ajax login csrf key input change after submit

Question

my login .php

<?php
    require "../includes/nonce.php";// nonce tokens for forms not sessions
    ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html class="no-js" dir="rtl" lang="he-IL" xml:lang="he" xmlns="http://www.w3.org/1999/xhtml">
<head>

  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <meta name="generator" content="editplus" />
  <meta name="author" content="" />
  <meta name="keywords" content="" />
  <meta name="description" content="" />
  <meta name="csrf-param" content="authenticity_token"/>
  <meta name="csrf-token" content="<?php echo ulNonce::Create('meta');?>"/>
    <title>finest  - מערכת ניהול</title>



    <link rel="stylesheet" href="stylelogin.css" type="text/css" />
    <script type="text/javascript" src="js/modernizr.custom.49650.js"></script>
    <script type="text/javascript" src="js/jquery-1.9.1.min.js"></script>
    <script type="text/javascript" src="js/jquery-ui-1.10.0.custom.min.js"></script>
    <!--for login hash pass-->
    <script type="text/javascript" src="secure/sha512.js"></script>


<script type="text/javascript">


$(document).ready(function() {

$('.inplaceError').each(
                function(i) {
                    $(this).focus(function(e){
                        $("#errorMessage").html("");
                    });
                }
            );

$('#container').fadeIn();

function sale() {
    $('#footer').fadeIn(200);
}

setTimeout(sale, 500);

});
</script>

<script type="text/javascript">

$(document).ready(function(){ 
$('form input:submit').bind('click', validLogin);

});

function validLogin(){

     if($.trim($("#password").val()) == '')
    {
        var p = '';
    }
    else
    {
        $("#p").val(   hex_sha512(  $("#password").val() ) );
        var p = $("#p").val();
    }

    var key = $('#key').val();
    var nonce = $('#nonce').val();
    var email = $.trim($('#email').val());

    var dataString = 'email='+ email + '&key='+ encodeURIComponent(key) + '&nonce='+ nonce + '&p='+ p;


     $.ajax({  
     url: "processed.php",
      type: "POST",  
      data: dataString,
      dataType:'json',
      cache: false,
      success: function(data)
      {  
               if(data.login == true) 
                {  
                    window.location = "index.php";

                }
                else
                  {
                 $("#siimage").trigger("click");
                 $("form input:submit").effect("shake", {times:2}, 100);
                 $("#errorMessage").html(data.message); 
                  get_nonce();
                  }




             if(data.cblocked == true)
             {
             $("#email").prop('disabled', true);
             $("#password").prop('disabled', true);
             $('input[type="submit"]').attr('disabled','disabled');
             document.getElementById("Submit").value = 'נעול';

             }
              if(data.csrf == true)
             {
             $("#email").prop('disabled', true);
             $("#password").prop('disabled', true);
             $('input[type="submit"]').attr('disabled','disabled');
             document.getElementById("Submit").value = 'נעול';

             }


      }
    });  
        return false;
} 

function get_nonce(){

        $.ajax({  
         url: "../includes/nonce.php",
          type: "POST", 
          dataType:'json',
          async: false,
          data: {ajax:"true"},
          success: function(response)
          {  

               $("#nonce").val(response.nonce);
               $("#key").val(response.key);
          }
        });
}

</script>

    </head>
    <body>
<!--[if lte IE 7]><script src="ie6/warning.js"></script><script>window.onload=function(){e("ie6/")}</script><![endif]-->


                     <?php
                      if($session->checkbruteGuest(ulUtils::GetRemoteIP(false), $func->mysqli) == true)
                      { 
                       $disabled = 'disabled';
                      } 
                       else
                      {
                       $disabled = '';
                      }

                     ?>
    <div id="wrapper" align="center">
        <div id="container" align="center">
        <?php if($session->admin_logged_in){
            header('location: index.php');
              }
              else
              {
            ?>
        <form accept-charset="UTF-8" action="#" method="post">
            <input type="hidden" id="p" name="p" value="">

            <?php $n->generateFormFields(); ?>

            <img style="position:absolute;float:left;top:53px;left:22px;" src="images/1369318943_secure-server-px-png.png" width="75" height="75" alt="" />

                <img style="float:right;position:absolute;left:310px;top:8px;" src="images/header-object.png" width="260" height="90" alt="" />
                <div class="login">ברוך הבא למערכת הניהול!</div>
                <div class="username-text">שם משתמש:</div>
                <div class="password-text">סיסמא:</div>
                <div class="username-field">
                    <input type="text" name="email" id="email" onclick="this.value='';" value="לדוגמא: a@test.com" class="inplaceError" <?php echo htmlentities(@$disabled);?>/>
                </div>
                <div class="password-field">
                    <input type="password" name="password" id="password" class="inplaceError" <?php echo htmlentities(@$disabled);?> onclick="this.value='';"/>     
                </div>



