The following warnings occurred:
Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.1.2-1ubuntu2.14 (Linux)
File Line Function
/global.php(961) : eval()'d code 26 errorHandler->error
/global.php 961 eval
/showthread.php 28 require_once





× This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Multiple Forms
#11
I've tried the token in head you suggested but no dice, get "token does not match" the problem is the token is generated on page load so will still generate in the header, back to drawing board, prob will ajaxify all pages which should resolve that, done one page with 2 forms, just have to try remember how to refresh page content without reload lol
  Reply
#12
Here is the code I use in my header:

Code:
// CSRF check
Code:
if (!empty($_POST)) {
Code:
$tokenPost = Input::sanitize($_POST['csrf']);
Code:
if (!Token::check($tokenPost)) {
Code:
$userPermissions->addAudit($pathToCheck); // This line goes with my custom permissions class and adds a new line to the audit table for the tomfoolery page
Code:
Redirect::to('csrf.php'); // a custom 'try again without a page refresh' notification page
Code:
die();
Code:
}
Code:
}
Code:
$token = Token::generate();

From here I use echo $token into all my page forms.
  Reply
#13
argh ok, well I've created a new CSRF Protect class with session storage, i can confirm with 4 forms on a page no more "token not valid" issues, same token per session.

we drop it into classes, will need requiring from init if autoload not present.

we instantiate with:

Code:
$csrf = new CSRF_Protect();

we automatically insert hidden form field using this in the form:

Code:
<?php $csrf->echoInputField();?>

then we check its valid in our php, so after
Code:
if(!empty($_POST['copyright1'])){
we would do:

Code:
$csrf->verifyRequest();

hope thats helps some, find the class here: https://github.com/Firestorm-Graphics/CSRF-Protect
  Reply
#14
Thank you, @Firestorm, for your code in GitHub. It was impossible for me to get the Tokens work in AJAX callings. But your code works properly with AJAX.

I'm replacing the use of UserSpice Token class with your code to be able to combine AJAX and CSRF.

Thank you very much!
  Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)