Here is how I add the csrf to the form
$this->addElement('hash', 'csrf', array('ignore' => false));
When this happens the session is created, Then when the user sends an ajax request, the values in the request are validated by creating an instance of the form, and the form is always valid for the first ajax request since the beginning of initial request which created the html output,
When the ajax request has been sent for the second time something different happens,
That instance of the form has a different csrf value than the originally made one, and when my code is done, the originally created session is destroyed as well, so there is no session to check the received the values against, and hence the form doesn't validated and the following error occurs.
No token was provided to match against
Any ideas at which event, the csrf values of the form are automatically stored in the session?
The hash value is generated at render time and invalidated after the each request.
If you want to continue using Zend_Form_Element_Hash in your AJAX form where the form may submit several times, your AJAX response should include the new hash value. Upon receiving the response, you should update the form data.
There s a solution without any to render in the view : Totaly ajax !
How to use Zend Framework Form Hash (token) with AJAX
Related
When I add things to the Session with Session::put() in my controller action, then that data is not available in my view, with Session::get() when doing AJAX request.
The same problem goes for the Former package, which I use for nice form building. It relies on passing some info via the Session, which is used to mark fields as valid/invalid. This functionality is also not working when using AJAX.
I set a view like always, in my View:
$this->layout->content = View::make('account.login')
For AJAX requests, I do NOT render the normal way with layout, but instead get the specific "content" section of the template and return it:
$this->layout->content->renderSections()['content']
When I do a "normal" request, then Session data works fine.
When I do an AJAX request, then Session data set in the controller DURING the AJAX call is ignored. Any Session data set BEFORE the AJAX call is available.
I'm wondering if Laravel has some issue with Session under AJAX calls, or with the the "renderSection()" method above?
I have checked all the obvious problems:
AJAX request uses the same session ID as non-AJAX request.
GET/POST verbs are used correctly etc.
Replicate:
In CONTROLLER action: Session:put('foo','bar');
In VIEW file (in the content part): Session:put('foo2','bar2');
In VIEW file (in the content part): var_dump(Session::get('foo','bar')); // Returns 'bar' in non-AJAX calls, but returns nothing for AJAX calls (!!!)
In VIEW file (in the content part): var_dump(Session::get('foo2')); // Returns 'bar2' in both AJAX and non-AJAX calls as expected.
It seems like the Session values set in the controller action ARE LOST when it renders the view. Therefore my question if this is 1) an AJAX vs. SESSION issue in Laravel, or 2) an Session vs. renderElement() problem that I am not aware of?
I had the same problem and just found a potential solution:
I found a similar problem relating to laravel 3. For the session to persist in an ajax call you need to return the response correctly.
return json_encode($response);
This is causing the problem. It's not it appears a valid response to enable the session to persist. Change it to:
return Response::json($response);
This enables the session to persist!
For some reason a normal form submit or call to the method allows the first one but ajax does not.
I've seen references elsewhere about echo statements in the method affecting the session - the return I suppose must behaving similar to an echo
This is the post that triggered the solution:
http://forumsarchive.laravel.io/viewtopic.php?id=1304
I am experimenting with PHP's use_trans_sid.
I set use_trans_sid to 1.
With that, PHP will propagate session id to urls and forms.
In my case, I have ajax requests. Each request being sent to a controller (Yii controller). The controller will respond in json objects.
If the json object contain a form, PHP will insert a hidden variable (input type hidden). Somehow, this insertion interfering the ajax request, it causes the ajax request to fail.
Is there a way to make ajax request success with such insertion?
CodeIgniter gives an error "The action you have requested is not allowed." when it fails the check for CSRF. As I understand it, this means the POST is missing the hidden token from the form that proves that an attack is not being done.
The token is generated automatically with a call to the CI form_open function.
In my case, I'm using Knockout to post the contents of a ViewModel for saving, like this:
ko.utils.postJson($("form")[0], self.pages);
I've found solutions elsewhere that simply turn off the CSRF setting for the specific page, but that doesn't seem like a good solution.
Presumably because the token is not being received, the postJson call is not submitting the existing form. Is there a way to either submit the required token along with the JSON data or submit the JSON data with the existing form?
try to use form_open() and form_close
all form helper functions that will help.
or: I think it's from time zone difference as the Security class depends on time for hashing.
I am looking to better understand the typical approach to form validation with AJAX.
I have found some information on this approach but it is hard sometimes to decipher what is the standard practice and what is a hack.
In my scenario, which is a common one, I have a dynamic form that the user submits and I want to ensure that the form input is valid. If the form input does not pass validation, I want to re-display the form with the input submitted and display an error message.
From what I have read, it appears the best practice approach is to perform an AJAX POST on submit, essentially posting the entire form. The server processes the AJAX post validating the posted items, and if all the items are valid, they are operated on (updates, inserts, etc to database). Finally, the AJAX response returns the validation result. If the validation result indicates success, a simple redirect occurs (the form is not re-posted since the form input was already processed and committed to the DB in the AJAX request). If the validation result indicates an error, the error is displayed and the redirect does not occur.
Is this the correct approach?
Should the form input be processed during the AJAX POST, leaving just a redirect on the callback, or is it best to process the form input after the callback by re-posting the form?
It doesn't make sense to me to re-post the form. In that case, I would think you'd have to validate the data twice for security reasons...both on the AJAX post and the re-post.
It is also possible I missed an even better, more standard approach. Thanks.
I would like to validate both single field and multiple field data from a CakePHP form.
The single field validation should be done on blur from each field while the multiple field validation should be done on submitting the form.
I would like to use the $validate property declared in the Model for validating data and I would like to display the errors near each field (single field validation) and on top of the form (for multiple field validation).
My main goal is to achieve this the most "caky" way (if there is one for validating data with jQuery). I couldn't find any useful advice out there and I'm asking you for some help to get this going.
One of my concerns is how shall I pass data from the form to jQuery and then to the action that does the validation and also how shall I return and display the errors, if there are any.
Thank you in advance!
I'd suggest first making sure everything works without jQuery, then use the jQuery Form plugin to submit your forms via AJAX. If you include the RequestHandler component in your AppController, you should find that your controllers distinguish automatically between AJAX and synchronous requests.
OK, so I coded my own solution to this, but I am still waiting for a more "caky" approach.
I made two generic jQuery functions, one for single field validation and one for multiple field validation. The function should grab the data from the specified form and send it to the form's action via AJAX, to a specially created controller method which will attempt to validate data and output an AJAX response ("" for validation has passed and errors for errors in validation). Then, the result is checked in the jQuery function and the default form behaviour is triggered only if the validation has passed. Otherwise, display the errors and return false; to prevent default submission.