Currently, I am developing with CodeIgniter. Inside my CodeIgniter application, there are 15 ajax request calls. Every time there is a request, it updates the CSRF token value. The problem is that when it requests more than 15 times, it gives a '403 Forbidden' error.
Is there a limit within Codeigniter? If there is, how do I remove this limit?
Thank you in advance.
There's no such limit. You're just not keeping track of CSRF token updates.
Each time you submit a POST request, CodeIgniter will re-generate its CSRF token and send it back as the new CSRF cookie value in the response.
If you don't update your pre-generated forms (or other types of ajax request data) with the new value, they'll still have the old token and fail validation.
You can disable regeneration altogether by setting $config['csrf_regenerate'] = false; in your config/config.php file, but this is discouraged. The proper thing to do is to keep track of the token changes.
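One way to keep track of the token changes on the client, as an added example that is not part of the original answer or of CodeIgniter itself. It assumes the CSRF cookie is named csrf_cookie_name, the POST field is csrf_test_name, and the cookie is readable from script (not HttpOnly); makeCsrfPoster and readCookie are hypothetical helper names.

```javascript
// Added example: names below are assumptions, not taken from the page.
const CSRF_COOKIE = 'csrf_cookie_name'; // assumed $config['csrf_cookie_name']
const CSRF_FIELD = 'csrf_test_name';    // assumed $config['csrf_token_name']

// Extract one cookie value from a "k=v; k2=v2" string (document.cookie format).
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build a POST helper that reads the token at send time instead of reusing
// a value captured at page load. Requests are serialized, because parallel
// POSTs may carry a token that an earlier POST has already rotated.
function makeCsrfPoster(getCookies, send) {
  let queue = Promise.resolve();
  return function post(url, fields) {
    const run = async () => {
      const token = readCookie(getCookies(), CSRF_COOKIE);
      if (token === null) throw new Error('CSRF cookie not set; load a page first');
      const body = new URLSearchParams({ ...fields, [CSRF_FIELD]: token });
      return send(url, { method: 'POST', body, credentials: 'same-origin' });
    };
    const result = queue.then(run);
    queue = result.catch(() => {}); // a failed request must not block later ones
    return result;
  };
}

// Browser wiring (skipped outside a browser):
if (typeof document !== 'undefined') {
  globalThis.csrfPost = makeCsrfPoster(() => document.cookie, fetch);
}
```

In the browser, every ajax POST then goes through csrfPost(url, fields), so each request picks up whatever token the previous response set.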
Related
I have sessions enabled in Django to use Django's authentication framework.
From an HTML page served by Django, and after authenticating as a user with sufficient permissions, I'm trying to send a PATCH request via jQuery's ajax() function, and I'm getting HTTP 403 errors with the response detail CSRF Failed: CSRF token missing or incorrect.
What I've done so far:
I'm including the correct csrf token in the X-CSRF-TOKEN header field.
I've set SESSION_COOKIE_HTTPONLY = False.
The cookie sent in the ajax request includes the sessionid. If I get rid of this sessionid, the request succeeds. To do so, I either delete the session cookies in the browser or edit the PATCH request in the browser's developer tools and resend it with the sessionid deleted from the Cookie header field. Obviously I need to re-login as soon as I refresh the page, but in the meantime, I can PATCH to my heart's content.
So far I couldn't find out why the presence of the sessionid cookie makes Django deny the request.
I want to enable CSRF in my SailsJS and Angular 2 application but I have been having endless problems.
The Angular app is on a page that is only accessible after a user has logged in, controlled by Sails policies.
Then I http.get the CSRF token from the /csrfToken route and store it, adding it to HTTP headers when doing a POST.
I was continually getting CSRF mismatch errors and I finally realised that the /csrfToken route was returning a different value every time, both from a http.get and also when accessing the URL from the browser.
It wasn't clear that this was happening when I went through this tutorial (see 00:30) for a multi-page application where the CSRF value is submitted as a hidden field in a form, and there doesn't seem to be any mention of how to change this behaviour in the Sails documentation.
How can I configure Sails so that it will maintain a single CSRF value for a session?
UPDATE: It’s working now
I have made my update an answer as advised.
It turns out that there were different issues that were causing my problems.
My code had become so fragmented that I didn’t realise I was referencing an older function that was putting the CSRF into the header wrong.
I rolled back a bunch of client-side code and then magically the CSRF value remained consistent between Ajax calls and also worked correctly in the POST request.
So I guess there was something in my fragmented code that had caused the CSRF token to change between API calls but I don’t know what it was.
Visiting /csrfToken in the browser still produces a different result every time but it does not seem to affect the API calls.
EDIT
I discovered that the CSRF changes with each request to /csrfToken. One of my mistakes was that after I stored the CSRF value the first time I then (accidentally) requested a new /csrfToken again later, which then invalidated the stored value. Using the stored value would then result in a CSRF mismatch error as a new value had been issued.
I am using polymer to send ajax requests to my Drupal services api.
I send a POST to login and then a POST to create a node. When I login I am given a token which I store and pass to the next request.
I am monitoring the requests and responses with Charles. The token is being sent, the cookie is being set and passed on the 2nd POST, but I get an "Unauthorized : CSRF validation failed" response.
When I send the request with Postman it works like a dream, but for some reason it doesn't validate when sent with my app.
I have checked that the token being set matches the one being sent, and the only difference I've noticed is that when it's being sent again there is a prefix of ga_; something to do with Google Analytics?
The expiry of the token is a month away, the token matches what is returned at login, and it is being sent correctly. The header accepts X-CSRF-Token in the Access-Control-Allow-Headers.
My CORS module code is:
api/*|<mirror>|GET, POST, PUT, OPTIONS|Authorization, Origin, Content-Type, X-CSRF-Token|true
If anybody has a similar issue, mine was caused by a couple of things: running Drupal and my app in the same browser, causing all kinds of cookie conflicts, and, when passing parameters to my function that computes my request, if there were any parameters that were not used, it breaks.
Hope this helps someone.
I am having a hard time making CSRF Guard work on Ajax requests in my Grails application. I already added the JavaScript servlet to the page and followed the instructions on their website. The problem is that it keeps saying that I have a missing token. Aside from that, our Ajax request is not inside a form, and I would assume that CSRF Guard would look for forms and auto-inject the token for Ajax POST requests. I merely get each parameter and pass it as data in my Ajax POST request.
You should try the pattern outlined by the author of this question: Grails - Is there a recommended way of dealing with CSRF attacks in AJAX forms?
Do I need to use csrf tokens in my ajax requests?
I think that someone tricking my users to execute malicious ajax requests from another site, to my site, will fail because of the origin policy, which is handled by the browser, am I right?
I don't care about duplicated requests when using ajax, I'm only asking about the attacks.
Am I at risk if I don't use csrf in my ajax requests?
As per my research,
We can reduce the vulnerability by using POST requests (for requests which have side effects). But the thing is that we can forge a POST request as well with a form submission, because the same-origin policy does not apply to plain HTML form submissions. But it applies to requests which are generated with JS.
So if you use an ajax POST request, you are safe if you are using a JSON payload.
Because a URL-encoded payload (POST request) can be forged with a form submission from other sites.
If you use JSON, you are safe, as it is not possible to send a plain-text payload (without URL form encoding) with an HTML form submission. Because with an ajax POST request, if you use a URL-form-encoded data payload, it can be forged with a POST form submission.
This is how we solved the problem with CSRF token in Ajax requests
http://mylifewithjava.blogspot.com/2010/11/implicit-csrf-protection-of-ajax_22.html
The fact that you are using Ajax doesn't mean that others have to as well. Your server won't be able to distinguish a request made by XHR from one made by <form> submission. (Yes XHR usually adds a header identifying itself, but this is not hard to spoof.)
So yes, you do need to consider CSRF attacks.
Edit
Django have a POC, which is why they and Ruby on Rails now implement CSRF protection on AJAX requests.
Once again, please check your facts before downvoting, and explain what the downvote is for.