Using securitytoken to protect ajax requests


squishi
04-09-2011, 08:28 AM
I wanted to use the security token to protect an ajax request.
So I submitted the token with the ajax post request from a vbulletin page to my custom page.

<script type="text/javascript"><!--
$(document).ready(function(){

    $("#nudge_icon").click(function(){
        $.ajax({
            url: '/nudge.php',
            type: 'POST',
            async: true,
            dataType: 'text',
            // $bbuserinfo and $userinfo are vBulletin template variables,
            // substituted server-side when the template is rendered
            data: ({'from' : '$bbuserinfo[userid]',
                    'to' : '$userinfo[userid]',
                    'securitytoken' : '$bbuserinfo[securitytoken]'}),
            success: function(data) {
                alert(data);
            },
            // jQuery passes (jqXHR, textStatus, errorThrown) to the error callback;
            // alerting the first argument would only show "[object Object]"
            error: function(jqXHR, textStatus, errorThrown) {
                alert(textStatus + ': ' + errorThrown);
            }
        });
    });

});//-->
</script>


In that custom page (nudge.php), I have included the global.php to load the users details.
And I defined CSRF_PROTECTION as true (don't know if that is even necessary).

I then make a comparison like this:
if ($vbulletin->userinfo['securitytoken'] != $_POST['securitytoken'])
{
    // echo $vbulletin->userinfo['securitytoken'] . "
    // " . $_REQUEST['securitytoken'];

    exit("error");
}


This is the part where the script fails. The security tokens never match.
I assume a new token is generated when the global.php is called?

How can I use a securitytoken check on an ajax request?

kh99
04-10-2011, 12:09 PM
I don't understand security tokens, but I noticed that there's a function in includes/functions.php called verify_security_token(), and it seems to be called with $vbulletin->userinfo['securitytoken_raw'] as one of the parameters, so maybe you could use that function and/or use 'securitytoken_raw'.

dd009
08-24-2011, 06:06 AM
Do you have any idea how I can make an ajax request?

Neo_obs
11-14-2011, 10:53 PM
If you use the function kh99 referenced, it should be easy to do.

verify_security_token($_POST['securitytoken'], $userinfo['securitytoken_raw'])

should return true if it is a match, false if not.
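As an added example that is not part of the thread, here is a complete nudge.php built around the check Neo_obs describes. It assumes the script sits next to global.php and that the page's JavaScript posts `securitytoken` and `to`; the `clean_array_gpc()` call and the `TYPE_*` constants are vBulletin's own input cleaner, while the reply strings and the "record the nudge" step are placeholders for illustration. The reason the original `!=` comparison never matches is that the rendered `securitytoken` embeds the time it was issued and is regenerated on every request; `verify_security_token()` instead recomputes the expected value from `securitytoken_raw`, which is stable for the session, so a token captured from an earlier page still verifies.

```php
<?php
// nudge.php: added example endpoint (not the thread's code) showing the
// verify_security_token() check. Paths, the nudge action and the reply
// strings are assumptions for illustration.

// Must be defined before global.php is included, as in the original post.
define('CSRF_PROTECTION', true);

// Loads $vbulletin, the logged-in user's $vbulletin->userinfo (including
// securitytoken_raw) and includes/functions.php, which defines
// verify_security_token().
require_once('./global.php');

header('Content-Type: text/plain; charset=utf-8');

// A CSRF token only makes sense for a state-changing POST from a logged-in user.
if ($_SERVER['REQUEST_METHOD'] != 'POST')
{
	exit('error: POST required');
}
if (!$vbulletin->userinfo['userid'])
{
	exit('error: not logged in');
}

// Pull the posted fields through vBulletin's input cleaner.
$vbulletin->input->clean_array_gpc('p', array(
	'securitytoken' => TYPE_STR,
	'to'            => TYPE_UINT,
));

// Verify against securitytoken_raw, never with a string compare against
// $vbulletin->userinfo['securitytoken']: the rendered token carries the time
// it was issued and is regenerated on every request, so the value embedded
// in an earlier page never equals the one global.php has just produced.
if (!verify_security_token($vbulletin->GPC['securitytoken'],
                           $vbulletin->userinfo['securitytoken_raw']))
{
	exit('error: security token mismatch');
}

// Take the sender from the session, not from the 'from' field the page posts:
// anyone can put any userid in a POST body.
$from = intval($vbulletin->userinfo['userid']);
$to   = $vbulletin->GPC['to'];
if ($to == 0 || $to == $from)
{
	exit('error: invalid recipient');
}

// ... record the nudge from $from to $to here (application logic, assumed) ...
echo "ok: user $from nudged user $to";
?>
```

If global.php already rejects POSTs with a bad token when CSRF_PROTECTION is true (which is what Adrian Schneider's reply below suggests), the explicit call is redundant but harmless; what it must not be replaced with is the `!=` comparison against the rendered token. Note also that the JavaScript in the first post sends `from` as `$bbuserinfo[userid]`; the server should ignore that field and use the session's userid, as above, since the client can set it to anything.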

Adrian Schneider
11-14-2011, 11:10 PM
All my AJAX requests in plugins never require me to manually check for CSRF. It's always done automatically.