Regenerate CSRF token in CodeIgniter on Ajax submit

Problem description

Hi, I am looking for the process of regenerating the csrf token in CodeIgniter whenever a form is submitted using Ajax. I want the token to be regenerated without a page refresh. Is there any way to do that?

Solution

There are two solutions I use at different times depending on the situation.

1. Slightly messy way but recommended

Get the token name and hash value in your controller and set it somewhere on your page as a data field (wherever you choose). For instance

 // in your controller: get the token name and hash and pass them to your view
 $token_name = $this->security->get_csrf_token_name();
 $token_hash = $this->security->get_csrf_hash();

 // in your view file, load them into a div for instance
 // (data-token carries the field name, data-hash the current hash value)
 <div id="my_div" data-token="<?php echo $token_name; ?>" data-hash="<?php echo $token_hash; ?>"></div>

Now in your js ajax code, you can just read the data values in "my_div" to get the right data for your ajax call.

It is made much easier if you have a genuine form on your page, in which case rather than using some div, just do not use form_open on the form, but instead create the hidden form field yourself, so you can read it easily via js.

 <!-- $csrf['name'] and $csrf['hash'] are the token name and hash passed from the controller -->
 <input type="hidden" id="my_data" name="<?=$csrf['name'];?>" value="<?=$csrf['hash'];?>" />

This is the important bit: Of course after sending post data, you need to refresh the token hash value (in your form input field or a div data, however you have chosen to do it). Write a js function called 'refresh_csrf_data' and use 'GET' to get the data and update the fields. This function can then be called whenever you have done an ajax post.

So every ajax call reads the token data, does the call, then refreshes the token data ready for the next call.
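As an added example that is not part of the original answer, here is the client side of solution 1 in JavaScript: the token is seeded from the hidden input, sent with every POST under its own field name, and replaced from a GET to a hypothetical /csrf/refresh controller action that returns JSON {"name": ..., "hash": ...} built from get_csrf_token_name() and get_csrf_hash(). A malformed refresh response is rejected so an empty or missing value never silently replaces a good token.

```javascript
const csrf = { name: null, hash: null };

// Store a token name/hash pair after checking it looks sane.
function setCsrf(name, hash) {
  if (typeof name !== "string" || name === "" ||
      typeof hash !== "string" || hash === "") {
    throw new Error("csrf token name and hash must be non-empty strings");
  }
  csrf.name = name;
  csrf.hash = hash;
  return { name, hash };
}

// Seed the token from the hidden input the view rendered (#my_data above).
function loadCsrfFromDom(doc) {
  const el = doc.getElementById("my_data");
  if (!el) throw new Error("hidden csrf input #my_data not found");
  return setCsrf(el.getAttribute("name"), el.value);
}

// Build a form-encoded POST body with the current token under its own name.
function buildPostBody(fields) {
  if (csrf.name === null) throw new Error("csrf token not loaded yet");
  const params = new URLSearchParams(fields);
  params.set(csrf.name, csrf.hash);
  return params.toString();
}

// Apply the JSON the refresh endpoint returns (the answer's refresh_csrf_data).
function applyCsrfRefresh(payload) {
  if (payload === null || typeof payload !== "object") {
    throw new Error("malformed csrf refresh response");
  }
  return setCsrf(payload.name, payload.hash);
}

// Full cycle: read token -> POST -> GET a fresh token, ready for the next call.
// /csrf/refresh is a hypothetical controller action returning {"name", "hash"}.
async function ajaxPost(url, fields, fetchFn = fetch) {
  const res = await fetchFn(url, {
    method: "POST", credentials: "same-origin",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildPostBody(fields),
  });
  const refresh = await fetchFn("/csrf/refresh", { method: "GET", credentials: "same-origin" });
  if (!refresh.ok) throw new Error("csrf refresh failed: " + refresh.status);
  applyCsrfRefresh(await refresh.json());
  return res;
}
```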

2. Easy but less secure

Alternatively, you can disable CSRF for your ajax calls by using the

 $config['csrf_exclude_uris'] = array('controller/method');

in the config file for CSRF settings.

3. Even easier but also less secure and I do not use it

Finally, you could turn off regenerating the CSRF hash on every submission

 $config['csrf_regenerate'] = FALSE;

But, do so with caution. This can open you up to certain types of attacks.

The answer that is best for you depends entirely on the type of page, the usage, whether users are logged in at the time or not, whether it is mission critical stuff or minor stuff, whether it is financial, etc.

Nothing is entirely secure, so it is a compromise sometimes. Personally I would do it with CSRF on full regenerate, no exceptions in the URIs, and reload the token and hash data whenever I needed to. It seems complicated, and it is complicated to explain, but once you have done it once, it is genuinely easy to do again and again whenever you need it, and your site will be far more secure than simply avoiding the issue with the other options.
