– Added author note:
This assumes the latest version of CodeIgniter (2.0.2) but I assume this will work on any CI 2.x with CSRF. All the code edits are in the XAJAX to make it more compatible with CodeIgniter, so the only things to keep in mind for CodeIgniter is the following:
– what is the name of my ci_csrf_token
– how do i generate my csrf hash
– how do i get an instance of CI
If you can answer that for your version of CodeIgniter, you should be ok.
If you already have xajax installed as a library, you can skip to step 7.
1. download the latest version of xajax (or my version: 0.6-beta1)
2. move contents of xajax_core into application/libraries/xajax/
3. rename xajax.inc.php to Xajax.php (per CI library protocol)
4. change ~line 59 (final class xajax) to (final class Xajax) per CI library protocol (probably unnecessary)
5. put the xajax_js folder in /root/public/js/ folder. (location of my js files)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
Now we will add XAJAX functionality while CSRF is enabled.
7. Find and open xajax/plugin_layer/xajaxDefaultIncludePlugin.inc.php in libraries/
a. Go to line 213 and add the following code:
1 2 3 4 5 6 7 8
< ?php // add ci_csrf_token to auto-generated script $CI =& get_instance(); echo $sCrLf; echo 'xajax.config.ci_csrf_token = "'; echo $CI->security->get_csrf_hash(); echo '";'; ?>
note: you could make it clean and add the variables and match it up like the previous options, but at the end of the day you’re just spreading the 5 lines of code around the script which will pain you when you get new xajax updates and have to do it again.
8. Find and open the xajax_core_uncompressed.js in xajax_js/
a. Go to line 3250 and add the following code after ‘delete dNow;
1 2 3 4 5 6 7 8 9
< ?php var csrf = xx.config.ci_csrf_token; rd.push('&ci_csrf_token='); rd.push(csrf); delete csrf; ?>
9. By default, if you are using the xajax_core.js, you will have to go to that file and make the change there but it is easier to know where you’re making the change if you look at the uncompressed version first. (you can download the changes in the compressed version below).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
That should do it. If you are having problems, you can add the debugger which I wish I knew about and probably would have saved me hours. Just paste the following code in your ‘head’ but after the xajax.
You should see the following in the popup window:
You can see how we added &ci_csrf_token to the request.
Now you will always have access to the CSRF token while using XAJAX without having to worry about reading/decrypting CI’s cookies in your XAJAX calls. It is all passed by adding the parameter directly. Of course, in the future, you will have to add the &ci_csrf_token in future updates (or rename it depending on the version of CI? I recall some versions use csrf_token_name from what I have read.)
Just another note, just because you aren’t using XAJAX, doesn’t mean this solution isn’t for you. The step is the same, it just looks different in XAJAX. Download the xajax script and look at what the rd.push() is doing, then you can manipulate your own request string. Or search for how to add parameters manually.
The code can be found here: (I included the code in the uncompressed version of xajax_core)
Hope that helps someone!