I have enabled CodeIgniter's CSRF protection on my site, which uses AJAX to submit a user form and handles some other user interaction that requires data submission via AJAX. As a result I came up against the "action not allowed" server-side error. I quickly worked out that only the data my JavaScript collected and submitted via AJAX was passed to the server, and as a result the CSRF code was not being sent.

The generated token tag looks like:

<input type="hidden" name="csrf_test_name" value="dsflkabsdf888ads888XXXXXX" />

So it seems to me the simplest way to submit the token to the server for verification is to use a jQuery selector on csrf_test_name to get the value and then add this to my post data for the server to verify, as per the code below:

//get CSRF token
var csrf = $('[name="csrf_test_name"]').val();

//build the form data array
var form_data = {
    csrf_test_name: csrf,
     ... ... ...
     ... ... ...
}

//send the form data to the server so it can be stored
$.ajax({
    type: "POST",
    data: form_data,
    url: ...,
    dataType: "html",
    success: function(msg){
         ... ... ...
    }//end success
});//end ajax

I have followed this procedure for every AJAX submission that sends data to the server; the server-side error is fixed and everything works fine.

To test this I have hard-coded an incorrect CSRF token, and the server detects the inconsistency and returns an error code 500, so on the surface this works.

My question is this: is this a safe way to do this, and is there an expected best practice to follow? I have done some Google searching on this and it seems all the other methods are more complex, and I am wondering if my way creates an attack vector that I can't see or work out.

  • I use the exact same method as you and it's usually the recommended method. AFAIK this is safe, but I wouldn't mind more views on it! Commented Jul 6, 2012 at 22:13
  • This looks just fine, unless you have some logical flaw in the backend code, which is presumably fairly unlikely. I would make sure you don't return a 500 error when they don't match, but I suppose that's a matter of preference. Also remember that even the smallest XSS will in 9 cases out of 10 defeat any CSRF protection. Commented Jul 7, 2012 at 13:15
  • Thanks for the feedback. I am using CodeIgniter and have the global XSS filter on as well, so that should thwart most attacks from my understanding of the CodeIgniter docs. Commented Jul 7, 2012 at 14:11

2 Answers

I like to add it to the AJAX setup. Set it once and have it automatically added to the post data for all of your requests.

$.ajaxSetup({
    data: {
        csrf_test_name: $("input[name='csrf_test_name']").val()
    }
});

An easier method is to pass that CSRF token to $.ajaxSetup(); that way it's included with any $.ajax() request afterward.

// CodeIgniter's token field name ($config['csrf_token_name'], default 'csrf_test_name')
var CSRF = 'csrf_test_name';

// read the token the view rendered into the hidden input
var csrf = $('input[name="' + CSRF + '"]').val();
var data = {};
data[CSRF] = csrf;

$.ajaxSetup({ 'data': data });

Then there's no need to include data: { csrf_test_name: 'xxx', ... } in requests after setup.
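
The same idea as the question's per-request approach and both answers' $.ajaxSetup() approach, as an added example that is not code from the original question, either answer, or CodeIgniter itself. Two points it handles that $.ajaxSetup({ data: ... }) does not: the token value is read from the hidden input at request time rather than snapshotted once when the page loads, and it is attached only to non-GET requests to the page's own origin, so the token never ends up in a GET query string or in a request to a third-party host. It assumes CodeIgniter's default token field name csrf_test_name (as on the page), jQuery 1.5 or later for $.ajaxPrefilter, and a browser with the URL and FormData globals; the helper names readCsrfToken, needsCsrfToken, isSameOrigin and appendCsrfToken are my own.

```javascript
// Attach CodeIgniter's CSRF token to jQuery AJAX requests at request time.
// Added example; not part of the original post. The helpers are plain
// functions so they can be exercised without a browser; the jQuery wiring
// at the bottom only runs when jQuery and a document are present.

// CodeIgniter default for $config['csrf_token_name']; change it if your config does.
var CSRF_TOKEN_NAME = 'csrf_test_name';

// Read the current token from the hidden input the view rendered.
// Reading per request (instead of once in $.ajaxSetup) means a token that the
// page or server refreshes later is still picked up.
function readCsrfToken(doc) {
  var input = doc.querySelector('input[name="' + CSRF_TOKEN_NAME + '"]');
  return input ? input.value : null;
}

// True when `url` resolves to the same origin as the page at `pageHref`.
// Relative URLs resolve against the page, so they count as same-origin;
// an unparseable URL fails closed.
function isSameOrigin(url, pageHref) {
  try {
    return new URL(url, pageHref).origin === new URL(pageHref).origin;
  } catch (e) {
    return false;
  }
}

// Only state-changing requests need the token, and only to our own origin,
// so the token is never sent to a third party or written into a GET query string.
function needsCsrfToken(method, url, pageHref) {
  var m = String(method || 'GET').toUpperCase();
  if (m === 'GET' || m === 'HEAD' || m === 'OPTIONS') return false;
  return isSameOrigin(url, pageHref);
}

// Add the token to whatever shape the request body currently has.
// By the time a prefilter runs, jQuery has already serialised object data to a
// urlencoded string; FormData (uploads with processData: false) is passed through.
function appendCsrfToken(data, token) {
  if (typeof FormData !== 'undefined' && data instanceof FormData) {
    data.append(CSRF_TOKEN_NAME, token);
    return data;
  }
  if (data && typeof data === 'object') {
    data[CSRF_TOKEN_NAME] = token;
    return data;
  }
  var pair = encodeURIComponent(CSRF_TOKEN_NAME) + '=' + encodeURIComponent(token);
  return data ? data + '&' + pair : pair;
}

// Browser wiring: run the check on every $.ajax() call before it is sent.
if (typeof jQuery !== 'undefined' && typeof document !== 'undefined') {
  jQuery.ajaxPrefilter(function (options) {
    if (!needsCsrfToken(options.type, options.url, window.location.href)) return;
    var token = readCsrfToken(document);
    if (token === null) return; // no field rendered; let the server reject the request
    options.data = appendCsrfToken(options.data, token);
  });
}
```

With this in place the form submission in the question needs no csrf_test_name entry in its form_data at all, and a request to https://other.example or a plain GET goes out without the token.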
