CodingJungle
Posted October 10, 2020

I'm updating one of my apps, and it has a ton of AJAX requests, and I've done this in the execute method of my controllers:

    if( Request::i()->requestMethod() !== 'GET'){
        Session::i()->csrfCheck();
    }

as all my POSTs are for state changes and my GETs aren't (so basically any HTTP request that isn't a GET will hit the csrfCheck). From my testing, it appears to be effective, or should I be putting the csrfCheck into each method of the controller that needs to check it?

Daniel F
Posted October 10, 2020

I guess it's fine, given it's only run in your own controllers where you're making sure to use POST requests for any state changes and any actions where data aren't just simply displayed to the user.

Martin A. (Solution)
Posted October 10, 2020

But nothing here stops me from creating and sharing a regular URL for these methods, creating a GET request for it. So I'm gonna say you do need it in every method. Or you need all state changing methods in its own controller where you run the csrfCheck regardless of request method.

CodingJungle (Author)
Posted October 10, 2020

2 minutes ago, Martin A. said:
> But nothing here stops me from creating and sharing a regular URL for these methods, creating a GET request for it.

Good point.
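
The gap raised in the accepted answer, shown as an added example that is not part of the original thread and not Invision Community code. `Req`, `CsrfError`, `csrfCheck()` and the two dispatch functions are hypothetical stand-ins (PHP 8+), and the session token is constructed for the demo.

```php
<?php
// Hypothetical stand-ins for a request object and a controller dispatcher.
final class CsrfError extends RuntimeException {}

final class Req
{
    public function __construct(
        public string $method,         // HTTP verb
        public string $do,             // controller action requested
        public ?string $token = null   // CSRF token sent with the request, if any
    ) {}
}

function csrfCheck(Req $r, string $sessionToken): void
{
    // Constant-time comparison; a missing token always fails.
    if ($r->token === null || !hash_equals($sessionToken, $r->token)) {
        throw new CsrfError('CSRF token missing or invalid');
    }
}

// Pattern from the first post: the check depends on the HTTP verb.
function dispatchMethodGated(Req $r, string $sessionToken): string
{
    if ($r->method !== 'GET') {
        csrfCheck($r, $sessionToken);
    }
    return $r->do === 'delete' ? 'deleted' : 'viewed';
}

// Pattern from the accepted answer: the check depends on the action.
function dispatchPerAction(Req $r, string $sessionToken): string
{
    if (in_array($r->do, ['delete', 'save'], true)) {
        csrfCheck($r, $sessionToken);   // runs for GET as well as POST
    }
    return $r->do === 'delete' ? 'deleted' : 'viewed';
}

$session = bin2hex(random_bytes(16));   // constructed session token
$link = new Req('GET', 'delete');       // plain URL to the action, no token
echo 'method-gated: ', dispatchMethodGated($link, $session), "\n";
try {
    echo 'per-action: ', dispatchPerAction($link, $session), "\n";
} catch (CsrfError $e) {
    echo 'per-action: blocked (', $e->getMessage(), ")\n";
}
echo 'per-action with token: ',
    dispatchPerAction(new Req('POST', 'delete', $session), $session), "\n";
```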