CodeIgniter& CSRF

时间:2017-11-07 13:22:14

标签: php jquery ajax codeigniter csrf

当用户登录时,他可以使用小表单执行搜索。这是对控制器的AJAX请求。我可以多次执行此操作。但是,当我尝试重新加载页面时,用户已注销并需要再次登录。

这是我的JS:

var CFG = {
        url: '<?php echo $this->config->item('base_url'); ?>',
        token: '<?php echo $this->security->get_csrf_hash(); ?>'
};


$(function() 
{

    $('#personen_search_result').hide();
    $('#search_alert').hide();

    $.ajaxSetup(
    {
        data: 
        {
            token:CFG.token
        }
    });

    $(document).ajaxSuccess(function(e,x)
    {
        var result = $.parseJSON(x.responseText);
        $('input:hidden[name="token"]').val(result.token);
        $.ajaxSetup(
        {
            data: 
            {
                token: result.token
            }
        });
    });


    $( "#submit_personen" ).click(function(event) 
    {


        event.preventDefault();

        var namelast        = $('#namelast').val();
        var dateofbirth     = $('#dateofbirth').val();
        var rijksregisternr = $('#rijksregisternr').val();
        var email           = $('#email').val();
        var hosid           = <?php echo $this->session->hosid; ?>;


        $.ajaxSetup(
        {
            data:
            {
                nameLast: namelast,
                dateofBirth: dateofbirth,
                rijksregisterNr: rijksregisternr,
                email: email, 
                hosid: hosid
            }
        });

        $('#table_personen').html("");
        $('#search_alert').html("").hide();

        $.post(CFG.url + 'persoon/js_retrieve', function(data)
        {

            if(data['status']   == 200)
            {
                var personenrows        = data['html'];
                $('#table_personen').append (personenrows);

                if (!$('#personen_search_result').is(':visible'))
                    $('#personen_search_result').slideToggle();
            }
            else if (data['status'] == 400)
            {
                var message         = data['html'];
                $('#search_alert').append(message);

                if (!$('#search_alert').is(':visible'))
                    $('#search_alert').slideToggle();
            }
        }, 'json');


    });
});

这是我的控制者:

public function js_retrieve()
{

    // Data preperations

    // Query Builder



    if ($result->num_rows() == 0)
    {

        // No result: error message
        $data['html']       = '<span class="alert">Geen personen gevonden.</span>';
        $data['status']     = 400;
    }
    else
    {

        // Good result, show list in table
        // table header 
        $html               = '<thead class="thead-light"><tr><th>Naam</th>th>Voornaam</th><th>Geboortedatum</th><th>Rijksregister</th><th>status</th></tr><tbody>';

        // create rows
        foreach ($result->result_array() as $row)
        {
            $html           .= 
                '<tr>/\n<td><a href="'. base_url( 'persoon/detail/' .$row['id']  ) .'">' . $row['NameLast'] .', '. $row['NameFirst'] . '</a></td>/\n<td>' . $row['DateofBirth'] . '</td>/\n<td>' . $row['RijksRegisterNumber'] . '</td>/\n<td>' . $row['Status'] . '</td></tr>';
        }

        // close body
        $data['html']       = $html . '</tbody>';

        // status
        $data['status']     = 200;
    }



    // Set CSRF token hash & headers        
    $data['oldtoken']       = $this->input->post('token');
    $data['token']          = $this->security->get_csrf_hash();

    if (!headers_sent())
    {
        header('Cache-Control: no-cache, must-revalidate');
        header('Expires: ' . date('r'));
        header('Content-type: application/json');
    }

    // return result
    exit( json_encode($data , JSON_FORCE_OBJECT) );
}

任何可以给我一些指导的人吗?

PS:这些是我的配置:

$config['csrf_token_name'] = 'token';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = FALSE;
$config['csrf_exclude_uris'] = array();

1 个答案:

答案 0 :(得分:0)

这不是一个答案,因为对于评论而言,它是一个故障排除测试。试试这个:

$this->output->set_header('Cache-Control: no-store, no-cache, must-revalidate');
$this->output->set_content_type('application/json');
$this->output->set_output(json_encode($data, JSON_FORCE_OBJECT));
$this->output->_display();
exit;