Answer the question
In order to leave comments, you need to log in
What to do with CSRF on AJAX requests?
The CSRF is generated on the server and displayed on the page as a hidden input field.
The user fills out the form and sends it to the server. The PHP script compares the csrf label with the one in the session - everything is OK, we execute the request, we return the result.
The main thing is that the response returns to the page without reloading it with the backend, which means that the csrf label remains the same, which means that now, until the session ends, you can send any number of requests and all of them will be executed.
How to avoid it?
Answer the question
In order to leave comments, you need to log in
Literally just solved the same problem, inserted sending/receiving a "label" into the main AJAX request handler (general code that handles all site requests). We send/receive in HTTP headers. Don't forget to add a title X-Requested-With: XMLHttpRequest
. It is not necessary to store the label in a hidden field. Depending on the stack - either a global variable, or a redux store, or an angular service.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question