使用ajax提交数据时检测到CSRF攻击
我试图在 symfony 1.4 中使用 jquery 提交表单,但每次都会弹出 CSRF 攻击检测到的错误。这是我用来提交表单数据的代码:
$.ajax({
type: 'post',
cache: false,
url: $('#assign-form form').attr('action'),
data: (
'activity[id]=' + $('#activity_id').val() +
'&activity[_csrf_token]=' + $('#activity__csrf_token').val() +
'&activity[assigned_to_user_id]=' + $('#activity_assigned_to_user_id').val() +
'&activity[assigned_to_group_id]=' + $('#activity_assigned_to_group_id').val()
)
});
我错过了什么吗?
谢谢, 拉杜。
I'm trying to submit a form using jquery in symfony 1.4, but CSRF attack detected error pops up each time. This is the code i use to submit the form data:
$.ajax({
type: 'post',
cache: false,
url: $('#assign-form form').attr('action'),
data: (
'activity[id]=' + $('#activity_id').val() +
'&activity[_csrf_token]=' + $('#activity__csrf_token').val() +
'&activity[assigned_to_user_id]=' + $('#activity_assigned_to_user_id').val() +
'&activity[assigned_to_group_id]=' + $('#activity_assigned_to_group_id').val()
)
});
Am i missing something?
Thanks,
Radu.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
需要注意的一件事是验证输入的 Form 对象是否与生成令牌的类完全相同。默认情况下,该类用于生成 CSRF 令牌。
例如,如果您有一个用于生成表单 html 的表单子类实例,然后您发布到使用祖先表单类的操作,则默认情况下验证很可能会失败。
如果事实证明这是您的问题,则可以覆盖令牌创建。
另外,您是否已验证令牌字段的值是否确实包含令牌? console.log() 可以帮助您发现这一点。
嗯...当我仔细查看您的代码时,另一件事是您正在构建一个查询字符串来传递“数据”。您是否尝试过传递实际的 JSON 样式对象?
One thing to look at is whether the Form object that is validating the input is the exact same class as the the one that generated the token. By default, the class is used in the generation of the CSRF token.
If, for example, you had an instance of a subclass of a form used to generate the form html and then you posted to an action that used the ancestor form class, the validation would most likely fail by default.
It's possible to override the token creation if it turns out this is your issue.
Also, have you verified that the value of the token field actually includes a token? A console.log() may help you discover this.
Um...as I look closer at your code, another thing to look at is that you're building a query string to pass in 'data'. Have you tried passing an actual JSON-style object instead?
通常的原因是浏览器不接受 cookie - 您是否检查过 cookie 是否按预期返回(例如 iehttpheaders、wireshark、tamperdata)?
您是否在settings.yml中配置了秘密?
C.
Usual cause is that the browser is not accepting cookies - have you checked that the cookies are being returned as expected (e.g. iehttpheaders, wireshark, tamperdata)?
Did you configure the secret in settings.yml?
C.
这个小问题过去曾让我发疯。
如果您可以接受为此特定表单禁用 CSRF 保护(通常可以),您可以将以下内容添加到 /lib/form/... 文件夹中的 Form 类中:
我相信可以为某个表单禁用 CSRF如果您并不总是希望禁用它,那么也可以使用表单的特定实例,但我还没有尝试过这个/手头没有代码。
This little issue has driven me mad in the past.
If it's acceptable to you to disable CSRF protection for this particular form (which it often can be), you can add the following to your Form class in /lib/form/... folder:
I believe it's possible to disable CSRF for a particular instance of the form as well if you don't always wish to have it disabled, but I haven't tried this / don't have the code at hand.
会话cookie是否真的通过ajax查询收到了它?服务器返回的会话 cookie 应该与普通 HTTP 请求(例如启动会话管理的第一个请求)和 XMLHttpRequest 完全相同,否则您将遇到 CSRF 问题。
Does the session cookie really received it with ajax query ? your session cookie as returned by server should be exactly the same with a plain HTTP request (for instance the first request initiating session management) and with XMLHttpRequest, otherwise you'll get trouble with CSRF.
$('#activity__csrf_token').val()
您的意思是在该元素 id 中包含双下划线吗?
$('#activity__csrf_token').val()
Did you mean to have a double underscore in that element id?