
So I planned to implement CSRF protection on my website and set what's needed, which I think I set correctly, but I'm still having an issue with the AJAX submit form.

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_token_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = FALSE;
$config['csrf_exclude_uris'] = array();

This is what I have in my config, where I set $config['csrf_regenerate'] = FALSE; to prevent the token being regenerated on every submission (based on this discussion: Ajax CSRF 403 forbidden codeigniter).

And for my form, instead of using the HTML form tag, I use form_open() and form_close().

Ajax submit form:

$('#formData').on('submit', function(e){
    e.preventDefault();
    // Serialise the whole form (including the hidden CSRF input) as multipart
    var formData = new FormData($(this)[0]);

    $.ajax({
        type: 'post',
        cache : false,
        processData: false,
        dataType: 'json',
        url: 'example.com.sg/login/verify',
        data: formData,
        success: function (res) {
            if(res.status === true){
                window.location.href = res.redirect;
            }
        },
        error: function(err){
            console.log(err.responseText);
        }
    });
});

PHP function

public function verify(){
    $this->form_validation
        ->set_rules('email', 'Email', 'trim|required|valid_email')
        ->set_rules('password', 'Password', 'trim|required');

    if($this->form_validation->run() === TRUE){
        // do email and password verification
        echo json_encode([ 'status' => true, 'redirect' => base_url('dashboard') ]);
    } else {
        $this->returnFormError($this->form_validation->error_array());
    }
}

If I change the AJAX type to GET it works, but not with POST. When viewing the code in the console, my form has the CSRF token included as a hidden input.

Leon
  • It's a bit less information, I think - take a look at your browser's console (in Chrome it's the Network tab) - this post should help you https://stackoverflow.com/questions/15603561/how-can-i-debug-a-http-post-in-chrome - and analyze your data in the Headers tab - if you don't see the CSRF information there, something went wrong – Atural Apr 29 '20 at 10:26
  • @sintakonte sorry for the late reply. I have checked the console in the Network tab, Headers section, and I can see the CSRF information there. – Leon May 08 '20 at 03:28
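Added example, not code from the question or the answer: the browser side of the flow described above, written in plain JavaScript with fetch rather than jQuery so that the pure helpers can run outside a browser. It assumes the field and cookie names from the question's config (csrf_token_name / csrf_cookie_name) and the CodeIgniter controller shown above as the endpoint. Two points a practitioner checking such a setup should keep in mind: CodeIgniter 3 runs its CSRF check only on POST requests and compares the posted csrf_token_name field against the csrf_cookie_name cookie, so a GET that "works" means the check was skipped, not that the token was accepted; and when jQuery sends a FormData body with processData: false but without contentType: false, it labels the multipart body as application/x-www-form-urlencoded, PHP leaves $_POST empty, the token field is never seen and the request is rejected with 403. The handler below avoids that by letting the browser set the Content-Type itself.

```javascript
// Added example (not from the question or the answer): the browser side of a
// CodeIgniter-style CSRF submission, without jQuery. Field and cookie names
// are taken from the question's config; the server is assumed to be the
// CodeIgniter controller shown in the question.
const CSRF_COOKIE_NAME = 'csrf_cookie_name';
const CSRF_TOKEN_NAME = 'csrf_token_name';

// Read one cookie out of a document.cookie-style string.
// Returns null when it is absent so the caller can refuse to submit.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) {
      return decodeURIComponent(rest.join('='));
    }
  }
  return null;
}

// Given the form's [name, value] entries, return the entries to send with
// exactly one CSRF field whose value is the current cookie value. The server
// compares the POSTed field to the cookie, so the cookie is authoritative:
// a stale hidden input (page rendered before the cookie changed) is replaced.
function attachCsrfToken(entries, cookieString) {
  const token = readCookie(cookieString, CSRF_COOKIE_NAME);
  if (token === null) {
    throw new Error(`CSRF cookie "${CSRF_COOKIE_NAME}" is not set; refusing to submit`);
  }
  const withoutToken = entries.filter(([name]) => name !== CSRF_TOKEN_NAME);
  return [...withoutToken, [CSRF_TOKEN_NAME, token]];
}

// Browser-only submit handler (needs DOM and fetch; not exercised offline).
async function submitForm(form) {
  const entries = attachCsrfToken(
    Array.from(new FormData(form).entries()), document.cookie);

  const body = new FormData();
  for (const [name, value] of entries) body.append(name, value);

  // Deliberately no Content-Type header: the browser emits
  // "multipart/form-data; boundary=..." for a FormData body. This is what
  // jQuery's `contentType: false` (next to `processData: false`) achieves;
  // without it the body goes out labelled x-www-form-urlencoded, PHP leaves
  // $_POST empty, the token field is never seen and the server answers 403.
  const response = await fetch(form.action, {
    method: 'POST',
    body,
    credentials: 'same-origin', // the CSRF cookie must travel with the request
    headers: { 'X-Requested-With': 'XMLHttpRequest' }
  });
  if (!response.ok) {
    throw new Error(`verify failed with HTTP ${response.status}`);
  }
  return response.json();
}

// Wire-up, guarded so the module also loads outside a browser.
if (typeof document !== 'undefined') {
  document.getElementById('formData')?.addEventListener('submit', (event) => {
    event.preventDefault();
    submitForm(event.currentTarget)
      .then((res) => { if (res.status === true) window.location.href = res.redirect; })
      .catch((err) => console.error(err));
  });
}
```

When debugging, the Headers tab mentioned in the comments is the place to confirm both halves: the request's Content-Type must start with multipart/form-data (or application/x-www-form-urlencoded for a plain serialised form), and the Cookie header must carry csrf_cookie_name with the same value as the csrf_token_name field in the request body.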

1 Answer


// in config.php - update this first
$config['encryption_key'] = 'some key';

rajratna maitry