
CSRF doesn't work with JSON requests

Hi,

I had a problem with CSRF: my token was always false, and I finally found out why:

I'm sending my form values with an Ajax request to my ajaxController in JSON format!

Here's my code where my token is always false:

```php
public function registerAction()
{
    // The form values arrive as a JSON body, so $_POST stays empty
    $post = $this->request->getJsonRawBody();

    // checkToken() returns false every time
    if ($post && $this->security->checkToken()) {
        // DO STUFF with $post values
    }
}
```

To make it work, I have to force the $_POST values using my JSON values like this:

```php
public function registerAction()
{
    $post = $this->request->getJsonRawBody();

    // Copy every JSON field into $_POST so checkToken() can find the token there
    foreach ($post as $postName => $postValue) {
        $_POST[$postName] = $postValue;
    }

    // checkToken() is now working
    if ($post && $this->security->checkToken()) {
        // DO STUFF
    }
}
```

So I'm sharing this problem with everyone who might be in this situation, and I'm asking: is there any better/proper way to make it work? And maybe checkToken() should handle this case?

Thanks.

Btw: How does the syntax highlighter work? :D

Re: Syntax highlighter: The backticks need to be consecutive - no spaces separating them.

Wow, I didn't notice them, thanks!

Anyway, I'm still open to any suggestion about my "problem".


checkToken() checks $_POST by default.

So you need to pass 2 args:

```php
checkToken([string $tokenKey], [string $tokenValue])
```

https://docs.phalcon.io/en/latest/api/Phalcon_Security.html
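Applying that answer to the original action, as an added example that is not from the thread or from Phalcon itself: the token key and value are read out of the JSON body and handed to checkToken() explicitly, so nothing has to be copied into $_POST. It assumes the JS client includes the pair rendered into the page by getTokenKey()/getToken() under the field names `csrf_key` and `csrf_token` (names chosen for this example).

```php
<?php
// Added example: CSRF validation for a JSON request body in a Phalcon controller.
// Assumption: the page rendered the current key/value with
// $this->security->getTokenKey() and $this->security->getToken(), and the
// client puts them in the JSON object as "csrf_key" and "csrf_token"
// (field names are this example's convention, not Phalcon's).

use Phalcon\Mvc\Controller;

class AjaxController extends Controller
{
    public function registerAction()
    {
        // Return JSON directly, no view rendering for an Ajax endpoint.
        $this->view->disable();

        // true => associative array instead of stdClass, so ?? works on keys.
        $post = $this->request->getJsonRawBody(true);

        $key   = is_array($post) ? ($post['csrf_key']   ?? null) : null;
        $token = is_array($post) ? ($post['csrf_token'] ?? null) : null;

        // Without arguments checkToken() only looks at $_POST. Passing the key
        // and value makes it validate a token that arrived in the JSON body.
        // A missing field fails closed; on success Phalcon discards the token
        // by default, so the client needs a fresh pair for the next submit.
        if ($key === null || $token === null
            || !$this->security->checkToken($key, $token)) {
            $this->response->setStatusCode(403, 'Forbidden');
            $this->response->setJsonContent(['error' => 'invalid CSRF token']);
            return $this->response;
        }

        // DO STUFF with the validated $post values

        $this->response->setJsonContent(['ok' => true]);
        return $this->response;
    }
}
```

The `??` null-coalescing operator needs PHP 7 or later; on older PHP replace it with an isset() check.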