Codeigniter csrf令牌不在post数组中 [英] Codeigniter csrf token not in post array
问题描述
发布带有csrf令牌的表单时, $ this-> input-> post(csrf_token)为空。
When posting a form with a csrf token, $this->input->post("csrf_token") is empty.
我可以使用其他字段名称发布重复的csrf_token。但这看起来有点不必要。
有(另一种)方法吗?
I could post a duplicate csrf_token using another field name. But that looks a bit unnecessary. Is there (another) way to get it?
__
全部使用AJAX完成。首先,必须请求令牌,并使用json模板提供,以这种方式填充:
All is done using AJAX. So first of all, a token must be requested, and is provided using a json template, populating it this way:
$data["json"] = array(
"csrf_token" => $this->security->get_csrf_hash()
);
使用该令牌,完成ajax POST请求,发送用户登录名,密码。如果将?debug 添加到请求URL,并且环境不生产,则将完整的post请求参数添加到json输出。像这样:
Using that token, a ajax POST request is done, sending user login, password. If ?debugis added to the request url, and the ENVIRONMENT is not production, the complete post request parameters are added to the json output. Like so:
if( !is_null($this->input->get("debug")) && ENVIRONMENT != 'production'){
$debug = TRUE;
$data["json"]["post"] = $this->input->post();
}
我得到:
"post": {
"un": "test",
"pw": "test"
}
添加 $ data [json] [old_token] = $ this->输入 - > post(csrf_token); 给我old_token:null
跨站点请求伪造本身,按预期工作:没有令牌,错误令牌或过期令牌会出错。因此,Codigniter确实收到了令牌。它似乎被从帖子数据中删除。
The Cross-site request forgery itself, works as expected: no token, wrong token or expired token gives an error. So Codigniter does receive the token as a supposed to. It seems to be removed from the post data.
推荐答案
经过一番探索之后,我找到了答案。安全类从POST数组中删除令牌: unset($ _ POST [$ this-> _csrf_token_name]); (
After some poking around, I've found the answer. The security class removes the token from the POST array: unset($_POST[$this->_csrf_token_name]); (core/Security.php in csrf_verify() at line 234)
我不会更改该行,以确保控制器在更新Codeigniter后仍然有效。
I won't change that line, to be sure the controller keeps functioning after updating Codeigniter.
这篇关于Codeigniter csrf令牌不在post数组中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
