FuelPHP Forums

shared data for javascript. CSRF tokens problem...
  • Hello, I'd like to use some app-related data in the front-end, namely in JavaScript. The best example of that would be i18n for front-end (JavaScript) templates.

    My first thought was to create a PHP file inside assets/js, but then I realised that the autoloader won't work there, and each time I call, for instance, \Config::get('language', 'en'), I get an error about a missing class, because the autoloader and the rest of the framework don't work that way.

    So my second thought was to create an 'i18n' controller. Next I added a <script type="text/javascript" src="/i18n/{lang-code}"></script> tag to my template, and even though it is a kind of dirty and ugly solution, it does work. But then I realised that all the CSRF tokens in my forms were outdated. After spending a couple of hours with NetBeans and Xdebug I was able to figure out that a request to my i18n controller caused a regeneration of the CSRF token and set the new one in the cookie.

    So the next dirty "hotfix" was a JS function which, after page load, takes all forms with method="POST" and calls Fuel's fuel_set_csrf_token() for each form found.

    That solves my problem, but it looks and feels so wrong.

    Any ideas/suggestions on how to do this the right way?

    My goal is to use some data from the app config (and not only that) and to share some translation lines with the JS code.
  • Hey vLight, here's an idea that you might want to look into:

    Create a file for every language. In this example we are looking at the lang "en". Create, e.g., assets/lang/en.js that holds variables for all necessary localized messages and replace everything in your other JS files to use these variables instead of the actual messages. This file can then be included in your template(s)' <head> for the selected language.

    This could be automated and put into a task as well, so that these lines are automatically generated for every language, module, package, and so on and so forth. Plus, it will also increase your app's rendering speed, because only one more file needs to be included in the HTML and downloaded by the client instead of a bunch of asynchronous AJAX requests. And it will not ruin your CSRF tokens ;)
  • Hello philipptempel,
    thanks for the quick reply. I'll try it out.

    Even though that would solve my problem, it would also require additional conditions for loading the appropriate lang.js file.

    My wish was to include only one script tag with the same src="" and, behind the scenes, have Fuel decide which contents should be loaded and turned into JS. In the case of i18n that would be not only the translation lines but also some localization formatting rules (like how to present dates, currency, etc.), as well as some app config, like encoding, app name and other stuff from my own PHP config files which I use in my application.

    Furthermore, all my translations are saved in the DB and I have different "groups", like general, UI elements, and then another group for each controller.
  • Is there any way to disable CSRF token refreshing for a particular controller?
  • You can update the config value controlling this behaviour before your controller method generates the View?
  • @Harro, ahm, I do not understand the question. What config value?
  • A CSRF token gets reset if:
    - it is used (i.e. after submitting a form and doing a token validation)
    - it is expired

    The first one is hard-coded behaviour, so you need to overload the Security class's check_token() method if you want to change that.

    The second is controlled by the "csrf_expiration" config key in your app config file. By default it is set to zero, meaning "always generate a new token".
  • The second is controlled by the "csrf_expiration" config key in your app config file. By default it is set to zero, meaning "always generate a new token".

    Yes, that is the case.
  • So, if you don't want that, you can use

    \Config::set('security.csrf_expiration', 3600); // set the expiration to one hour

    in your controller, so that a new one isn't generated.

    Note that you have to do this before you call Security::check_token() !
  • Note that you have to do this before you call Security::check_token() !


    So in my case, for the i18n controller, that would be the before() method, right?!

    P.S. What would be your suggestion on this topic, I mean about "how to share" data and logic between front-end and back-end?
  • Harro
    Accepted Answer
    I don't know, it depends on where you check the token.

    If you have auto checking active (by setting security.csrf_autoload to true), there is no option to change the setting, as this is done very early in loading the framework, long before a controller is dispatched.

    If you have set this to false, you need to call check_token() somewhere manually, usually it's done in the before() method of a base controller. So you have to make sure your change is done before this.
  • yes, security.csrf_autoload is set to true

    OK, so I set it to false and added \Security::check_token() to my base controllers. Works fine! Thank you.
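The resolution above (security.csrf_autoload off, a manual \Security::check_token() in the base controller, optionally with security.csrf_expiration raised before the check) combined with the original goal of a single <script src="/i18n/{lang}"> tag, as an added example in PHP. This is not code from the thread or from FuelPHP itself; it assumes FuelPHP 1.x, and the class names, the 'ui' language file, the 'app.name' config key, the allowed-language list and the use of HttpBadRequestException (present in recent 1.x releases) are assumptions.

```php
<?php
// Added example, not from the thread or FuelPHP. Assumes app/config/config.php
// contains, as in the thread's resolution:
//   'security' => array('csrf_autoload' => false, 'csrf_expiration' => 0),

// app/classes/controller/base.php
class Controller_Base extends \Controller
{
    public function before()
    {
        parent::before();

        // check_token() both validates and regenerates the token (hard-coded
        // behaviour), so only call it for state-changing requests. A plain
        // GET to /i18n/en then leaves the tokens in already-rendered forms valid.
        if (\Input::method() !== 'GET')
        {
            // Optional: keep one token for an hour instead of minting a fresh
            // one on every validation. Must run *before* check_token().
            \Config::set('security.csrf_expiration', 3600);

            if ( ! \Security::check_token())
            {
                // Assumption: HttpBadRequestException exists in this Fuel version.
                throw new \HttpBadRequestException('Invalid or missing CSRF token');
            }
        }
    }
}

// app/classes/controller/i18n.php
// GET /i18n/en  ->  a JavaScript file that defines window.APP for the front-end.
class Controller_I18n extends Controller_Base
{
    public function action_index($lang = 'en')
    {
        // Whitelist the language code: it is used to pick a file on disk,
        // so never pass user input through unchecked. (List is an assumption.)
        $allowed = array('en', 'de');
        if ( ! in_array($lang, $allowed, true))
        {
            $lang = 'en';
        }

        // Load app/lang/<lang>/ui.php into the 'ui' group for that language
        // and fetch the whole group as an array. 'ui' is an assumed file name.
        \Lang::load('ui', 'ui', $lang);
        $lines = \Lang::get('ui', array(), array(), $lang);

        $payload = array(
            'lang'     => $lang,
            'encoding' => \Config::get('encoding', 'UTF-8'),
            'appname'  => \Config::get('app.name', 'My App'), // assumed custom key
            'lines'    => is_array($lines) ? $lines : array(),
        );

        // JSON_HEX_TAG/JSON_HEX_AMP keep a translation line containing
        // "</script>" from breaking out of the script element that loads this.
        $json = json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
        $body = 'window.APP = '.$json.';';

        return \Response::forge($body, 200, array(
            'Content-Type'  => 'application/javascript; charset=utf-8',
            'Cache-Control' => 'no-store',
        ));
    }
}
```

With csrf_autoload set to false, nothing validates tokens unless a controller inherits this before(); any controller that extends \Controller directly will silently skip the check, so make the base class the only parent for request-handling controllers. The i18n endpoint emits a script rather than JSON so that the template can keep the one script tag the original post wanted, without any AJAX round trip.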
