BonBon Slick, 2018-08-16 19:06:04
symfony

CSRF invalid if ajax?

<meta name="csrf-token" content="{{ csrf_token('default') }}">

...

 $.ajax({
     url: deleteRoute,
     beforeSend: function(xhr) {
         // send the token rendered into the <meta> tag as a request header
         xhr.setRequestHeader('X-CSRF-Token', $('meta[name="csrf-token"]').attr('content'));
     },
     type: 'POST',
     data: {
         "_method": 'DELETE',
     },
 });

...

 public function delete(Request $request, string $uuid) : RedirectResponse
 {
     // token from a form field, falling back to the header set by the ajax call
     $csrfToken = $request->request->get('csrf_token') ?? $request->headers->get('X-CSRF-Token');
     dump($csrfToken); // example: bIGomIbrDFPW6hhmbX2TNdcYBNEJONjbgeRpvti6QoE
     $validateToken =
         $this->csrfTokenManager->isTokenValid(
             new CsrfToken(
                 'default',
                 $csrfToken
             )
         );
     dump($validateToken); // always false
     die;
 }

It is false because there is another token in the storage for the same id:
CsrfTokenManager.php on line 74:
SessionTokenStorage {#275
  -session: Session {#274
    #storage: NativeSessionStorage {#273
      #bags: array:2 [
        "attributes" => SessionBagProxy {#265
          -bag: AttributeBag {#267
            -name: "attributes"
            -storageKey: "_sf2_attributes"
            #attributes: &1 array:5 [
              "_csrf/https-delete" => "C7PapF_4VbhoJUOxtUeayZnosrF3cL27SMWRVn3QgOw"
              "_security_admin_area" => .....
              "_csrf/https-logout" => "_lvGpx7Gk2pMoFpLt-qqYTexEfzK7mCTzFxbNvO0qig"
              "oldInput" => []
              "_csrf/https-default" => "gWa95mnH89gofqR-WSs0PBRI8WEYpJ7b4erWF44R9Sk"
// for id default it should be bIGomIbrDFPW6hhmbX2TNdcYBNEJONjbgeRpvti6QoE
            ]

And if it is a regular form, everything works; apparently the server generates another token for this id when the ajax request comes in.
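One mechanism by which the session can hold a second token for the same id, shown as an added PHP example that is not code from the question: Symfony's CsrfTokenManager prefixes the id with "https-" for secure requests (the "_csrf/https-default" key in the dump is that prefix), so a token rendered under one scheme is not the token looked up under the other. It assumes Symfony 4.x installed via Composer and uses a hypothetical ArrayTokenStorage in place of SessionTokenStorage; whether this is the cause in the question is not established by the dump.

```php
<?php
// Added example (not from the question). Assumes symfony/security-csrf and
// symfony/http-foundation 4.x; ArrayTokenStorage is a hypothetical stand-in for
// SessionTokenStorage so the namespaced keys the manager writes can be inspected.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManager;
use Symfony\Component\Security\Csrf\Exception\TokenNotFoundException;
use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;

final class ArrayTokenStorage implements TokenStorageInterface
{
    public $tokens = [];

    public function getToken($tokenId)
    {
        if (!isset($this->tokens[$tokenId])) {
            throw new TokenNotFoundException();
        }
        return $this->tokens[$tokenId];
    }
    public function setToken($tokenId, $token) { $this->tokens[$tokenId] = $token; }
    public function removeToken($tokenId) { unset($this->tokens[$tokenId]); }
    public function hasToken($tokenId) { return isset($this->tokens[$tokenId]); }
}

$storage = new ArrayTokenStorage();
$requests = new RequestStack();
// Passing the RequestStack makes the manager derive the "https-" namespace from the current request.
$manager = new CsrfTokenManager(null, $storage, $requests);

// 1. The page carrying the <meta> tag is rendered over HTTPS: stored under "https-default".
$requests->push(Request::create('https://app.example/items'));
$rendered = $manager->getToken('default')->getValue();
$requests->pop();

// 2. The same token validated on a request PHP sees as plain HTTP (e.g. TLS ended at an untrusted proxy):
//    the lookup key is "default", nothing is stored there, so the check fails.
$requests->push(Request::create('http://app.example/items/1', 'POST'));
$validOverHttp = $manager->isTokenValid(new CsrfToken('default', $rendered)); // false
$requests->pop();

// 3. Validated on an HTTPS request it matches the stored "https-default" token.
$requests->push(Request::create('https://app.example/items/1', 'POST'));
$validOverHttps = $manager->isTokenValid(new CsrfToken('default', $rendered)); // true
$requests->pop();

var_dump(array_keys($storage->tokens), $validOverHttp, $validOverHttps);
```

Comparing the scheme of the request that rendered the page with the one that carries the ajax call (and the session id on both) narrows down where the mismatch comes from.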
