Csrf Token Could Not Be Verified

Hi

I have a problem with eajaxupload

http://www.yiiframework.com/extension/eajaxupload

When ‘enableCsrfValidation’ in config/main.php is set to true, the uploader does not work and displays “CSRF token could not be verified”. With it set to false it works fine, but I don’t want to have security risks.

How to solve it?

Thanks.

Anyone please?

I don’t know that extension, but I’ve had similar issues with CSRF protection. With it enabled, each POST form needs a hidden field which contains the CSRF token of that user. Yii automatically adds that to every form, as long as you create the <form> tag with CHtml::form() (or any derivative, e.g. through CActiveForm). Also make sure that you don’t cache such a form, because you would cache the CSRF token of the first user who hits the cold cache.

So maybe you want to have a look at the extension’s source to verify one of the above problems.
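To make the point in the reply above concrete, here is an added example (not code from the thread or from the eajaxupload extension) of a Yii 1.1 view that sends the token the three ways a request can reach the server. The route `site/upload` and the field name `file` are assumptions; the token name comes from `Yii::app()->request->csrfTokenName` (`YII_CSRF_TOKEN` by default).

```php
<?php
/* protected/views/site/upload.php -- added example, assumes a controller action at site/upload */
$request = Yii::app()->request;

// 1. A form built with CHtml::beginForm() gets the hidden CSRF field for free:
//    CHtml emits <input type="hidden" name="YII_CSRF_TOKEN" value="..."> whenever
//    enableCsrfValidation is on and the method is POST. Nothing else to do here.
echo CHtml::beginForm(array('site/upload'), 'post', array('enctype' => 'multipart/form-data'));
echo CHtml::fileField('file');
echo CHtml::submitButton('Upload');
echo CHtml::endForm();

// 2. A hand-written <form> tag gets no token, so the POST fails with
//    "The CSRF token could not be verified." Add the hidden field yourself.
echo '<form method="post" action="' . CHtml::encode(Yii::app()->createUrl('site/upload'))
   . '" enctype="multipart/form-data">';
echo CHtml::hiddenField($request->csrfTokenName, $request->csrfToken);
echo CHtml::fileField('file');
echo CHtml::submitButton('Upload');
echo CHtml::endForm();

// 3. A request assembled by JavaScript (the situation with an AJAX uploader) is
//    not built from a <form>, so the script has to put the token into the POST
//    body itself. Expose the name/value pair to the page and send it along.
Yii::app()->clientScript->registerScript('csrf-token', "
    var csrfName  = " . CJavaScript::encode($request->csrfTokenName) . ";
    var csrfToken = " . CJavaScript::encode($request->csrfToken) . ";
    jQuery('#ajax-save').on('click', function () {
        var data = { title: jQuery('#title').val() };
        data[csrfName] = csrfToken;               // token travels as a POST parameter
        jQuery.post(" . CJavaScript::encode(Yii::app()->createUrl('site/save')) . ", data);
    });
", CClientScript::POS_READY);

// Caching caveat from the reply: never wrap sections 1-3 in COutputCache or a
// page cache. The cached markup would carry the first visitor's token, and the
// double-submit check (cookie value === submitted value) fails for everyone else.
```

The `site/save` route in section 3 is likewise an assumed example action. Yii 1 validates by comparing the submitted token with the `YII_CSRF_TOKEN` cookie, which is why a token copied from another user's cached page never matches.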

Have you read this article? It says the swfupload extension, which is based on Flash, causes the same problems. If your AJAX uploader is based on Flash as well, the source of your problem may be the same.

I don’t know if your problem still exists nine months after the question was posted (probably not), but I wrote this for other users’ reference.

Have a look at this forum thread with a custom HttpRequest class. When uploading a file using that extension, the POST body contains only the file contents and the CSRF token gets moved into GET. You need to allow some actions to read the CSRF token from GET, not only from POST.
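An added example of the approach in the last reply, written for this page rather than taken from the linked thread or from eajaxupload: a `CHttpRequest` subclass that accepts the token from the query string only for an explicit list of routes, plus the widget call that puts the token into the upload URL. The class name `HttpRequest`, the route `site/upload` and the widget config key `action` (the upload URL in eajaxupload's config array) are assumptions.

```php
<?php
/* protected/components/HttpRequest.php -- added example, not the extension's code */
class HttpRequest extends CHttpRequest
{
    /**
     * Routes allowed to carry the CSRF token as a GET parameter. Keep this list
     * short: a token in a URL can leak through Referer headers and access logs,
     * so only the action that genuinely cannot send a POST field belongs here.
     */
    public $csrfTokenFromGetRoutes = array('site/upload');

    public function validateCsrfToken($event)
    {
        if (!$this->getIsPostRequest()) {
            return;                              // Yii 1 only checks POST requests
        }

        // Normal path: token in the POST body, exactly as CHttpRequest expects.
        $userToken = $this->getPost($this->csrfTokenName);

        // Fallback for the uploader: the POST body holds only the file, so the
        // token arrived in the query string. Accept it only for whitelisted routes.
        if ($userToken === null) {
            $route = Yii::app()->getUrlManager()->parseUrl($this);
            if (in_array($route, $this->csrfTokenFromGetRoutes, true)) {
                $userToken = $this->getQuery($this->csrfTokenName);
            }
        }

        // Same double-submit comparison as the parent class: submitted value must
        // equal the YII_CSRF_TOKEN cookie issued to this browser.
        $valid   = false;
        $cookies = $this->getCookies();
        if (!empty($userToken) && $cookies->contains($this->csrfTokenName)) {
            $cookieToken = $cookies->itemAt($this->csrfTokenName)->value;
            $valid = ($cookieToken === $userToken);
        }

        if (!$valid) {
            throw new CHttpException(400, Yii::t('yii', 'The CSRF token could not be verified.'));
        }
    }
}

/* protected/config/main.php -- register the subclass and keep validation on */
return array(
    'components' => array(
        'request' => array(
            'class'                => 'application.components.HttpRequest',
            'enableCsrfValidation' => true,
        ),
    ),
);

/* protected/views/site/upload.php -- build the upload URL with the token in it */
$request = Yii::app()->request;
$this->widget('ext.EAjaxUpload.EAjaxUpload', array(
    'id'     => 'uploadFile',
    'config' => array(
        // 'action' is assumed to be the widget's upload-URL setting; the token is
        // appended as ?YII_CSRF_TOKEN=... because the uploader posts only the file.
        'action' => Yii::app()->createUrl('site/upload', array(
            $request->csrfTokenName => $request->csrfToken,
        )),
    ),
));
```

Because `validateCsrfToken()` runs on `onBeginRequest`, before the controller is resolved, the example calls `CUrlManager::parseUrl()` itself to learn the route; for routes not in the list, behaviour is identical to stock Yii, so the rest of the application keeps POST-only CSRF checks.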