Ajax CSRF question


Post by DevDevil » Tue Apr 10, 2018 7:13 am

I have a form that uses ajax post to fetch data.

According to https://docs.joomla.org/How_to_add_CSRF ... g_to_forms, I have to insert a php command in my form to generate a hidden type, and a php command in my code before handling my query that generates a check for tokens. Which I've done.

But how should I send this token through my ajax request? Currently I fetch the token from my form using serialize on the form object, slice it up to only contain the randomized string from the hidden type and then insert it into the header of my request, while the other data I wish to send goes into the data part of my request, which passes the token check later in the function that carries out the query. But is that a secure way to do it?

From what I've read somewhere else, I could also leave the token in the serialized data from the form, and then pass it through the data in the request.
Last edited by toivo on Tue Apr 10, 2018 9:20 am, edited 1 time in total.
Reason: mod note: moved to 3.x Coding


Post by mbabker » Tue Apr 10, 2018 11:59 am

If you're serializing the form and submitting it as a POST request (essentially the same as a normal form submission as an HTTP request does), there's nothing extra you need to do. The only time you'd really need to get the CSRF to include in a request on your own in AJAX stuff is if you're doing operations where your data set doesn't have a CSRF token already defined as part of it, and as of 3.8 that's a little bit easier with the inclusion of https://github.com/joomla/joomla-cms/pull/14952
So long and thanks for all the fish.

Manually updating Joomla? See https://gist.github.com/mbabker/d7bfb4e ... 3607f89281
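
The two ways of sending the token discussed in this thread, side by side, as an added example that is not part of either post or of Joomla's own code. The header name `X-CSRF-Token`, the URL, the field names and the token value are assumptions constructed for illustration.

```javascript
// Added example: URL, field names and token value are constructed.
// Joomla's form token is a hidden input whose NAME is the session token
// and whose VALUE is "1" (32 hex characters assumed here).
const TOKEN_NAME = /^[0-9a-f]{32}$/;

// URL-encode a list of {name, value} pairs as a form POST body.
function serializeFields(fields) {
  return fields
    .map(f => encodeURIComponent(f.name) + '=' + encodeURIComponent(f.value))
    .join('&');
}

// Return the token string, or null when the data set carries none.
function findToken(fields) {
  const hit = fields.find(f => TOKEN_NAME.test(f.name) && f.value === '1');
  return hit ? hit.name : null;
}

// Build the parts of a POST request. By default the token stays in the
// serialized body, like a normal form submission. With tokenInHeader it is
// moved into a request header instead (header name is an assumption).
function buildPost(url, fields, tokenInHeader = false) {
  const token = findToken(fields);
  if (token === null) throw new Error('no CSRF token in form data');
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  let bodyFields = fields;
  if (tokenInHeader) {
    headers['X-CSRF-Token'] = token;
    bodyFields = fields.filter(f => f.name !== token);
  }
  return { url, method: 'POST', headers, body: serializeFields(bodyFields) };
}

// Constructed sample: what reading the form's inputs would yield.
const sampleFields = [
  { name: 'search', value: 'blue widgets' },
  { name: 'task', value: 'items.fetch' },
  { name: '0123456789abcdef0123456789abcdef', value: '1' },
];

// In a browser each result would be sent with
// fetch(req.url, { method, headers, body, credentials: 'same-origin' }).
const inBody = buildPost('index.php?option=com_example', sampleFields);
const inHeader = buildPost('index.php?option=com_example', sampleFields, true);
console.log(inBody.body);
console.log(inHeader.headers['X-CSRF-Token'], inHeader.body);
```

Both variants use POST, so the token travels in the body or a header and never in the URL.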