                <div id="errorMessage">
                <?php 
                     if($session->checkbruteGuest(ulUtils::GetRemoteIP(false), $func->mysqli) == true)
                      {
                       echo ucwords(htmlentities('ההתחברות נחסמה ל- 10 דקות עקב יותר מידי ניסיונות התחברות כושלים.')); 
                      }
                      ?>

                <img id="loader" src="images/ajax-loader.gif" width="16" height="16" />
                </div>
                <div class="forgot-usr-pwd">שכחת&nbsp;<a href="forgotuser.php">שם משתמש</a>&nbsp;או&nbsp;<a href="forgotpass.php">סיסמא</a>?</div>
                <?php
                 if($session->checkbruteGuest(ulUtils::GetRemoteIP(false), $func->mysqli) == true)
                      { 
                       echo '<input type="submit" id="Submit" name="Submit" value="נעול" disabled />';
                      } 
                 else
                      {
                       echo '<input type="submit" id="Submit" name="Submit" value="כניסה" />';
                      }
                ?>
            </form>
            <?php } ?>
        </div>

        </div>

<div id="footer">
            *בעת תקלה ניתן לשלוח מייל : ravgrg@gmail.com ,או להתקשר לאחראי האתר.
        </div>
    </body>
</html>

And the nonce.php:

<?php


class Nonce
{
  /**
   * How long in seconds the nonce will be good for. If you don't want the token to expire use -1.
   *
   * @var int
   **/

  protected $expire = 43200; // 12 Hours

  /**
   * A secret string that is hashed with a unique id and time. The longer
   * and more complex this is the better.
   *
   * @var string
   **/
  private $secret = "skldjfhsalkdjhfkwj3543soafsdnflasnhjkjk";

  /**
   * The hashing type used to create the nonce. 
   *
   * @var string
   **/
  protected $hash = 'sha256';

  /**
   * The amount of iternations done on a hash. This is done to enhance security. Larger 
   * numbers will be more secure but will increase the time needed to create the hash.
   *
   * @var int
   **/
  protected $iter = 100;

  /**
   * If true nonces will be stored in a database to ensure only one use.
   *
   * @var boolean
   **/
  protected $store = true;

  /**
   * The database username. Only used if $store is set to true.
   *
   * @var string
   **/
  private $db_user = "root";

  /**
   * The database password. Only used if $store is set to true.
   *
   * @var string
   **/
  private $db_pass = "";

  /**
   * The database name. Only used if $store is set to true.
   *
   * @var string
   **/
  private $db_name = "ibids";

  /**
   * The database table name. Only used if $store is set to true.
   *
   * @var string
   **/
  private $db_table = "all_nonce";

  /**
   * The database host. Only used if $store is set to true.
   *
   * @var string
   **/
  private $db_host = "127.0.0.1";

  /**
   * Is a PDO database handler object. Only used if $store is set to true.
   *
   * @var object
   **/
  protected $dbh;


  public function __construct()
  {



    if(!$this->secret) throw new Exception("You cannot leave \$secret blank. Please set it to a random string.");
    if(strlen($this->secret) < 32) throw new Exception("Your secret key should be at least 32 characters");
    $this->secret = hash('sha224', $this->secret);

    if($this->store){
      try{
        $this->dbh = new PDO('mysql:host=' . $this->db_host . ';dbname=' . $this->db_name, $this->db_user, $this->db_pass);
        $this->dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
      }catch (PDOException $e){
        throw new Exception($e);
      }
    }
  }


  /**
   * Checks the validity of a nonce. If valid (and $store is true) the nonce 
   * will become 'used' and invalid (meaning it cannot be used again).
   *
   * @param int $timestamp the time in the form of the unix epoch
   * @param float $uid a unique id created by php's uniqid() function (although this can technically be anything). 
   * @param string $content optional additional content supplied by the user. 
   * @param float $uid a unique id created by php's uniqid() function (although this can technically be anything). 
   * @return Boolean true on success or will throw exception on error.
   **/
  public function validateAndUseNonce($timestamp, $uid, $content = '', $nonce)
  {
    $hash = $this->getNonce($timestamp, $uid, $content, strlen($nonce));

    // Check to see if nonce has been used. Only checks if nonce's are being stored.
    if($this->store && $this->nonceExists($nonce)){
      throw new Exception("This form has already been submitted once.");
    }

