Hi
I am using a CSRF token generated by yii and save it to session .
I have overrided the HTTPRequest handler to validate the post token to the session token.
class HttpRequest extends CHttpRequest {
private $_csrfToken;
public function getCsrfToken()
{
if($this->_csrfToken===null)
{
$session = Yii::app()->session;
$csrfToken=$session->itemAt($this->csrfTokenName);
if($csrfToken===null)
{
$csrfToken = sha1(uniqid(mt_rand(),true));
$session->add($this->csrfTokenName, $csrfToken);
}
$this->_csrfToken = $csrfToken;
}
return $this->_csrfToken;
}
public function validateCsrfToken($event)
{
if($this->getIsPostRequest())
{
// only validate POST requests
$session=Yii::app()->session;
if($session->contains($this->csrfTokenName) && isset($_POST[$this->csrfTokenName]))
{
$tokenFromSession=$session->itemAt($this->csrfTokenName);
$tokenFromPost=$_POST[$this->csrfTokenName];
echo $valid=$tokenFromSession===$tokenFromPost;
}
else
$valid=false;
if(!$valid)
throw new CHttpException(400,Yii::t('yii','The CSRF token could not be verified.'));
}
}
}
and have also add the token to Ajax request as parameter like this…
$('#link').click(function() {
var token=$('input[name="YII_CSRF_TOKEN"]').val();
//alert("here");
//console.log("here");
$.ajax({
data:{YII_CSRF_TOKEN:token},
type: "POST",
url: "/home/xxxx"
}).done(function( msg ) {
console.log("notification no. reset");
$("#notification_no").html(msg);
});
});
My login form is like this
<?php
$form = $this->beginWidget('CActiveForm', array(
'id' => 'login-form', 'action' => $this->createUrl(Yii::app()->homeUrl . 'user/login'),
'enableAjaxValidation' => true,
'enableClientValidation' => false,
'clientOptions' => array(
'validateOnSubmit' => true,
),
));
?>
<?php $model = new LoginForm; ?>
<?php echo $form->textField($model, 'username', array('autocomplete'=>'off','value' => 'username')); ?>
<?php echo $form->error($model, 'username'); ?>
<?php echo $form->passwordField($model, 'password', array('autocomplete'=>'off','value' => 'password')); ?>
<?php echo $form->error($model, 'password'); ?>
<?php echo CHtml::submitButton('Login', array('class' => 'loginBtn')); ?>
And the config file settings is like this
'request'=>array(
'class' => 'application.components.HttpRequest',
'enableCsrfValidation'=>true,
'enableCookieValidation'=>true,
),
model rules are same as loginform.php model.
CASE 1
when config settings are
'request'=>array(
'class' => 'application.components.HttpRequest',
'enableCsrfValidation'=>false,
'enableCookieValidation'=>true,
),
the auto ajax validation on my login form work perfectly and submits the form.
CASE 2
'request'=>array(
'class' => 'application.components.HttpRequest',
'enableCsrfValidation'=>true,
'enableCookieValidation'=>true,
),
when i entered wrong username and password i do not get any error notification on my form however i do get a response checked through firebug console.
1{"LoginForm_password":["Incorrect username or password."]}, here 1 means csrf token is validated
when i submit correct username and password i get the following resposne in firebug console
1[], again 1 is for verified csrf token with no error
in both the cases above, my form stops and do not gets submitted. to pass the post action.
so this means that ajax validation is working but error messages are not getting displayed on the form.
second the form is not getting submitted when there is no error.
any help would be greatly appreciated.
Thanks