Codeigniter csrf token not in post array

2019-08-13 18:25发布

问题:

When posting a form with a csrf token, $this->input->post("csrf_token") is empty.

I could post a duplicate csrf_token using another field name. But that looks a bit unnecessary. Is there (another) way to get it?

__

All is done using AJAX. So first of all, a token must be requested, and is provided using a json template, populating it this way:

$data["json"] = array(
    "csrf_token" => $this->security->get_csrf_hash()
);

Using that token, a ajax POST request is done, sending user login, password. If ?debugis added to the request url, and the ENVIRONMENT is not production, the complete post request parameters are added to the json output. Like so:

if( !is_null($this->input->get("debug")) && ENVIRONMENT != 'production'){
    $debug = TRUE;
    $data["json"]["post"] = $this->input->post();
}

And I get:

"post": {
    "un": "test",
    "pw": "test"
}

Adding $data["json"]["old_token"] = $this->input->post("csrf_token");gives me "old_token": null

The Cross-site request forgery itself, works as expected: no token, wrong token or expired token gives an error. So Codigniter does receive the token as a supposed to. It seems to be removed from the post data.

回答1:

After some poking around, I've found the answer. The security class removes the token from the POST array: unset($_POST[$this->_csrf_token_name]); (core/Security.php in csrf_verify() at line 234)

I won't change that line, to be sure the controller keeps functioning after updating Codeigniter.