csrf not updating after ajax call


v.

Sep 14, 2018, 10:57:59 AM
to Fat-Free Framework
I noticed my ajax form that is updated after each question always returns the same csrf string.
My code works perfectly for non-ajax pages:
        if ($this->f3->VERB === 'POST') {
            if ($this->f3->get('POST.session_csrf') == $this->f3->get('SESSION.csrf')) {
                // Things check out! No CSRF attack was detected.
                $this->f3->set('CSRF', $this->f3->session->csrf()); // Reset csrf token for next post request
                $this->f3->copy('CSRF', 'SESSION.csrf'); // copy token to session
            } else {
                echo "DANGER! CSRF ATTACK";
                die;
            }
        }

The session csrf does get posted and the if-post-statement returns true, however it always returns the same csrf.
Do I need to somehow force the script to change the csrf token? If so, how? And why is it not updating it itself, while it does in standard (non-ajax) post requests?

ved

Sep 14, 2018, 12:18:41 PM
to Fat-Free Framework
Can you post the rest of the code including views and javascript?

Richard Goldstein

Sep 14, 2018, 12:25:03 PM
to v. via Fat-Free Framework
When do you generate the csrf token? If you are setting it up in an HTML form (not Ajax) and not getting a new csrf token in your Ajax call it’s not going to change. Do you do anything to update the csrf field when you update the form via Ajax?

--
Rich Goldstein, MD

v.

Sep 14, 2018, 4:28:42 PM
to f3-fra...@googlegroups.com
The javascript code:
$(document).ready(function() {
    $('form').submit(function(event) {
        var formData = $("form").serialize(); // includes the hidden session_csrf field
        $.ajax({
            type: 'POST',
            url: '/process',
            data: formData,
            dataType: 'text',
            encode: true // not a jQuery.ajax option; ignored by jQuery
        })
        .done(function(data) {
            $('#form').html(data); // replace the form contents with the server's response
            $('#q_answer').focus();
        })
        .fail(function(jqXHR, textStatus, errorThrown) {
            alert(JSON.stringify(jqXHR) + ': ' + errorThrown);
        });
        event.preventDefault();
    });
});

It returns a new form item in the view which does not contain anything special. (<form id=form> .... ajax replaced item containing the same csrf token every time (<input type="hidden" name="session_csrf" value="{{ @CSRF }}" />) - button </form>)

> When do you generate the csrf token? If you are setting it up in a html form (not Ajax) and not getting a new csrf token in Your Ajax call it’s not going to change. Do you do anything to update the csrf field when you update the form via Ajax?

Clearly I am not updating it, I thought the framework took care of that...
My session is started in the index file, just before the run command

ved

Sep 14, 2018, 4:40:41 PM
to Fat-Free Framework
So, /process returns an entire new form including <form></form> tags and with the new CSRF token already inside as a hidden field?

Or does the ajax request change the entire form except the token?

v.

Sep 17, 2018, 2:53:37 AM
to Fat-Free Framework
Hi,

The ajax request loads the entire content between the <form> tags, not the tags themselves. It loads a new csrf as well. The csrf just does not change.

ved

Sep 17, 2018, 5:37:46 AM
to Fat-Free Framework
Ok, but as I've asked before, if you want us to help, please post your complete code for this issue.
That includes the controller, the views, the javascript etc. Basically all the code that runs until the issue.
We can't guess what your code is doing by narration.

v.

Sep 18, 2018, 6:56:30 AM
to Fat-Free Framework
Thank you for your help.
In the meantime I have found a bug in the application and now the tokens are updating. I wanted to make sure that they were supposed to update after an ajax call.
