I have CSRF protection enabled on my site, but the only time the CSRF token is placed in a hidden field is when form_close() is used. I am posting data via ajax and need to send the CSRF as well to prevent the 500 errors.
I thought there was a way to explicitly embed the CSRF token into the page, but I can't seem to find it.
How can I get the CSRF token when there isn't a form on the page?
You can get the CSRF token name and value via the security class:
$this->security->get_csrf_hash();
$this->security->get_csrf_token_name();
Add it to the form this way
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>">
Here is an example that shows you how to enable CSRF Attack mode :
<script>
var cct = '<?php echo $this->security->get_csrf_hash() ?>';
var get_csrf_token_name = '<?php echo $this->security->get_csrf_token_name() ?>';
$.ajaxSetup({
type:'post',
data:{ <?php echo $this->security->get_csrf_token_name() ?> :cct}
});
var siteurl = '<?= site_url()?>';
</script>
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 贼婆χ 的文章《Getting Codeigniter CSRF token without a form?》','https://www.manongdao.com/article-302014.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}