1
votes

When posting a form with a csrf token, $this->input->post("csrf_token") is empty.

I could post a duplicate csrf_token using another field name. But that looks a bit unnecessary. Is there (another) way to get it?


All is done using AJAX. So first of all, a token must be requested, and is provided using a json template, populating it this way:

$data["json"] = array(
    "csrf_token" => $this->security->get_csrf_hash()
);

Using that token, an AJAX POST request is done, sending the user login and password. If ?debug is added to the request URL, and the ENVIRONMENT is not production, the complete POST request parameters are added to the JSON output. Like so:

if( !is_null($this->input->get("debug")) && ENVIRONMENT != 'production'){
    $debug = TRUE;
    $data["json"]["post"] = $this->input->post();
}

And I get:

"post": {
    "un": "test",
    "pw": "test"
}

Adding $data["json"]["old_token"] = $this->input->post("csrf_token"); gives me "old_token": null

The cross-site request forgery protection itself works as expected: no token, wrong token or expired token gives an error. So CodeIgniter does receive the token as it is supposed to. It seems to be removed from the post data.

1
Did you try ci_csrf_token instead of csrf_token? - Indrasinh Bihola
I tried, but still null - Diederik

1 Answer

3
votes

After some poking around, I've found the answer. The security class removes the token from the POST array: unset($_POST[$this->_csrf_token_name]); (core/Security.php in csrf_verify() at line 234)

I won't change that line, to be sure the controller keeps functioning after updating CodeIgniter.
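As an added illustration (this is not code from the question or the answer, and not CodeIgniter's own code), the controller below shows the practical consequence of that unset(): by the time the controller method runs, csrf_verify() has already compared the posted token with the cookie and removed it from $_POST, so the right place to read the token is $this->security->get_csrf_hash(), which returns the hash that is valid for the next request. It assumes a CodeIgniter 2.x/3.x install with $config['csrf_protection'] = TRUE and $config['csrf_token_name'] = 'csrf_token'; the Auth_model class and its check() method are hypothetical placeholders for whatever verifies the login.

```php
<?php
// Added example, not from the original page: a CodeIgniter controller that
// returns the CSRF hash the AJAX client must use next, instead of trying to
// read it back from $_POST, where csrf_verify() has already unset it.
// Assumptions: CodeIgniter 2.x/3.x, csrf_protection enabled, csrf_token_name
// set to 'csrf_token'. Auth_model / check() are hypothetical placeholders.
defined('BASEPATH') OR exit('No direct script access allowed');

class Login extends CI_Controller
{
    // GET /login/token - hand the current token (and its field name) to the
    // AJAX client so it does not have to hard-code either value.
    public function token()
    {
        $this->_json(array(
            'csrf_name'  => $this->security->get_csrf_token_name(),
            'csrf_token' => $this->security->get_csrf_hash(),
        ));
    }

    // POST /login/auth - the Security class has already rejected a missing,
    // wrong or expired token before this method runs, and it has removed the
    // token field from $_POST. Only the application fields remain.
    public function auth()
    {
        $un = $this->input->post('un');
        $pw = $this->input->post('pw');

        $this->load->model('auth_model');          // hypothetical model
        $ok = (bool) $this->auth_model->check($un, $pw);

        $data = array(
            'ok' => $ok,
            // Always NULL here: csrf_verify() did unset($_POST['csrf_token']).
            'old_token' => $this->input->post('csrf_token'),
            // The hash that will be accepted on the *next* request. If the
            // install regenerates the hash per request (csrf_regenerate in
            // CodeIgniter 3) this differs from the one just submitted, so the
            // client must replace its stored copy with this value.
            'csrf_token' => $this->security->get_csrf_hash(),
        );

        // Debug dump of the remaining POST fields, never in production.
        // isset($_GET[...]) is used because $this->input->get() returns FALSE
        // for a missing key on CI 2 and NULL on CI 3.
        if (isset($_GET['debug']) && ENVIRONMENT !== 'production') {
            $data['post'] = $this->input->post();  // no csrf_token in here
        }

        $this->_json($data);
    }

    // Emit a JSON body with the correct content type.
    private function _json(array $data)
    {
        $this->output->set_content_type('application/json');
        $this->output->set_output(json_encode($data));
    }
}
```

On the client, store the csrf_token value from every JSON response and send it as the field named by csrf_name on the following POST; reading it from the response rather than from the submitted form also keeps the flow working when the hash is regenerated on each request.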