When posting a form with a csrf token, $this->input->post("csrf_token")
is empty.
I could post a duplicate csrf_token using another field name. But that looks a bit unnecessary. Is there (another) way to get it?
__
All is done using AJAX. So first of all, a token must be requested; it is provided using a JSON template, populated this way:
$data["json"] = array(
"csrf_token" => $this->security->get_csrf_hash()
);
Using that token, an AJAX POST request is done, sending user login and password. If ?debug is added to the request URL, and the ENVIRONMENT is not production, the complete POST request parameters are added to the JSON output. Like so:
// Only when ?debug is present in the URL and we are not running in production
if( !is_null($this->input->get("debug")) && ENVIRONMENT != 'production'){
$debug = TRUE;
$data["json"]["post"] = $this->input->post(); // echo all POST parameters back in the JSON
}
And I get:
"post": {
"un": "test",
"pw": "test"
}
Adding $data["json"]["old_token"] = $this->input->post("csrf_token");
gives me "old_token": null
The cross-site request forgery check itself works as expected: no token, wrong token or expired token gives an error. So CodeIgniter does receive the token as it is supposed to. It seems to be removed from the post data.
After some poking around, I've found the answer. The security class removes the token from the POST array:
unset($_POST[$this->_csrf_token_name]);
(core/Security.php, in csrf_verify(), at line 234). I won't change that line, to be sure the controller keeps functioning after updating CodeIgniter.
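The behaviour found above, shown as a stand-alone PHP script. This is an added example, not code from the question, the answer or CodeIgniter itself: the CsrfGuard class is a deliberately simplified stand-in for CodeIgniter's Security class (class and method names, the cookie name csrf_cookie, returning false instead of showing an error page, and the constructed request data are all this example's own assumptions). It demonstrates that a successful verification consumes the token out of $_POST, that a wrong token is rejected without touching $_POST, and that the current token should be read from the security object (get_csrf_hash() in CodeIgniter, getCsrfHash() here) rather than from the POST data.

```php
<?php
// Added example: a minimal model of CodeIgniter-style CSRF verification.
// Not CodeIgniter's code; names and the cookie name are assumptions.

final class CsrfGuard
{
    private string $tokenName;
    private string $cookieName;
    private bool $regenerate;
    private ?string $hash = null;

    public function __construct(
        string $tokenName = 'csrf_token',   // same field name as in the question
        string $cookieName = 'csrf_cookie', // assumed cookie name
        bool $regenerate = true             // issue a fresh token after each successful POST
    ) {
        $this->tokenName = $tokenName;
        $this->cookieName = $cookieName;
        $this->regenerate = $regenerate;
    }

    /** Return the current token, creating one (and its cookie) if none exists. */
    public function getCsrfHash(): string
    {
        if ($this->hash === null) {
            $this->hash = bin2hex(random_bytes(16)); // 32 hex chars, CSPRNG
            $_COOKIE[$this->cookieName] = $this->hash;
        }
        return $this->hash;
    }

    /** Verify the token in $_POST against the cookie; true on success, false otherwise. */
    public function verify(): bool
    {
        if (!isset($_POST[$this->tokenName], $_COOKIE[$this->cookieName])) {
            return false; // no token at all
        }
        if (!hash_equals($_COOKIE[$this->cookieName], (string) $_POST[$this->tokenName])) {
            return false; // wrong token; $_POST is left untouched
        }

        // This is the line the answer found in core/Security.php:
        // the token is consumed, so $this->input->post('csrf_token') is empty afterwards.
        unset($_POST[$this->tokenName]);

        if ($this->regenerate) {
            unset($_COOKIE[$this->cookieName]);
            $this->hash = null;
        }
        $this->getCsrfHash(); // (re)issue the token for the next request
        return true;
    }
}

// Constructed request, mirroring the question: the client first fetched a token
// from the JSON template, then POSTed login, password and that token.
$guard  = new CsrfGuard();
$issued = $guard->getCsrfHash();
$_POST  = ['un' => 'test', 'pw' => 'test', 'csrf_token' => $issued];

$ok = $guard->verify();
var_dump($ok);                              // bool(true)
var_dump(isset($_POST['csrf_token']));      // bool(false): removed by verify(), as in CodeIgniter
var_dump(array_keys($_POST));               // ["un", "pw"]: exactly what the debug output showed
$next = $guard->getCsrfHash();              // the token to hand back to the client
var_dump($next !== $issued);                // bool(true): regenerated, old token is now invalid

// A wrong token is rejected and nothing is consumed.
$_POST['csrf_token'] = 'bogus';
var_dump($guard->verify());                 // bool(false)
var_dump(isset($_POST['csrf_token']));      // bool(true): rejected request leaves $_POST alone
```

Run it with `php example.php`. The practical consequence for the code in the answer: after csrf_verify() has run, the only place the token still lives is the security object, so $this->security->get_csrf_hash() (which, with regeneration enabled, returns the token the client must use on its next request) is the right value to put into the JSON response, and posting a duplicate under another field name is unnecessary.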