Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
How to generate and send csrf token to controller via ajax post
  • hemorhemor
    I'm trying to make ajax (using jquery) post to some of my controller methods. How can I generate a valid csrf and send it along with the data.

    Note. I'm not submitting a form, I can use twig_fuel_extension's form_open() to automatically generate the csrf input field. I need to send image from summernote's editor to an endpoint on the server so that the image can be uploaded instead of it being represented as base64 which is summernote's default.

    I already have a working code, but when I turn on csrf settings to secure the app, it rejects my ajax posts due to missing csrf.
  • HarroHarro
    The CSRF token is set in a cookie when you generate one.

    See Security::js_fetch_token() for the javascript code needed to fetch the token from the cookie and add it to the posted data. Make sure you use the correct (= configured) variable so it can be checked by your code.

    Only do this when the post data is submitted, as other forms that may be open simultaneously might use the token on submission, causing a new token to be generated.
  • hemorhemor
    I know about js_fetch_token() I just don't know how to pass it. This is what I tried but it didn't work.

    vat token = fuel_csrf_token(); // this works.
    var data = new FormData();
    data.append('image', image); // the image I'm sending that works too. I used Input::file('image') to get it.
    data.append('fuel_csrf_token', token); // this doesn't work even though I use the default fuel_csrf_token as the token name.
  • HarroHarro
    Define "doesn't work"?

    What happens? Or what doesn't happen? Messages? Errors? Something else? How do you do the CSRF token check in your app?
  • hemorhemor
    If I enable these options inside config.php the ajax call return page not found 404 which is the same error fuelphp gave me when I tried submitting a form without csrf token field.

    'csrf_autoload'            => true,
    'csrf_autoload_methods'    => array('post', 'put', 'delete'),
    'csrf_bad_request_on_fail' => true,
    'csrf_auto_token'          => true,


    BUT when I remove those options everything works fine.
  • HarroHarro
    That config would throw a HttpBadRequestException when the validation failed, which you should be able to find back in the application log files.

    You might want to debug Security::check_token(), and see if static::$csrf_token_key contains "fuel_csrf_token", and if the value fetched there is the value you posted. Also check if static::$csrf_token contains that value.

    You need to do that before the code in the method, to make sure nothing alters the data (the call to fetch_token for example will generate a new token).

    You might also want to add an exception handler for that exception, so you can pass a meaningful message back if it happens on a json call.
  • hemorhemor
    Thanks. I'm yet to try it as I'm very busy with other stuffs. I'll let you know when I try it.


    Just a quick question.

    I'm using controller template, the template file gets a bunch of variables passed to it, how can i get the values of those variables from the inner template.

    What I mean is this template.twig calls {{ site.name }} to get the name of the website that was passed to it. How can I access this from all other child template which uses the template.twig?
  • HarroHarro
    I have to say I don't know, I've never used Twig myself.
  • hemorhemor
    Oh! okay what if it was php how would I access it?
  • HarroHarro
    If you are using standard templates, you have to explicitly pass variables on, unless they were set on the View as "global".

    See http://fuelphp.com/forums/discussion/comment/21096#Comment_21096
Add a Comment

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Categories

In this Discussion