JSON请求中的CodeIgniter CSRF令牌 [英] CodeIgniter CSRF token in JSON request
问题描述
我遇到了CodeIgniter/CSRF/JSON的问题.
I ran into an issue with CodeIgniter / CSRF / JSON.
我正在使用Content-Type"application/json向我的PHP后端发送http POST请求.有效负载是JSON数据.我将数据与CSRF令牌一起传递,该令牌已生成并存储在CSRF cookie中.标准的POST FORM请求,效果很好,但是当以JSON发送时失败.
I am sending http POST requests to my PHP backend with the Content-Type "application/json. The payload is JSON data. Along with the data, I pass the CSRF token that is generated and stored in the CSRF cookie. With a standard POST FORM request, it works just fine, but when sending as JSON it fails.
由于$ _POST数组由于JSON内容类型而为空,因此CodeIgniter无法验证cookie并引发错误.
As $_POST array is empty because of the JSON content-type, CodeIgniter fails to validate the cookie and throws an error.
我如何让CodeIgniter检查JSON有效负载并验证我的CSRF令牌?
How can I have CodeIgniter check JSON payload and validate my CSRF token ?
推荐答案
要解决该问题,我必须更改位于"system/core/"中的"Security.php"文件的代码.
To fix that issue, I had to change the code of the "Security.php" file located in "system/core/".
在函数"csrf_verify"中,替换该代码:
In function "csrf_verify", replace that code:
// Do the tokens exist in both the _POST and _COOKIE arrays?
if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]))
{
$this->csrf_show_error();
}
// Do the tokens match?
if ($_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name])
{
$this->csrf_show_error();
}
通过该代码:
// Do the tokens exist in both the _POST and _COOKIE arrays?
if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])) {
// No token found in $_POST - checking JSON data
$input_data = json_decode(trim(file_get_contents('php://input')), true);
if ((!$input_data || !isset($input_data[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])))
$this->csrf_show_error(); // Nothing found
else {
// Do the tokens match?
if ($input_data[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name])
$this->csrf_show_error();
}
}
else {
// Do the tokens match?
if ($_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name])
$this->csrf_show_error();
}
该代码首先检查$ _POST,然后如果未找到任何内容,则检查JSON有效负载.
That code first checks $_POST then if nothing has been found, it checks the JSON payload.
执行此操作的理想方法是检查传入请求的Content-Type标头值.但是令人惊讶的是,这样做并非直截了当...
The ideal way of doing this would be to check the incoming request Content-Type header value. But surprisingly, it's not straight forward to do ...
如果有人有更好的解决方案,请在此处发布.
If someone has a better solution, please post it here.
欢呼
这篇关于JSON请求中的CodeIgniter CSRF令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!