    // Check to see if time has expired
    if($this->expire > -1){
      if(time() > $timestamp + $this->expire){
        throw new Exception("This form has expired. Please reload the page and try submitting again.");
      }
    }

    if($nonce == $hash){
      if($this->store) $this->storeNonce($nonce);
      return true;
    } else {
      throw new Exception("Invalid form request. Please try again.");
    }
  }

  /**
   * Creates a unique nonce string with an optional length. Max length is dependent upon hashing algorithm.
   * @param int $timestamp the time in the form of the unix epoch
   * @param float $uid a unique id. 
   * @param string $content optional additional content supplied by the user. 
   * @param int length optional the length of the returned nonce. Max Dependent upon hashing algorithm.
   * @return string the nonce.
   **/
  public function getNonce($timestamp, $uid, $content = '', $length = NULL)
  {
    global $site;
    $hash = hash($this->hash, $timestamp . $this->secret . $uid . $content);
    $i = 0;
    do{
      $hash = hash($this->hash, $hash);
      $i++;
    } while ($i < $this->iter);

    if($length){
      $hash = substr($hash, 0, $length);
    }

    return $hash;
  }

  /** 
   * Store the nonce in the database.
   * @param string $nonce
   * @return boolean true on success false on failure 
   **/
  private function storeNonce($nonce)
  { 
    $sql = "INSERT INTO " . $this->db_table . " (nonce) VALUES (:nonce)";
    $q = $this->dbh->prepare($sql);
    return $q->execute(array(":nonce" => $nonce));
  }

  /** 
   * Checks the existence of a nonce in a database
   * @param string $nonce
   * @return mixed boolean false if does not exist, or int 1 if it does 
   **/
  private function nonceExists($nonce)
  {
    if(!$this->store) throw new Exception("Cannot determine if this nonce has been used since \$store is set to false. Set \$store to true in order to track nonce usage.");

    $sql = "SELECT COUNT(*) FROM " . $this->db_table . " WHERE nonce = :nonce LIMIT 1";
    $q = $this->dbh->prepare($sql);
    $q->execute(array(":nonce" => $nonce));
    return $q->fetchColumn();
  }

  /**
   * This may be called to validate a form that was generated using generateFormFields()
   *
   * @param string $content optional the additional content that was provided when 
   * generateFormFields() was called
   *
   * @return boolean true if valid
   **/
  public function validateForm($content = '')
  {
    $plain = $this->fnDecrypt($_POST['key']);
    $plain = explode(' ', $plain, 2);

    $time = $plain[0];
    $uid = $plain[1];

    if($content && $content !== $plain[2]){

    }

    return $this->validateAndUseNonce($time, $uid, $content, $_REQUEST['nonce']);
  }
  /**
   * Generates 2 hidden fields to add nonce capability to a form. Forms using this method
   * can be validated using validateForm().
   *
   * @param integer $length optional The length of the nonce
   * @param string $content optional content that will be hashed into the nonce.
   * This might be useful if you want to include a user id. Remeber anything added here
   * must also be included as an argument when validateForm() is called.
   *
   * @return string
   **/

  public function generateFormFields($content = '', $length = NULL)
  {
    $time = time();
    $uid = $this->generateUid();
    $key = $time . " " . $uid;

    // We'll need this info later so we don't want to simply hash it. We could just send it in plain
    // text but this is a little more secure and makes things very difficult to break.
    $key = $this->fnEncrypt($key);
    $nonce = $this->getNonce($time, $uid, $content, $length);

        //The ajax variable decides if ajax wants the keys or page being loaded first time.
$ajax = isset($_POST['ajax']) ? $_POST['ajax'] : "false";

        if($ajax=="false"){
              echo "\r\n<input type='hidden' id='nonce' name='nonce' value='$nonce'>\r\n";
              echo "<input type='hidden' id='key' name='key' value='$key'>\r\n";


        } else {
            echo json_encode(array("key" => $key, "nonce" => $nonce));

              //This would work when ajax called.
        }


  }


  /**
   * Checks to see if a form was posted that contains fields generated by generateFormFields().
   *
   * @return boolean true if form was posted
   **/
  public function isFormPosted()
  {
    if(isset($_REQUEST['key']) && isset($_REQUEST['nonce'])) return true;
  }

  /**
   * Creates a cryptographically secure random string. Tries first using urandom (for *nix systems),
   * then tries openssl_random_pseudo_bytes and as a last resort mt_rand.
   *
   * @return string a random string
   **/
  public function generateUid($length = 32)
  {
    // Best option, but only on *nix systems. Also some web servers don't have access to this.
    if(is_readable('/dev/urandom')){
      $f = fopen('/dev/urandom', 'r');
      $seed = fgets($f, $length); // note that this will always return full bytes
      fclose($f);
      return base64_encode($seed);
    }

