vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   Using securitytoken to protect ajax requests (https://vborg.vbsupport.ru/showthread.php?t=261696)

squishi 04-09-2011 08:28 AM

Using securitytoken to protect ajax requests
 
I wanted to use the security token to protect an ajax request.
So I submitted the token with the ajax post request from a vbulletin page to my custom page.

HTML Code:

<script type="text/javascript"><!--
$(document).ready(function(){

        $("#nudge_icon").click(function(){
                $.ajax({
                        url: '/nudge.php',
                        type: 'POST',
                        async: true,
                        dataType: 'text',
                        data: ({'from'  : '$bbuserinfo[userid]',
                                'to'    : '$userinfo[userid]',
                                'securitytoken':'$bbuserinfo[securitytoken]'}),
                        success: function(data) {
                                alert(data);
                        },
                        error: function(data) {
                                alert(data);
                        }
                });
        });

});//-->

</script>

In that custom page (nudge.php), I have included the global.php to load the users details.
And I defined CSRF_PROTECTION as true (don't know if that is even necessary).

I then make a comparison like this:
PHP Code:

if ($vbulletin->userinfo['securitytoken'] != $_POST['securitytoken'])
{
//    echo $vbulletin->userinfo['securitytoken'] ."
//    ". $_REQUEST['securitytoken'];

    
exit("error");


This is the part where the script fails. The security tokens never match.
I assume a new token is generated when the global.php is called?

How can I use a securitytoken check on an ajax request?

kh99 04-10-2011 12:09 PM

I don't understand security tokens, but I noticed that there's a function in includes/functions.php called verify_security_token(), and it seems to be called with $vbulletin->userinfo['securitytoken_raw'] as one of the parameters, so maybe you could use that function and/or use 'securitytoken_raw'.

dd009 08-24-2011 06:06 AM

Do you have any idea how can i can i made ajax request ?

Neo_obs 11-14-2011 10:53 PM

If you use the function kh99 referenced it should be easy to do.

verify_security_token($_POST['securitytoken'], $userinfo['securitytoken_raw'])

should return true if it is a match, false if not.

Adrian Schneider 11-14-2011 11:10 PM

All my AJAX requests in plugins never require me to manually check for CSRF. It's always done automatically.


All times are GMT. The time now is 11:30 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01009 seconds
  • Memory Usage 1,722KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_html_printable
  • (1)bbcode_php_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (5)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 

Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete