How to check if Token is correct via Post Form and Ajax?


Maik

Jun 19, 2014, 9:01:33 AM6/19/14
to joomla-de...@googlegroups.com
Hello,

I have a form which is sent via jQuery / Ajax as POST.

Tokenpart in Form default.php:
<?php echo JHtml::_('form.token'); ?>

Tokenpart and URL in JS File for testing:
nothing
url: "index.php?option=com_mfc&task=Profile.sendMailProblem&format=json",

Token in json.php:
JSession::getFormToken('post') or jexit(JText::_('JINVALID_TOKEN'));  

The problem in this example is that I can read the values, but to my understanding I didn't submit the token, so it should be an invalid token message, or not?

Thx

Viper

Jun 19, 2014, 9:19:42 AM6/19/14
to joomla-de...@googlegroups.com
url: "index.php?option=com_mfc&task=Profile.sendMailProblem&format=json",
data: { '<?php echo JSession::getFormToken(); ?>': 1 }

Maik

Jun 19, 2014, 9:40:15 AM6/19/14
to joomla-de...@googlegroups.com
Hello Viper,

and thanks. Yes, I found this one on the net too and tested it, but my problem is that if I don't use any kind of token in the .js, the form is submitted too and the token check didn't register this, I think.

Viper

Jun 19, 2014, 9:55:25 AM6/19/14
to joomla-de...@googlegroups.com
You mean that you cannot see the token in the POST? Or you cannot get it on the server side?

And that is it?
JSession::getFormToken('post')

Did you read the docs?

PS! JSession::checkToken()

Maik

Jun 19, 2014, 10:13:09 AM6/19/14
to joomla-de...@googlegroups.com
It is all OK with the form. I can see the token, call the form and get a result, but I don't understand why the token check is valid if I use everything as you see above. Yes, I saw the docs. If I use it like this:
.....
jQuery.ajax({                                   
            url: "index.php?option=com_mfc&task=Profile.sendMailProblem&format=json",
//            url: "index.php?option=com_mfc&task=Profile.sendMailProblem&format=json&' +userToken +'=1'",
//            url: "index.php?option=com_mfc&task=Profile.sendMailProblem&format=json&'.JSession::getFormToken().'=1'",
//            url: "index.php?option=com_mfc&task=Profile.sendMailProblem&format=raw&'. JUtility::getToken() .'=1'",
            type: "POST",
            data: DataString,
            dataType: 'JSON',
            '<?php echo JSession::getFormToken()?>': 1,
            cache: true,           
            success: function(data)
...
I run into the error: function(). If not, all seems to be alright. So if I pass a parameter for the token through the .js I get an error; if not, all seems OK, but I am not sure if the token was checked correctly. Above you can see that I tested some other URLs. Hope you understand me.

Viper

Jun 19, 2014, 10:34:46 AM6/19/14
to joomla-de...@googlegroups.com
JSession::getFormToken('post') is wrong! This method accepts only boolean values, but you are passing a string. All tokens are always read from $_POST.

Maik

Jun 19, 2014, 10:44:07 AM6/19/14
to joomla-de...@googlegroups.com
But shouldn't it throw an error or something like that because of security??
Then this is correct:
url: "index.php?option=com_mfc&task=Profile.sendMailProblem&format=json",

type: "POST",
data: DataString,
'<?php echo JSession::getFormToken()?>': 1,
=> doesn't work, error

Viper

Jun 19, 2014, 11:58:35 AM6/19/14
to joomla-de...@googlegroups.com
You're completely wrong! Read the manual carefully.

js
type: 'POST',
url: 'index.php?option=com_mfc&task=Profile.sendMailProblem&format=json',
data: $('form').serialize()
// Example

When checking the token in the controller

public function blabla() {
    JSession::checkToken() or jexit('Wrong token');
}


But you are trying to put an unrecognized parameter into the $.ajax method.

Maik

Jun 19, 2014, 3:14:06 PM6/19/14
to joomla-de...@googlegroups.com
Hi,
sorry, I don't understand this?! I took this from some tutorials, so what would be the right way to send a POST form via Ajax/jQuery?

Viper

Jun 19, 2014, 3:25:52 PM6/19/14
to joomla-de...@googlegroups.com
Example:
<script type="text/javascript">
    jQuery(document).ready(function($){
        $('form').submit(function(e){
            e.preventDefault();
            $.post($(this).attr('action'), $(this).serialize(), function(response){
                alert(response);
            });
        });
    });
</script>

<form action="index.php?option=com_mfc&task=Profile.sendMailProblem&format=json">
    <input ... />
    <input ... />
    <input ... />

    <?php echo JHtml::_('form.token'); ?>
    <input type="submit" value="Send form" />
</form>

Maik

Jun 20, 2014, 2:48:51 AM6/20/14
to joomla-de...@googlegroups.com
Hi,

OK, understood that. But back to my initial question. Should "JSession::getFormToken('get') or jexit(JText::_('JINVALID_TOKEN'));" in my case throw an error if it were submitted wrong?

Viper

Jun 20, 2014, 3:41:34 AM6/20/14
to joomla-de...@googlegroups.com
You're wrong again.
JSession::getFormToken('get') - WRONG!!!!!!
Use JSession::checkToken()

Maik

Jun 20, 2014, 4:36:16 AM6/20/14
to joomla-de...@googlegroups.com

Viper

Jun 20, 2014, 7:50:32 AM6/20/14
to joomla-de...@googlegroups.com
And that? serialize() will get all data from the inputs. You can POST the token via input or as data: {'<?php echo JSession::getFormToken(); ?>':1}

Korzo

Jun 21, 2014, 9:00:44 AM6/21/14
to joomla-de...@googlegroups.com
Forget about the tutorial you read and take a look at the Joomla source code.
JSession::getFormToken() returns the token.
This method has no parameter unless you need a new token. Then you pass true as the parameter.

JSession::checkToken() verifies if the token is valid and returns true or false. The parameter of this method is the HTTP request method, with default 'post'.

JHtml::_('form.token') returns:

<input type="hidden" name="' . JSession::getFormToken() . '" value="1" />


Take a look at the example Viper posted before. There is all you need to post your data with Ajax. You only need to handle the response instead of alerting it.

Then in your controller you can verify the token with:

JSession::checkToken() or jexit('Wrong token');
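As an added example (not code from this thread or from the com_mfc component), this is what Korzo's description looks like on the controller side of a Joomla 3 component; the class name MfcControllerProfile, the mail-sending step and the JSON response shape are assumed, and the field names are the ones from Maik's jQuery code.

```php
<?php
// Added example, not code from the thread or the com_mfc component.
// Controller for task=Profile.sendMailProblem (class name assumed).
defined('_JEXEC') or die;

class MfcControllerProfile extends JControllerLegacy
{
    public function sendMailProblem()
    {
        // What the thread started with. This is not a check at all:
        // getFormToken() returns the session's token string (its only
        // parameter is the boolean $forceNew), and a non-empty string is
        // always true, so the jexit() branch can never run and any request,
        // with or without a token, gets through.
        //
        //   JSession::getFormToken('post') or jexit(JText::_('JINVALID_TOKEN'));

        // The real check. checkToken() (default method 'post') asks
        // getFormToken() for the expected field name, looks that name up in
        // $_POST and returns false when it is absent. The field only exists
        // in the request if the form contained JHtml::_('form.token') and the
        // JavaScript sent the serialized form (or data: {'<token>': 1}).
        JSession::checkToken() or jexit(JText::_('JINVALID_TOKEN'));

        $app   = JFactory::getApplication();
        $input = $app->input;

        // Read the posted fields only after the token passed, and filter
        // them: they come straight from the POST body built in the browser.
        $reportUser  = $input->post->getInt('reportUser');
        $profileUser = $input->post->getInt('ProfileUser');
        $category    = $input->post->getCmd('dropFehler');
        $text        = $input->post->getString('inputFehlerText', '');

        // ... build and send the problem report mail here (omitted) ...

        // format=json selects a raw response: emit JSON and stop rendering.
        echo json_encode(array('success' => true));
        $app->close();
    }
}
```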

Tom Hutchison

Jun 22, 2014, 11:13:26 AM6/22/14
to Joomla Dev List
Korzo

If you feel the tutorial is not clear enough or can be worded better, please improve it. 

Thanks
Tom


--
----
Tom Hutchison
Joomla! Production Leadership Team

Korzo

Jun 22, 2014, 12:13:37 PM6/22/14
to joomla-de...@googlegroups.com
Tom,

Sorry for the poor wording.
I meant "some tutorial" mentioned in the earlier (9th) mail, which I think was the source of confusion with the JSession::getFormToken() method.
Tutorial at docs.joomla.org is perfectly clear.


Tom Hutchison

Jun 22, 2014, 12:31:35 PM6/22/14
to joomla-de...@googlegroups.com
No problem, thanks!

Tom

---
Tom Hutchison
Joomla! Production Leadership

Maik

Jun 23, 2014, 9:16:44 AM6/23/14
to joomla-de...@googlegroups.com
Hi,

OK, understood. Yes, I have to look more into the source code, but for me as a beginner it's quite a bit simpler to understand a tutorial than the right part in the source code ;). But I think Tom is right too: there are tutorials and these must be up to date and correct ;).

But my problem is: if I write the .js like this:
jQuery("#report_problem").click(function(){
        var reportUser = jQuery("#reportUser").val();
        var ProfileUser = jQuery("#ProfileUser").val();
        var dropFehler = jQuery("#dropFehler option:selected").val();
        var inputFehlerText = jQuery("#inputFehlerText").val();
        // Body is built by hand, so values are URL-encoded; note that no
        // token field is part of it (the form is not serialized).
        var DataString = 'reportUser=' + encodeURIComponent(reportUser)
            + '&ProfileUser=' + encodeURIComponent(ProfileUser)
            + '&dropFehler=' + encodeURIComponent(dropFehler)
            + '&inputFehlerText=' + encodeURIComponent(inputFehlerText);
        jQuery.ajax({
            url: "index.php?option=com_mfc&task=Profile.sendMailProblem&format=json",
            type: "POST",
            data: DataString,
            dataType: 'JSON',
            cache: true,
            success: function(data)
            {
                alert(data);
                if (jQuery.isEmptyObject(data)){
                }else{
                  alert("Error");
                }
            },
            error: function()
            {
              alert("Error in Communication");
            },
            complete: function(){
            }
        });
    });

the checkToken is true, so where and how was it checked? As far as I understand, the token should be transmitted (like Viper wrote), so it must be false and the error message "invalid token" has to show. You know what my question is? Sorry, but I want to understand it.
