我目前的工作我的CI3项目,我有一些问题CSRF_Regeneration。
我的目的:
当用户登录和注册时,我将使用CSRF通过检查是否存在电子邮件来保护我的表单数据,或者在用户输入电子邮件时不使用它。
如果CSRF_generation为False,那是可行的
当我将CSRF_Regeneration 配置为False并且csrf_expire将在7200到期时,这是可行的。
问题当我将 CSRF_generation设置为 TRUE时,将发生以下问题
POST http://localhost/com/account/register 403 (Forbidden)
这是检查邮件是否存在的Ajax
<script type="text/javascript">
$(document).ready(function () {
$("#email-error").css({'display': 'none', 'color': 'red'});
$("#email").keyup(function () {
var emailValue = $("#email"); // This is a bit naughty BUT you should always define the DOM element as a var so it only looks it up once
var tokenValue = $("input[name='csrf_token_name']");
// console.log('The Email length is ' + emailValue.val().length);
if (emailValue.val().length >= 0 || emailValue.val() !== '') {
// console.log('Token is ' + tokenValue.val()); // Now why is this not getting the coorect value?? It should
$.ajax({
type: "post",
url: "<?php echo base_url('account/check_user_existing'); ?>",
data: {
'<?php echo $this->security->get_csrf_token_name(); ?>': tokenValue.val(),
email: $("#email").val()
},
dataType: "json",
cache: false,
success: function (data) {
// console.log('The returned DATA is ' + JSON.stringify(data));
// console.log('The returned token is ' + data.token);
tokenValue.val(data.token);
if (data.response == false) {
$("#email-error").css({'display': 'none'});
$(".form-error").css({'border': '', 'background-color': '', 'color': ''});
document.getElementById("csubmit").disabled = false;
} else {
$("#email-error").css({'display': 'inline', 'font-size': '12px'});
$(".form-error").css({'border': '1px solid red', 'background-color': 'rgba(255, 0, 0, 0.17)', 'color': 'black'});
document.getElementById("csubmit").disabled = true;
}
}
});
}
});
});
</script>
这是我的表格
<?PHP echo form_open('account', array('method' => 'POST', 'id' =>'createform')); ?>
<div class="control-group">
<label class="control-label" for="lname">Last Name</label>
<div class="control">
<?PHP echo form_input('lastname', set_value('lastname', ''), 'id="lastname" class="form-control ln-error" ') ?>
</div>
</div>
<div class="control-group">
<label class="control-label" for="fname">First Name</label>
<div class="control">
<?PHP echo form_input('firstname', set_value('firstname', ''), 'id="firstname" class="form-control ln-error" ') ?>
</div>
</div>
<div class="control-group">
<label class="control-label" for="email"> Email <span id="email-error">Email is existed</span></label>
<div class="control">
<?PHP echo form_input('email', set_value('email', ''), 'id="email" class="form-control ln-error" placeholder="Example@website.com" ') ?>
</div>
</div>
<div class="control-group">
<label class="control-label" >Password</label>
<div class="control">
<?PHP echo form_password('pass', set_value('pass', ''), 'id="pass" class="form-control ln-error" ') ?>
</div>
</div>
<div class="control-group">
<div class="controls">
<?PHP echo form_submit('csubmit', "Create Account", 'id="csubmit" class="btn btn-success btn-lg" ') ?>
</div>
</div>
<?PHP echo form_close(); ?>
这是控制器检查用户的方法
public function check_user_existing() {
$data = $this->input->post('email'); // This should be passed in as a parameter as depending upon Form Names isn't that good.
$new_token = $this->security->get_csrf_hash();
$response = FALSE; // Set the default so we know what it is in case the IF fails or we could use an else at the end but this is nicer.
$check_email = $this->user->check_user_exist_email($data);
if ($check_email == TRUE) {
$response = TRUE; // Change it to TRUE if it's true but our $response Always has a KNOWN Value :)
}
echo json_encode(array('response' => $response, 'token' => $new_token));
exit(); // This is here for safety... Terminate and leave!
}
谢谢你的建议
我有这个问题,我也没有想设置csrf_regeneration到FALSE,因为它是不太安全。
所以我做了以下事情:
csrf_token_name = '<?php echo $this->security->get_csrf_token_name(); ?>';
csrf_cookie_name = '<?php echo $this->config->item('csrf_cookie_name'); ?>';
$(function ($) {
// this bit needs to be loaded on every page where an ajax POST
var object = {};
object[csrf_token_name] = $.cookie(csrf_cookie_name);
$.ajaxSetup({
data: object
});
$(document).ajaxComplete(function () {
object[csrf_token_name] = $.cookie(csrf_cookie_name);
$.ajaxSetup({
data: object
});
});
});
如果您使用的是blueimp / jQuery-File-Upload,则可以执行以下操作:
$('#fileupload').bind('fileuploadsubmit', function (e, data) {
data.formData = [
{name: csrf_token_name, value: $.cookie(csrf_cookie_name)}
]
});
参考文献:
| 归档时间: |
|
| 查看次数: |
2855 次 |
| 最近记录: |