views:

1487

answers:

5

Hi,

I'm trying to submit a form using jQuery in symfony 1.4, but a "CSRF attack detected" error pops up each time. This is the code I use to submit the form data:

// Posts the assign form to its own action URL; the token is read from the
// hidden activity[_csrf_token] field rendered by symfony.
$.ajax({
      type: 'post',
      cache: false,
      url: $('#assign-form form').attr('action'),
      // query string built by concatenation (values are not URL-encoded)
      data: (
        'activity[id]=' + $('#activity_id').val() +
        '&activity[_csrf_token]=' + $('#activity__csrf_token').val() +
        '&activity[assigned_to_user_id]=' + $('#activity_assigned_to_user_id').val() +
        '&activity[assigned_to_group_id]=' + $('#activity_assigned_to_group_id').val()
      )
});

Am I missing something?

Thanks, Radu.

A: 

One thing to look at is whether the Form object that is validating the input is the exact same class as the one that generated the token. By default, the class is used in the generation of the CSRF token.

If, for example, you had an instance of a subclass of a form used to generate the form html and then you posted to an action that used the ancestor form class, the validation would most likely fail by default.

It's possible to override the token creation if it turns out this is your issue.

Also, have you verified that the value of the token field actually includes a token? A console.log() may help you discover this.

Um...as I look closer at your code, another thing to look at is that you're building a query string to pass in 'data'. Have you tried passing an actual JSON-style object instead?

Darryl H. Thomas
The form class is the same. Never worked with JSON-style objects before... any articles I should read to get started?
Radu Dragomir
By JSON-style objects, I simply mean use a JavaScript object to store key/value pairs. Ultimately $.ajax() will be converting this to a query string for you, but it can make things a bit more readable and easier to extend.

Here's a pastie of what the code above might look like when using a JSON-style object: http://pastie.org/812536

Tons of articles regarding JSON out there, but I'm not sure of a definitive one to suggest. To familiarize yourself with JSON concepts, however, the best place to start is http://json.org/

Cheers.
Darryl H. Thomas
A: 

The usual cause is that the browser is not accepting cookies - have you checked that the cookies are being returned as expected (e.g. iehttpheaders, wireshark, tamperdata)?

Did you configure the secret in settings.yml?

C.

symcbean
The browser is accepting cookies. Yes, the configuration in security.yml is:

csrf_secret: 42f41325ba2c6809722d2b164f954f74c1b82fdb
Radu Dragomir
A: 

This little issue has driven me mad in the past.

If it's acceptable to you to disable CSRF protection for this particular form (which it often can be), you can add the following to your Form class in /lib/form/... folder:

// in your form class under lib/form/: turn CSRF protection off for this form only
public function configure()
{
  $this->disableLocalCSRFProtection();
}

I believe it's possible to disable CSRF for a particular instance of the form as well if you don't always wish to have it disabled, but I haven't tried this / don't have the code at hand.

Tom
You can use the following code in your action to disable the CSRF protection for a particular instance of the form:

$form = new MyForm();
$form->disableLocalCSRFProtection();
Radu Dragomir
A: 

Is the session cookie really received with the ajax query? Your session cookie as returned by the server should be exactly the same with a plain HTTP request (for instance the first request initiating session management) and with XMLHttpRequest; otherwise you'll get trouble with CSRF.

Benoit
A: 

$('#activity__csrf_token').val()

Did you mean to have a double underscore in that element id?

jrizza