just add a controller method that provides the form you need to load, and replace the old one with the AJAX requested. Be careful about security concerns with requesting "free tokens" for everybody, as you would be disabling the security feature it is supposed to provide. Maybe somebody else could explain the security concerns about this. – alariva Aug 07 '15 at 15:48
  • I think requesting a new form or a new input with the token is equivalent. – Sebastian Corneliu Vîrlan Aug 07 '15 at 16:25
  • I think it is. But there are many apps that load forms from AJAX, so I believe there actually is a way to *securely* get a *new form* without risk. – alariva Aug 07 '15 at 16:26
  • @IonVasile please read new sources as to check if any of those (totally different approaches) fit your needs. Seems the security concern discussion regarding the CSRF token goes even further and it's up to you the decision of renewing or not. – alariva Aug 07 '15 at 23:57
  • I already referred in the original question to csrf_regenerate. If I disable it, someone could create a lot of records in the database with an app like Postman. – Sebastian Corneliu Vîrlan Aug 08 '15 at 14:20
  • CSRF protection is not intended to avoid automation or multiple requests, in fact Captcha or antibot challenges are for that. If you want to anyway preserve the CSRF token, have you tried the howto of the second alternative? – alariva Aug 08 '15 at 23:25