Codeigniter Ajax Forbidden

Question

I'm so confusing of this forbidden issue. First of all I checked related stackoverflow posts and googled enough but still have no idea.

Project Details:

- Currently used libraries:
    1. Carabiner (https://github.com/bcit-ci/CodeIgniter/wiki)
    2. Template (https://github.com/jenssegers/codeigniter-template-library)
    3. hmvc
    3. instagram_api 

- CSRF Protection turned on (I don't want false the protection)

- Followed main posts
    1. https://stackoverflow.com/questions/40225908/ajax-post-not-working-codeigniter
    2. https://stackoverflow.com/questions/22527412/403-forbidden-access-to-codeigniter-controller-from-ajax-request

- ISSUE: 403 Forbidden ("The action you have requested is not allowed.")

HTML

instagram.php

form_open() function generates hidden field for access token and it is included in ajax posting data.

<input type="hidden" name="csrf_token_localhost" value="3f5887fd41ac4eaa9b558afa7cb4a6de">

...
<?php echo form_open('admin/getInstagramAccessToken', array('id' => 'instagram_settings', 'class' => 'form-horizontal row-border')); ?>
...
    <div class="col-sm-8 col-sm-offset-2">
        <?php  echo form_submit('submit', 'Get my access token', ['class' => 'btn-primary btn btn-get-token']); ?>
    </div>
...
<?php echo form_close(); ?>

Javascript

adminscript.js

$('#instagram_settings').submit(function( event ) {
    var posting_data = $( this ).serializeArray();
    event.preventDefault();
    
    $.ajax({
        type: 'POST',
        dataType: 'json',
        async: true,
        cache: false,
        data: posting_data,
        url: 'admin/getInstagramAccessToken',
        success: function(json) {

            try{
                console.log(json);
            }catch(e) {
                console.log('Exception while request..');
            }

        },
        error: function(jqXHR, textStatus, errorThrown) {
            console.log(jqXHR, textStatus, errorThrown);
        },
        complete: function() {
            console.log('ajax complete');
        }
    })

Controller

Admin.php

public function getInstagramAccessToken() 
{
    if ($this->input->is_ajax_request()) 
    {
        $response['status'] = 'success';
        echo json_encode($response);
    }
    else
    {
        // if the request if not ajax then show 404 error page
        show_404();
    }
    
}

When I make the csrf protection status false they all work fine. Or when I changed the post type from "post" to "get". But I want to keep the status true and using "post" method.

Dropbox link for two images:

1. Hidden csrf token field after form load

2. Posting Datas

https://www.dropbox.com/sh/e93ubgwzv9zir5j/AAA6vf5IWc1m7rtpGWGCpub4a?dl=0

Answer 1

You can by pass this issue by sending the CSRF token with your AJAX request. This is occurring because you have put CSRF protection in 'ON' mode. This can be bypassed only if you sent the request through GET or explicitly put CSRF 'OFF', which of course is not advised.

So the solution is to include the CSRF token in your AJAX requests.

Read this post, to know more about putting CSRF tokens on AJAX requests.

EDIT: Ideally, you shoud send the CSRF token through your data option in ajax requests. Check this link for more info

Answer 2

Please add this snippet in your every form which have type POST.

             <?php  $csrf = array(
            'name' => $this->security->get_csrf_token_name(),
            'hash' => $this->security->get_csrf_hash()
             ); ?>   
              <input type="hidden" name="<?php echo $csrf['name']; ?>" 
              value="<?php echo$csrf['hash']; ?>" />