Send CSRF token with datatable ajax

Vitaliy

$('#invoices').dataTable({
                "searchHighlight": true,
                "order": [[ 0, "desc" ]],
                "serverSide": true,
                "ajax": {
                    type: "POST",
                    data:{
                         'request':'get_users_invoices',
                         'csrf_token':$('meta[name=csrf_token]').attr("content")
                    }, 
                    dataSrc: function ( json ) {
                        if(json.csrf_token !== undefined) $('meta[name=csrf_token]').attr("content", json.csrf_token); 
                        return json.data;
                    }
                    }
                .....................

When the page is loaded, the table works (token send successfully), the new token comes in the answer, but upon transition to other page, a token isn't sent, it seems to me at change of the page ajax doesn't sent

Vitaliy

if remove check of CSRF on the server side, the table works perfectly

allan

Can you link to the page showing the issue please.

Allan

Vitaliy

sorry but i I work on localhost

server-side part

if(isset($_POST['request']) && $_POST['request'] == "get_users_invoices" && MAIN::check_csrf_token(isset($_POST['csrf_token'])?$_POST['csrf_token']:NULL)) {
    INVOICES::get_user_invoices(isset($_SESSION['u'])?$_SESSION['u']:NULL); 
}

class

$columns = array(
           array( 'db' => 'id', 'dt' => 0 ),
           array( 'db' => 'payment_description',  'dt' => 1 ),
           array( 'db' => 'payment_status',   'dt' => 2 ),
           array( 'db' => 'id',   'dt' => 3 ),
        );

        return MAIN::json_answer(SSP::simple( $_POST, array('user' => DB, 'pass' => DB, 'db'   => DB, 'host' => DB), 'invoices', 'id', $columns, "user_id='$user_id'"), 'csrf_token');

Vitaliy

CSRF system works perfectly and where a problem I found but how to solve I don't know

SUCCESS: get: d2458862462e1667f8420de7a2e53b8f | correct: d2458862462e1667f8420de7a2e53b8f
Error: get (and already old): d2458862462e1667f8420de7a2e53b8f | correct: 78f0831d66a0ce52999b44d94603b357

At change of the page using previous request, with an old key which is already not present, but a code of

 $('meta[name=csrf_token]').attr("content")

is used, receives a right key

Vitaliy

perhaps the request is cached?

this CSRF system perfectly works with other ajax based functions, but i have problem only with datatables

Vitaliy

https://datatables.net/examples/server_side/pipeline.html

I think its my problem but how to solve I don't know)

allan

Oh you are using pipelining? That wasn't clear from your original post.

If so you need to modify the pipeline code, where it makes the $.ajax call to include your token.

Allan

Vitaliy

Now i dont use it, but:
I found the solution, instead of regular request, I decided to use a full caching of all pages. And the last question, than badly full caching (what number of records is maximum)?

Vitaliy

my original problem(im still interested in it)
first request, request with next params:

var token = 1111;
data:{ 'request':'get_users_invoices', 'csrf_token':1111},

success response
second page, second response

var token = 2222;
data:{ 'request':'get_users_invoices', 'csrf_token': 1111},

error response, token = 2222, but in sended request csrf_token = 1111
and i cant understand why ;(

allan

Without a test case, I'm afraid there is very little that is can do to offer any help.

All I can say is that the code above will send 1111 as the csrf token, since that is the value assigned to that parameter.

Allan