Question
Hello, I am calling a controller to get a section using AJAX in my CodeIgniter-based app, which has CSRF enabled.
My AJAX code:
$('#classes').change(function(){
    var $classes = $(this).val();
    $.ajax({
        type: "POST",
        data: {
            // CSRF token name and hash as printed when the page was rendered
            '<?php echo $this->security->get_csrf_token_name(); ?>' : '<?php echo $this->security->get_csrf_hash(); ?>',
            'class': $classes
        },
        url: "<?php echo base_url();?>index.php/admin/getsection/" + $classes,
        success: function(return_data)
        {
            //alert(return_data);
            $('#section').html('');
            $('#section').html(return_data);
            $('#section').val(section); // `section` must be defined elsewhere on the page
        }
    });
});
When I call the AJAX function the first time, it runs perfectly, but when I run the same function again, it returns a 403 Forbidden error.
Please advise what I should do.
Answer 1:
From the docs:
Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security, but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter:
    $config['csrf_regenerate'] = TRUE;
Set that to FALSE.
Answer 2:
Your controller should be like this:
function reply(){
    $insert = $this->Message_model->send_message2();
    // Fresh hash for this request; the client must send it on the next POST
    $csrf = $this->security->get_csrf_hash();
    if($this->input->is_ajax_request())
    {
        header("Content-type: application/json; charset=utf-8");
        echo json_encode(array("data" => $insert, 'csrf' => $csrf));
    }
}
Your jQuery should be this way:
// `data` is the JSON object decoded from the previous AJAX response
var token = data.csrf;
$.ajax({
    url: '/next/ajax/request/url',
    type: 'POST',
    data: { new_data: 'new data to send via post', csrf_token: token },
    cache: false,
    success: function(data, textStatus, jqXHR) {
        // Get new csrf token for next ajax post
        var new_csrf_token = data.csrf;
        //Do something with data returned from post request
    },
    error: function(jqXHR, textStatus, errorThrown) {
        // Handle errors here
        console.log('ERRORS: ' + textStatus + ' - ' + errorThrown);
    }
});
Source: https://stackoverflow.com/questions/32478355/ajax-csrf-403-forbidden-codeigniter