JavaScript
DrunkMaster, 2017-08-29 17:38:59

What to do with CSRF on AJAX requests?

The CSRF token is generated on the server and placed on the page as a hidden input field.
The user fills out the form and submits it to the server. The PHP script compares the CSRF token with the one in the session; everything is OK, we execute the request and return the result.
The main thing is that the response comes back to the page without reloading it, which means the CSRF token stays the same, which means that now, until the session ends, you can send any number of requests and all of them will be executed.
How to avoid it?


1 answer(s)
Andrei Smirnov, 2017-08-29
@pinebit

Literally just solved the same problem: I inserted sending/receiving a "token" into the main AJAX request handler (the general code that handles all of the site's requests). We send/receive it in HTTP headers. Don't forget to add the header X-Requested-With: XMLHttpRequest. It is not necessary to store the token in a hidden field. Depending on the stack, it lives in either a global variable, a redux store, or an angular service.
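Below is an added example (not code from either the question or the answer above) of the flow the question describes and the header-based approach the answer recommends: a small AJAX client that keeps the token in memory, sends it in a request header on every state-changing request together with X-Requested-With, and picks up a rotated token from the server's response header. The header name X-CSRF-Token and the per-request rotation scheme are assumptions; the backend has to use the same names. Since the PHP script is not on the page, a constructed in-memory stand-in for it is included so the whole exchange runs offline in Node.

```javascript
// Added example, not from the original post. Header name and rotation scheme are assumptions.
const CSRF_HEADER = "X-CSRF-Token";
const UNSAFE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Client side: the token store the answer mentions (global / redux / service),
// wrapped together with the fetch call so every request goes through one place.
// fetchImpl is injectable so the client can be exercised against a stub.
function createCsrfClient(initialToken, fetchImpl = globalThis.fetch) {
  let token = initialToken;

  // Only state-changing methods carry the token; GET/HEAD must stay side-effect free.
  function buildHeaders(method, extra = {}) {
    const headers = { ...extra, "X-Requested-With": "XMLHttpRequest" };
    if (UNSAFE_METHODS.has(method)) {
      if (!token) throw new Error("CSRF token not initialised");
      headers[CSRF_HEADER] = token;
    }
    return headers;
  }

  async function request(url, options = {}) {
    const method = (options.method || "GET").toUpperCase();
    const response = await fetchImpl(url, {
      ...options,
      method,
      credentials: "same-origin", // send the session cookie, never cross-site
      headers: buildHeaders(method, options.headers),
    });
    // If the server issued a fresh token, replace the stored one before anything else.
    const rotated = response.headers.get(CSRF_HEADER);
    if (rotated) token = rotated;
    if (response.status === 403) {
      throw new Error("request rejected: CSRF check failed");
    }
    return response;
  }

  return { request, buildHeaders, getToken: () => token, setToken: (t) => { token = t; } };
}

// Constructed stand-in for the PHP backend (not the poster's script): validates the
// headers the way the server-side check would and rotates the token after each use.
function makeFakeBackend(sessionToken) {
  let current = sessionToken;
  let counter = 0;
  const respond = (status, body, extra = {}) => ({
    status,
    headers: new Map(Object.entries(extra)), // Map.get mimics Headers.get for the demo
    json: async () => body,
  });
  return async function fakeFetch(url, options = {}) {
    const headers = options.headers || {};
    if (headers["X-Requested-With"] !== "XMLHttpRequest") {
      return respond(403, { error: "not an AJAX request" });
    }
    if (UNSAFE_METHODS.has(options.method)) {
      if (headers[CSRF_HEADER] !== current) {
        return respond(403, { error: "bad CSRF token" });
      }
      current = `token-${++counter}`; // rotate: the old value is now dead
      return respond(200, { ok: true, url }, { [CSRF_HEADER]: current });
    }
    return respond(200, { ok: true, url });
  };
}

// Runs the full exchange and returns the observations worth checking.
async function demoExchange() {
  const backend = makeFakeBackend("token-0");
  const client = createCsrfClient("token-0", backend);

  // 1. Legitimate POST: accepted, and the client now holds the rotated token.
  const first = await client.request("/api/items", { method: "POST", body: "name=x" });
  const tokenAfterFirst = client.getToken();

  // 2. Replay the already-used token: the server must reject it.
  client.setToken("token-0");
  let replayRejected = false;
  try {
    await client.request("/api/items", { method: "POST", body: "name=x" });
  } catch (e) {
    replayRejected = true;
  }

  // 3. A plain GET carries no token and is still served.
  const read = await client.request("/api/items");

  // 4. What a cross-site form post looks like to the server: no custom headers at all.
  const bare = await backend("/api/items", { method: "POST", headers: {} });

  return {
    firstStatus: first.status,
    tokenAfterFirst,
    replayRejected,
    readStatus: read.status,
    bareStatus: bare.status,
  };
}

demoExchange().then((result) => console.log(result));
```

Two points worth keeping in mind when using this pattern. Requiring X-Requested-With (or any custom header) is a real defence only because browsers will not attach custom headers to a cross-site form submission, and will send a CORS preflight for a cross-origin XMLHttpRequest; a CORS policy that reflects arbitrary origins with credentials undoes it. And the single per-session token the question worries about is the ordinary synchronizer-token pattern and is not itself a weakness: the cross-site attacker can trigger requests but cannot read the token from the victim's page. Rotating it per request, as above, only shortens the window if the token leaks some other way, at the cost of breaking concurrent requests and the back button unless the server tolerates the previous token for a short time.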
