javascript - Many AJAX requests at once with CSRF protection
Hi everybody.
My web application is based on asynchronous requests. A timer widget is running and updates its status every second via AJAX (yes, this is necessary).
I am sending CSRF tokens with each AJAX request:
```javascript
project_data.append(csrf_name_key, csrf_name_value);
project_data.append(csrf_value_key, csrf_value_value);
```
and in the response handler I update the global variables:
```javascript
function setCsrf(response) {
    csrf_name_key = response.namekey;
    csrf_name_value = response.name;
    csrf_value_key = response.valuekey;
    csrf_value_value = response.value;
}
```
Everything works fine, except when an AJAX request (for example, marking a task in the todo list as "done") ends with an error because it was sent before the new tokens from the previous request arrived.
I don't know how to solve this problem. My first idea was to keep something like a stack array of 5 different tokens (1 HTTPS request = 1 pair of tokens), but I can't generate them.
Maybe some kind of queue of AJAX requests that executes them at the right time, I don't know.
My current pseudo-solution is "if it failed, try again, at most 10 times":
```javascript
if (e.target.response == "failed csrf check!") {
    if (failedajax < 10) checkforsurvey();
    failedajax++;
    return;
}
```
It works, but errors appear in the console, so it is a dirty solution.
I am using the Slim 3 microframework with its CSRF extension. It is an interesting problem, please help.
I would be thankful,
Arthur
There are a few options for you:
- use a stack of CSRF tokens inside the JavaScript code
- use a CSRF token that can be used more than once (not secure)
- use a request queue
A stack of tokens
The Slim-Csrf middleware provides the functionality for you to generate these tokens when you need them client-side: an API for getting 5 CSRF tokens, and each API call consumes one CSRF token.
Add an API route and generate the tokens there:
```php
$app->get('/foo', function ($request, $response, $args) {
    // check for a valid CSRF token before handing out new ones
    $tokens = [];
    for ($i = 0; $i < 5; $i++) {
        $tokens[] = $this->csrf->generateToken();
    }
    return $response->withJson($tokens);
});
```
These CSRF tokens are now valid throughout the whole user session.
`Guard::generateToken()` returns this:
```
array (size=2)
  'csrf_name' => string 'csrf58e669ff70da0' (length=17)
  'csrf_value' => string '52ac7689d3c6ea5d01889d711018f058' (length=32)
```
A multi-use CSRF token
For that, Slim-Csrf provides a token persistence mode. It can be enabled through the constructor or through the `Guard::setPersistentTokenMode(bool)` method. In this example, I'm using the method:
```php
$container['csrf'] = function ($c) {
    $guard = new \Slim\Csrf\Guard;
    $guard->setPersistentTokenMode(true);
    return $guard;
};
```
Here is the phpdoc of the `persistentTokenMode` attribute:
```php
/**
 * Determines whether or not we should persist the token throughout the duration of the user's session.
 *
 * For security, Slim-Csrf will *always* reset the token if there is a validation error.
 * @var bool True to use the same token throughout the session (unless there is a validation error),
 * false to get a new token with each request.
 */
```
A queue of AJAX requests
Add a queue for the requests and delay the execution of each request until there is a valid CSRF token.
This should be seen as pseudocode; I haven't tested it yet.
```javascript
var requestQueue = [];
var isInRequest = false;
var csrfKey = '';   // should be set on page load, so we have a valid token at the start
var csrfValue = '';

function newRequest(onSuccessCallback, data) {
    // add parameters as you need them
    // add the request to the queue
    requestQueue.push(function() {
        isInRequest = true;
        // add the csrf stuff (csrfKey / csrfValue) to data
        $.ajax({
            data: data,                  // original had a placeholder here
            url: "serverscript.xxx",
            success: function(data) {
                // update csrfKey & csrfValue from the response
                isInRequest = false;
                tryExecuteNextRequest(); // try to execute the next request
                onSuccessCallback(data); // proceed with the received data
            }
        });
    });
    tryExecuteNextRequest();
}

function tryExecuteNextRequest() {
    if (!isInRequest && requestQueue.length != 0) { // no request running & queue not empty
        var nextRequest = requestQueue.shift();
        nextRequest(); // execute the next request
    }
}
```
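As an added, runnable illustration of the queue idea (not part of the question or the answer above), here is the failure mode from the question next to the queued version. The server is a constructed in-process simulation of Slim-Csrf's default one-token-per-request behaviour; the `csrf_value` field name, the token format and the 5 ms delay are assumptions of the simulation.

```javascript
// Simulated server in the style of Slim-Csrf's default (non-persistent) mode:
// every token is accepted exactly once, and each successful response carries a
// fresh token. Constructed for this example; not the real middleware.
function makeServer() {
  let counter = 0;
  const valid = new Set();
  const issue = () => { const t = 'tok' + (++counter); valid.add(t); return t; };
  const initialToken = issue();
  return {
    initialToken,
    request(token, payload) {               // resolves asynchronously, like a round trip
      return new Promise(resolve => setTimeout(() => {
        if (!valid.has(token)) return resolve({ ok: false, error: 'failed csrf check!' });
        valid.delete(token);                // one-time token is now consumed
        resolve({ ok: true, echo: payload, csrf_value: issue() });
      }, 5));
    }
  };
}

// Client-side queue: at most one request in flight; the token from each
// response is stored before the next queued request is sent.
function makeCsrfQueue(server) {
  let token = server.initialToken;
  let chain = Promise.resolve();           // tail of the queue
  return function enqueue(payload) {
    const run = chain.then(async () => {
      const res = await server.request(token, payload);
      if (res.ok) token = res.csrf_value;  // rotate before the next request starts
      return res;
    });
    chain = run.catch(() => {});           // a failure must not stall the queue
    return run;
  };
}

// Three requests fired at once with the same token: only the first one passes.
async function withoutQueue(server) {
  const t = server.initialToken;
  const results = await Promise.all([1, 2, 3].map(i => server.request(t, i)));
  return results.map(r => r.ok);           // [true, false, false]
}

// The same three requests through the queue: every one gets a fresh token.
async function withQueue(server) {
  const enqueue = makeCsrfQueue(server);
  const results = await Promise.all([1, 2, 3].map(i => enqueue(i)));
  return results.map(r => r.ok);           // [true, true, true]
}
```

With the queue in place the retry loop from the question becomes unnecessary, because no request is ever sent with a token that an earlier in-flight request is about to consume.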