Yii Framework Forum: Cross-site Request Forgery Prevention on Inside Requests - Yii Framework Forum

#1 thiagovidal

Posted 01 July 2010 - 08:36 AM

Following this topic
http://www.yiiframew...gery-prevention
I enabled the Cross-site Request Forgery Prevention to secure my site.

config/main.php

...
'components'=>array(
    'request'=>array(
        'enableCsrfValidation'=>true,
    ),
),
...

Now my JavaScripts don't work properly 'cause they send CSRF via code to my controllers. What can I do to use this feature of the framework and get my JavaScripts working? I know the CHtml::form generates the correct values to send to the controller to prevent this. How can I get this working with GET requests?

#2 sergeymorkovkin

Posted 15 July 2010 - 06:39 AM

thiagovidal, on 01 July 2010 - 08:36 AM, said:

Following this topic
http://www.yiiframew...gery-prevention
I enabled the Cross-site Request Forgery Prevention to secure my site.

config/main.php

...
'components'=>array(
    'request'=>array(
        'enableCsrfValidation'=>true,
    ),
),
...

Now my JavaScripts don't work properly 'cause they send CSRF via code to my controllers. What can I do to use this feature of the framework and get my JavaScripts working? I know the CHtml::form generates the correct values to send to the controller to prevent this. How can I get this working with GET requests?


Make your scripts send GET requests instead of POST. This will help.
On the other hand, if you need to post with JavaScript to controllers,
you will need to manually add the CSRF token to your posted data. See
CHtml::beginForm for details.

Finally, if you have CSRF enabled and use a kind of service listening
for POST requests from other websites (for example, payment gateways),
you will need to override CHttpRequest and implement an exclusions mechanism.
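Added example (not part of the original posts): one way to do what post #2 describes, attaching the CSRF token to a POST sent from JavaScript. It assumes the default Yii 1.x token name YII_CSRF_TOKEN and a form rendered by CHtml::beginForm; tokenFromForm, csrfPost, the sample origin and the sample route are hypothetical names made up for this illustration.

```javascript
// Added example, not code from the thread. YII_CSRF_TOKEN is the default
// CHttpRequest::csrfTokenName in Yii 1.x; change it if your config overrides it.
const TOKEN_NAME = 'YII_CSRF_TOKEN';

// Find the hidden field that CHtml::beginForm() renders into a POST form.
// `elements` is array-like of {name, value}; in a browser pass form.elements.
function tokenFromForm(elements, name = TOKEN_NAME) {
  const field = Array.from(elements).find((el) => el.name === name);
  if (!field || !field.value) {
    throw new Error('CSRF field "' + name + '" not found in form');
  }
  return field.value;
}

// Build the arguments for fetch(). The token is added to the POST body only
// when the target is same-origin, so it is never sent to another site.
function csrfPost(url, data, token, pageOrigin, name = TOKEN_NAME) {
  const target = new URL(url, pageOrigin);
  const body = new URLSearchParams(data);
  if (target.origin === new URL(pageOrigin).origin) {
    body.set(name, token); // replaces any caller-supplied value
  }
  return {
    url: target.href,
    init: {
      method: 'POST',
      credentials: 'same-origin', // the session and CSRF cookies go along
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Constructed sample input standing in for a rendered form and page origin.
const sampleForm = [
  { name: 'YII_CSRF_TOKEN', value: 'constructed-token+/=' },
  { name: 'Comment[text]', value: '' },
];
const sampleRequest = csrfPost(
  '/index.php?r=comment/create',
  { 'Comment[text]': 'hi there' },
  tokenFromForm(sampleForm),
  'https://app.example'
);
// In a browser: fetch(sampleRequest.url, sampleRequest.init)
```
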

#3 thiagovidal

Posted 15 July 2010 - 09:13 AM

waylex, on 15 July 2010 - 06:39 AM, said:

Make your scripts send GET requests instead of POST. This will help.
On the other hand, if you need to post with JavaScript to controllers,
you will need to manually add the CSRF token to your posted data. See
CHtml::beginForm for details.

Finally, if you have CSRF enabled and use a kind of service listening
for POST requests from other websites (for example, payment gateways),
you will need to override CHttpRequest and implement an exclusions mechanism.


Thanks dude. I got it working now.