Invalid token csrf

klermann Posts: 277 Questions: 67 Answers: 1

Hello Allan, my server is refusing a persistence of the object you are trying to send. Why is it refusing the CSRF token, stating that it is invalid? How should I proceed?
I tried:

    var header = $("meta[name='_csrf_header']").attr("content");
    var token = $("meta[name='_csrf']").attr("content");
    headers: { "X-CSRF-TOKEN": token, "X-CSRF-HEADER": header },

and tried:

    headers: { "X-CSRF-TOKEN": token },

Answers

  • allan Posts: 61,822 Questions: 1 Answers: 10,127 Site admin

    I'm afraid I don't know what your server is expecting, so I can't honestly say what should be done on the client-side. I also don't know what code you are using on the client-side and where you are attempting to add that headers tag. I would need more information to be able to offer any help.

    Allan

  • klermann Posts: 277 Questions: 67 Answers: 1

    Usually my server waits for the Token within the form. When we construct a standard form the security token by default needs to be added inside the form. Do you have any tips or hints on how I can do this?

  • rduncecb Posts: 125 Questions: 2 Answers: 28

    @klermann, does your CSRF token change or is it consistent across your 'session'?
    Changing CSRF tokens can be a pain if you're making async requests because a token can be invalidated by being used by another call.
    If the token is constant, an easy way to get a token into DataTables/Editor calls is to set it in $.ajaxSetup. The example below reads the token from a cookie and adds it to the ajax setup so all ajax calls send the token as a header; this includes ajax calls made by DataTables and Editor:

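    // getCookie() is not defined in this snippet; it stands for a helper
    // that returns the value of the named cookie.
    $.ajaxSetup({
        headers: { "X-XSRF-TOKEN": getCookie("XSRF-TOKEN") },
    });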
    
  • klermann Posts: 277 Questions: 67 Answers: 1

    Hello rduncecb. My CSRF token is random, random. I think this example would not fit my application!

  • rduncecb Posts: 125 Questions: 2 Answers: 28

    The token itself may be random, but there must be a defined lifecycle for the way it is issued and acts. It must be defined somewhere so you know when it is created, if it changes for each request or is constant across a session, etc. You need to know this so you can understand how you can work with it.

  • klermann Posts: 277 Questions: 67 Answers: 1

    In my case, it can be passed as a hidden field, but the question is: how do I create an input of type CSRF Token in the editor to send it to the server?

  • rduncecb Posts: 125 Questions: 2 Answers: 28

    There's not going to be a CSRF input field type; it's likely it's just going to be an alphanumeric string, so add it as a hidden field and populate it with the token string from $("meta[name='_csrf']").attr("content"), much like the example on https://editor.datatables.net/reference/field/hidden
    Still, I would suggest learning more about the lifecycle and use of your CSRF token as there may be better solutions.

  • allan Posts: 61,822 Questions: 1 Answers: 10,127 Site admin
    Answer ✓

    Using the headers option of ajax as an object is the normal way of doing this. If that isn't working for you, we'd need a link to a test case showing the issue.

    Allan
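
Added example, not part of the thread and not DataTables or Editor code: one way to send the token as a request header while limiting it to same-origin, state-changing requests, so it is not attached to calls made to other hosts. It assumes the `_csrf_header` meta tag holds the name of the header the server expects and `_csrf` holds the token value (the thread does not confirm the server's configuration); `csrfHeaderFor`, `isSameOrigin` and `SAFE_METHODS` are hypothetical names.

```javascript
// Added example; helper names are hypothetical, meta tag names are from the thread.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// True when `url` (absolute or relative) resolves to the page's own origin.
function isSameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === pageOrigin;
  } catch (e) {
    return false; // unparseable URL: do not send the token
  }
}

// Returns { name, value } for the CSRF header, or null when the request
// should not carry it (safe method, other origin, or missing meta tags).
// `readMeta(name)` returns the content of <meta name="..."> or undefined.
function csrfHeaderFor(method, url, pageOrigin, readMeta) {
  if (SAFE_METHODS.has(String(method || "GET").toUpperCase())) return null;
  if (!isSameOrigin(url, pageOrigin)) return null;
  const name = readMeta("_csrf_header"); // assumed: header NAME the server expects
  const value = readMeta("_csrf");       // token VALUE
  if (!name || !value) return null;
  return { name, value };
}

// Browser wiring (skipped outside a page with jQuery loaded).
if (typeof window !== "undefined" && window.jQuery) {
  const $ = window.jQuery;
  const readMeta = (n) => $("meta[name='" + n + "']").attr("content");
  $.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    // Read the meta tags on every request, so a token the page has
    // updated in the meta tag is picked up by later calls.
    const h = csrfHeaderFor(options.type, options.url,
                            window.location.origin, readMeta);
    if (h) jqXHR.setRequestHeader(h.name, h.value);
  });
}
```

Because the prefilter runs for every jQuery ajax call, it also covers the requests DataTables and Editor make, as `$.ajaxSetup` does in the earlier post.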

  • klermann Posts: 277 Questions: 67 Answers: 1

    Solved here!

This discussion has been closed.