javascript - Many AJAX requests at once with CSRF protection -
hi everybody.
my web application based on asynchronous requests. timer widget working , updating it's status every second ajax (yes, necessary).
i sending each ajax csrf tokens:
project_data.append(csrf_name_key,csrf_name_value); project_data.append(csrf_value_key,csrf_value_value); and in response updating global variables:
function setcsrf(response) { csrf_name_key = response.namekey; csrf_name_value = response.name; csrf_value_key = response.valuekey; csrf_value_value = response.value; } everything fine. if ajax example when change task in todo list "done" ending error because sending ajax before getting new tokens previous request.
i don't know how solve problem. first idea make "like stack array" 5 different tokens 1 https request = 1 pair of tokens , can't generate it.
maybe type of queue of ajax requests, doing them in right time - don't know.
my actual pseudo-solution "if failed try again max 10 times":
if(e.target.response=="failed csrf check!") { if(failedajax<10) checkforsurvey(); failedajax++; return; } it working, errors appears in console , dirty solution.
i using slim 3 microframework csrf extension. please interesting problem.
i thankful,
arthur
there options you:
use stack of csrf-tokens inside javascript code
use csrf token can used more once (not secure)
use queue request
a stack tokens
the slim-csrf-middleware provides functionallity you, generate these tokens, need them clientside. api getting 5 csrf tokens, api consume on csrf-token.
add api , generate tokens there.
$app->get('/foo', function ($request, $response, $args) { // check valid csrf token $tokens = []; ($i = 0; $i < 5; $i++) { $tokens[] = $this->csrf->generatetoken(); } return $response->withjson($tokens); }); now csrf-token valid through whole user session.
guard::generatetoken() returns this:
array (size=2) 'csrf_name' => string 'csrf58e669ff70da0' (length=17) 'csrf_value' => string '52ac7689d3c6ea5d01889d711018f058' (length=32) a multi-use csrf-token
for that, slim-csrf provides functionallity token persistance mode. can enabled through constructor or guard::setpersistenttokenmode(bool) method. in example, i'm doing method:
$container['csrf'] = function ($c) { $guard = new \slim\csrf\guard; $guard->setpersistenttokenmode(true); return $guard; }; here phpdoc persistancetokenmode-attribute
/** * determines whether or not should persist token throughout duration of user's session. * * security, slim-csrf *always* reset token if there validation error. * @var bool true use same token throughout session (unless there validation error), * false new token each request. */ a queue ajax requests.
add queue request, delay execution of request there valid csrf token.
this should seen pseudocode havn't tested yet.
var requestqueue = []; var isinrequest = false; var csrfkey = ''; // should set on page load, have valid token @ start var csrfvalue = ''; function newrequest(onsuccesscallback, data) { // add parameters need // add request queue requestqueue.push(function() { isinrequest = true; // add csrf stuff data $.ajax({ data: xxx url: "serverscript.xxx", success: function(data) { // update csrfkey & csrfvalue isinrequest = false; tryexecutenextrequest(); // try execute next request onsuccesscallback(data); // proceed received data } }}); ); tryexecutenextrequest(); } function tryexecutenextrequest() { if(!isinrequest && requestqueue.length != 0) { // no request running & var nextrequest = requestqueue.shift(); nextrequest(); // execute next request } }
Comments
Post a Comment