Comments
-
@Frederick CSRF codes can protect against some bots but very much against session hijacking through XSS vulnerabilities.
And yes also the thing you described!
-
iexx697y
Ehh, using ajax with csrf tokens is usually pretty sketchy cuz u might overwrite a cookie during the ajax request. Try doing it with a full post? Unless ur form has to be submitted through ajax
-
@iexx Why would that be sketchy? And yeah I checked, the right session is being submitted (there's only one anyways)
-
@iexx True and it is set up to do that but ONLY with the index.php and I'm calling other php files
-
@CoffeeNcode It appeared to be a forgotten ajax call which called "nope" and that apparently got directed to index.php :)
-
@PrivateGER just to add to the above, Laravel has it too, in form of just putting a "@csrf" into your forms (in your template files) and also enforces them, by simply declining certain requests if there's no csrf
I'm losing my fucking mind right fucking here.
Setting an anti-csrf token in the index.php file ONCE. Yes, I triple trillion checked, only fucking once.
Print it to the page as test, fair enough, looks good.
Send an ajax request to the server:
AN ENTIRELY FUCKING DIFFERENT TOKEN 😡
Fucking hell.
rant
fuck off and die
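Added example, not the ranter's code or any commenter's: a PHP CSRF helper that shows the failure mode from the rant (a token regenerated on every load of index.php, so a stray ajax call that lands there rotates it) beside the idempotent version that mints the token once per session and verifies it in constant time. The function names and the `$_SESSION['csrf_token']` key are assumptions.

```php
<?php
// Added example, not the ranter's code. Assumes PHP sessions and a
// $_SESSION['csrf_token'] key; function names are made up for illustration.
session_start();

// The pattern the rant describes: a fresh token on every request that loads
// index.php. A forgotten ajax call that gets routed to index.php rotates the
// token, so the one already rendered into the page no longer matches.
function csrf_token_regenerating(): string {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}

// Idempotent version: mint once per session, return the same value after that.
// Extra requests to index.php (ajax or otherwise) can no longer invalidate it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify a submitted token in constant time. Returns false when nothing was
// submitted or the session has no token yet.
function csrf_verify(?string $submitted): bool {
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// In the "other php files" the rant posts to: each of them must call
// session_start() itself (done above) or it will never see the token.
// Accept the token from a form field or an X-CSRF-Token header.
$submitted = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? null);
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && !csrf_verify($submitted)) {
    http_response_code(403);
    exit('CSRF token mismatch');
}
```

Rotate the token only at login and logout (together with `session_regenerate_id(true)`), not on every page load, so a value rendered into a page stays valid for as long as that page is open.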