1

When posting a form with a csrf token, $this->input->post("csrf_token") is empty.

I could post a duplicate csrf_token using another field name. But that looks a bit unnecessary. Is there (another) way to get it?

__

All is done using AJAX. So first of all, a token must be requested, and it is provided using a JSON template, populated this way:

$data["json"] = array(
    "csrf_token" => $this->security->get_csrf_hash()
);

Using that token, an AJAX POST request is done, sending user login and password. If ?debug is added to the request URL, and the ENVIRONMENT is not production, the complete POST request parameters are added to the JSON output. Like so:

if( !is_null($this->input->get("debug")) && ENVIRONMENT != 'production'){
    $debug = TRUE;
    $data["json"]["post"] = $this->input->post();
}

And I get:

"post": {
    "un": "test",
    "pw": "test"
}

Adding $data["json"]["old_token"] = $this->input->post("csrf_token"); gives me "old_token": null

The cross-site request forgery protection itself works as expected: no token, wrong token or expired token gives an error. So CodeIgniter does receive the token as it is supposed to. It seems to be removed from the POST data.

2
  • Did you try ci_csrf_token instead of csrf_token? Commented Nov 9, 2015 at 11:34
  • I tried, but still null Commented Nov 9, 2015 at 11:52

1 Answer

3

After some poking around, I've found the answer. The security class removes the token from the POST array: unset($_POST[$this->_csrf_token_name]); (core/Security.php in csrf_verify() at line 234)

I won't change that line, to be sure the controller keeps functioning after updating CodeIgniter.
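The following script is an added example, not code from the question or from CodeIgniter. It models the step the answer points at: the framework compares the submitted token with the cookie value, and on success consumes the token with an unset() before the controller runs, which is why the debug dump of the question shows only "un" and "pw" and why "old_token" comes back null. The constant values, the function name csrf_verify_model() and the sample request data are all constructed here; only csrf_token and get_csrf_hash() come from the page.

```php
<?php
// Added example (not from the question or CodeIgniter itself): a minimal model of
// what CodeIgniter 3's Security::csrf_verify() does with the token, to show why
// $this->input->post("csrf_token") is empty in the controller afterwards.
// The function name, constants and sample request data are constructed here.

declare(strict_types=1);

const CSRF_TOKEN_NAME  = 'csrf_token';   // $config['csrf_token_name'] in the app
const CSRF_COOKIE_NAME = 'csrf_cookie';  // cookie name is an assumed value

/**
 * Model of the verification step: compare the submitted token with the cookie
 * value in constant time, then strip the token from the POST array, exactly as
 * core/Security.php does with unset($_POST[$this->_csrf_token_name]).
 * Returns true on success; a missing or mismatching token returns false
 * (the real framework raises its "not allowed" error instead and stops).
 */
function csrf_verify_model(array &$post, array $cookie): bool
{
    if (!isset($post[CSRF_TOKEN_NAME], $cookie[CSRF_COOKIE_NAME])) {
        return false;
    }
    if (!hash_equals((string) $cookie[CSRF_COOKIE_NAME], (string) $post[CSRF_TOKEN_NAME])) {
        return false;
    }
    // This is the line the answer points at: the token is consumed, not passed on.
    unset($post[CSRF_TOKEN_NAME]);
    return true;
}

// Constructed sample request: what the AJAX login call from the question would send.
$hash   = bin2hex(random_bytes(16));   // stands in for get_csrf_hash() from the previous request
$cookie = [CSRF_COOKIE_NAME => $hash];
$post   = ['un' => 'test', 'pw' => 'test', CSRF_TOKEN_NAME => $hash];

$ok = csrf_verify_model($post, $cookie);

// What the controller sees after verification: the login fields, but no token.
$json = [
    'verified'  => $ok,                              // true
    'post'      => $post,                            // {"un":"test","pw":"test"}
    'old_token' => $post[CSRF_TOKEN_NAME] ?? null,   // null, as observed in the question
];
echo json_encode($json, JSON_PRETTY_PRINT), PHP_EOL;

// A request with a wrong token: verification fails and the array is left as it
// was, so nothing downstream should act on it.
$bad = ['un' => 'test', 'pw' => 'test', CSRF_TOKEN_NAME => str_repeat('0', 32)];
var_dump(csrf_verify_model($bad, $cookie)); // bool(false)
```

In the real controller, read the current hash with $this->security->get_csrf_hash(), as the question's JSON template already does, rather than from the POST data. With CodeIgniter 3's csrf_regenerate setting enabled, the hash is replaced after each verified request, so the value that was submitted would be stale even if it were still present in $_POST.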
