Codeigniter with jqGrid: use csrf_token

牧云@^-^@ submitted on 2019-12-08 06:13:09

Question


If in the config file I set csrf_token to false, everything works. However, when csrf_token is true, my grid can only get data from the database but not update or anything else.

I'm looking through the posts on this site about CodeIgniter+jqGrid but still haven't understood what I should do.

I can get the value of csrf_token but where should it be included?

var lastsel;  
var addl_params =
{
    ci_csrf: $.cookie('ci_csrf_token')
};

$("#grid").jqGrid({
    url:'url to script',
    datatype: "json",
    mtype: 'GET',
    colNames:['id', 'Nickname', 'Breed'],
    colModel:[
        {name:'id',index:'id', width:55, sortable:false, editable:false, 
            editoptions:{readonly:true,size:10}}, 
        {name:'nickname',index:'nickname', width:100,editable:true, 
            edittype:"text"},
        {name:'breed',index:'breed', width:100,editable:true, edittype:"text"},
    ],
    jsonReader : {
        root:"rows",
        page: "page",
        total: "totalpages",
        records: "records"
    },
    rowNum:10,
    rowList:[10,20,30],
    pager: jQuery('#gridpager'),
    sortname: 'nickname',
    viewrecords: true,
    sortorder: "asc",
    caption:"Cats",

    onSelectRow: function(id){
        if(id && id!==lastsel){
            jQuery('#grid').jqGrid('restoreRow',lastsel);
            jQuery('#grid').jqGrid('editRow',id,true,null, null);
            lastsel=id;
        }
    },
    editurl:"edit-url"
}).navGrid('#gridpager');

Answer 1:


First it's necessary to understand CSRF:

http://www.beheist.com/index.php/en/blog/csrf-protection-in-codeigniter-2-0-a-closer-look

From that post:

"The Security class generates a unique value for the CSRF token with each HTTP request. When the object is created, the name and value of the token are set."

What is possibly happening (I'm not familiar with jqGrid) is that each form is possibly getting its own CSRF token. Or, it's possible that there is only one token for all the forms. Either way, CodeIgniter expects one token per HTTP request and response. Basically, you need to close the loop on the first request to create the page, and the POST of the data.

Therefore, you may need to dig into the jqGrid code and the CI view to make sure that your output generates the CSRF token as desired.

Update: One of the comments on the blog above had a link to Ajax CSRF problems: http://aymsystems.com/ajax-csrf-protection-codeigniter-20
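
Added example (not part of the original question or answer): one way to close that loop for inline editing is to read the CSRF cookie when the row is saved and add it to the POST through jqGrid's serializeRowData option, instead of capturing it once at page load. The field and cookie names and the helper functions are assumptions; the names must match csrf_token_name and csrf_cookie_name in CodeIgniter's config.

```javascript
// Added example. Names are assumptions: they must equal csrf_token_name and
// csrf_cookie_name in CodeIgniter's application/config/config.php.
var CSRF_FIELD = 'ci_csrf_token';   // POST field the server checks (assumed)
var CSRF_COOKIE = 'ci_csrf_token';  // cookie read in the question's code
var SAMPLE_COOKIES = 'ci_session=abc; ci_csrf_token=3f2a%2Bx'; // constructed

// Return the value of one cookie from a "k=v; k2=v2" string, or null.
function readCookie(name, cookieString) {
    var parts = String(cookieString || '').split(';');
    for (var i = 0; i < parts.length; i++) {
        var eq = parts[i].indexOf('=');
        if (eq < 0) { continue; }
        if (parts[i].slice(0, eq).trim() === name) {
            var raw = parts[i].slice(eq + 1).trim();
            try { return decodeURIComponent(raw); } catch (e) { return raw; }
        }
    }
    return null;
}

// Copy postdata and add the token. Called at submit time so that a token
// the server rotated since page load is picked up.
function withCsrf(postdata, cookieString) {
    var token = readCookie(CSRF_COOKIE, cookieString);
    if (token === null) {
        throw new Error('CSRF cookie "' + CSRF_COOKIE + '" not found');
    }
    var out = {};
    for (var k in postdata) {
        if (Object.prototype.hasOwnProperty.call(postdata, k)) { out[k] = postdata[k]; }
    }
    out[CSRF_FIELD] = token;
    return out;
}

// jqGrid options to merge into the $("#grid").jqGrid({...}) call:
// serializeRowData covers inline editRow/saveRow posts to editurl.
function csrfGridOptions(getCookies) {
    return {
        serializeRowData: function (postdata) {
            return withCsrf(postdata, getCookies());
        }
    };
}

// In the browser:
// $("#grid").jqGrid($.extend({ /* grid options from the question */ },
//     csrfGridOptions(function () { return document.cookie; })));
```

The grid's GET requests for data are unaffected; only the inline-edit POST to editurl gains the token field.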



Source: https://stackoverflow.com/questions/10511521/codeigniter-with-jqgrid-use-csrf-token
