Getting Codeigniter CSRF token without a form?
S

4

18

I have CSRF protection enabled on my site, but the only time the CSRF token is placed in a hidden field is when form_close() is used. I am posting data via ajax and need to send the CSRF as well to prevent the 500 errors.

I thought there was a way to explicitly embed the CSRF token into the page, but I can't seem to find it.

How can I get the CSRF token when there isn't a form on the page?

Snowcap answered 14/11, 2012 at 20:50 Comment(2)
Ajax form + CSRF results in a failing request - Outbreed
Sam is incorrect, set the token on the page via $this->security->get_csrf_hash(); and then just pull the _TOKEN value, ex. data: { _TOKEN: $('input[name="_TOKEN"]').val()}, - Stockinet
M
44

You can get the CSRF token name and value via the security class:

$this->security->get_csrf_hash();
$this->security->get_csrf_token_name();
Masaryk answered 14/11, 2012 at 20:57 Comment(1)
Weird, couldn't find that in the documentation, but that's exactly what I was looking for. Thanks - Snowcap
B
12

Add it to the form this way

<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>">
Benzaldehyde answered 2/2, 2015 at 11:0 Comment(0)
F
0

Here is an example that shows you how to enable CSRF Attack mode:

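<script>
  // CSRF token value and field name, rendered server-side by the security class
  var cct = '<?php echo $this->security->get_csrf_hash(); ?>';
  var get_csrf_token_name = '<?php echo $this->security->get_csrf_token_name(); ?>';

  // Build the default payload keyed by the configured token name
  var csrf_data = {};
  csrf_data[get_csrf_token_name] = cct;

  // Make every jQuery AJAX call a POST that carries the token
  $.ajaxSetup({
    type: 'post',
    data: csrf_data
  });

  var siteurl = '<?= site_url() ?>';
</script>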
Forsyth answered 18/7, 2017 at 0:40 Comment(0)
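The `$.ajaxSetup` defaults in the answer above apply to every AJAX request jQuery makes from the page. As an added example (not code from this thread or from CodeIgniter), the helper below attaches the token only to state-changing requests aimed at the site's own origin, so the token is not sent to other hosts; `attachCsrf`, the variable names and the sample values are assumptions.

```javascript
// Added example, not from the thread. attachCsrf and the variable names are
// hypothetical; the token value and site URL are constructed samples.

// In a real view these would be rendered by get_csrf_token_name(),
// get_csrf_hash() and site_url(); hard-coded here so the block runs offline.
const csrfName = 'csrf_test_name';
const csrfHash = '0123456789abcdef0123456789abcdef'; // constructed sample
const siteUrl = 'https://app.example.test/';          // constructed sample

const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Returns a copy of the request with the CSRF field added to its form body,
// but only when the request changes state and targets our own origin.
function attachCsrf(request, token, baseUrl) {
  const method = (request.method || 'GET').toUpperCase();
  const target = new URL(request.url, baseUrl); // resolves relative URLs
  const sameOrigin = target.origin === new URL(baseUrl).origin;
  if (!STATE_CHANGING.has(method) || !sameOrigin) {
    // Leave the payload untouched: no token on reads or on foreign hosts.
    return { ...request, method, url: target.href };
  }
  const body = new URLSearchParams(request.data || {});
  body.set(token.name, token.hash); // overwrite any stale token value
  return { ...request, method, url: target.href, data: body.toString() };
}
```

The returned object has `method`, `url` and `data` fields, which can be passed to `$.ajax()` in place of relying on global `$.ajaxSetup` defaults.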
G
0

For anyone looking for an answer in 2023.

I solved this by adding protected \CodeIgniter\Security\Security $security; property into my BaseController class, and assigning the core security class into the property when the initController method is called.

...
// Do Not Edit This Line
parent::initController($request, $response, $logger);

// Preload any models, libraries, etc, here.
$this->security = new Security(config('Security'));
...
Geosynclinal answered 10/12, 2023 at 11:42 Comment(0)