    // Next best thing but requires openssl
    if(extension_loaded('openssl')){
      $seed = bin2hex(openssl_random_pseudo_bytes($length));
      return base64_encode($seed);
    }

    // Last resort, mt_rand
    for ($i = 0; $i < $length; $i++) {
        $seed = chr(mt_rand(0, 255));
    }

    return base64_encode($seed);
  }

  private function fnEncrypt($sValue)
  {
    return trim(
      base64_encode(
        mcrypt_encrypt(
          MCRYPT_RIJNDAEL_256,
          hash($this->hash, $this->secret, true), $sValue, 
          MCRYPT_MODE_ECB, 
          mcrypt_create_iv(
            mcrypt_get_iv_size(
              MCRYPT_RIJNDAEL_256, 
              MCRYPT_MODE_ECB
            ), 
            MCRYPT_RAND
          )
        )
      )
    );
  }

  private function fnDecrypt($sValue)
  {
    return trim(
      mcrypt_decrypt(
        MCRYPT_RIJNDAEL_256, 
        hash($this->hash, $this->secret, true), 
        base64_decode($sValue), 
        MCRYPT_MODE_ECB,
        mcrypt_create_iv(
          mcrypt_get_iv_size(
            MCRYPT_RIJNDAEL_256,
            MCRYPT_MODE_ECB
          ), 
        MCRYPT_RAND
        )
      )
    );
  }

  /**
   * Deletes any nonce's from the DB that are older than $expire. Nonce's older than $expire
   * can be safely deleted since they cannot be used anymore.
   *
   * @return boolean true on success
   **/
  public function cleanUpDb()
  {
    $sql = "DELETE FROM " . $this->db_table . " WHERE timestamp < DATE_ADD(now(), INTERVAL -:expire second)";
    $q = $this->dbh->prepare($sql);
    return $q->execute(array(":expire" => $this->expire));
  }
};
$n = new Nonce;

my proccsed.php

<?php

include "../includes/session.php";
require_once '../xsspro/library/HTMLPurifier.auto.php';
require "../includes/nonce.php";// nonce tokens for forms not sessions.

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);

header('Cache-Control: no-cache, must-revalidate');
header('content-type: application/json; charset=utf-8');

$msg = '';

 if($n->isFormPosted()){
  try{
    // Wil return true if valid.
    $msg = $n->validateForm();
  }catch (Exception $e){
    $msg = $e->getMessage(); 
  }
}


if($msg === true) : 

        foreach($_POST as $key => $value) {
            if (!is_array($key)) {
                // sanitize the input data
                if ($key != 'ct_message') $value = strip_tags($value);
                $_POST[$key] = $purifier->purify($value);
            }
        }


function cleanPost($val) {
  if(!isset($_POST[$val])) {
    $_POST[$val] = NULL;
    return;
  }
  $_POST[$val] = trim(htmlentities($_POST[$val], ENT_QUOTES, 'UTF-8'));
}


if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
  cleanPost('email');
  cleanPost('p');
  $message[]='לא ניתן להתחבר עם פרוקסי.';
}

if ($_SERVER["REQUEST_METHOD"] <> "POST") 
 die("You can only reach this page by posting from the html form");

$message=array();



if(isset($_POST['email']) && !empty($_POST['email']))
    {

        if(filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
            {
            $email = $purifier->purify(@$_POST['email']);
            }
            else
            {
            $message[]='האימייל שהזנת שגוי או לא תקין נסה שוב';
            }
    }
    else
    {
        $message[]='אנא הכנס אימיל';
    }

if(isset($_POST['p']) && !empty($_POST['p']))
                {
                   $password = $purifier->purify(@$_POST['p']); 
                }
                else if($_POST['p'] == '')
                {
                  $message[]='אנא הכנס סיסמא';

                }

if(get_magic_quotes_gpc()){
   $password = stripslashes($password);
   $email = stripslashes($email);
}   


$countError=count($message);

   if($countError > 0)
     {

                 $errmsg = '';
      foreach($message as $key => $error) {

              if($key > 0)
              $errmsg .= " ,";
              $errmsg .= "{$error}";
             }
              $return = array('error' => 1, 'message' => $errmsg);
             echo json_encode($return);

    }
    else
    {

    if($session->admin_login($email, $password, $func->mysqli) == true) 
      {
              $return = array('login' => true);
              echo json_encode($return);

      } 
      else 
      {
           //return the errors from the function

      }
    }
elseif($msg):

              $return = array('message' => $msg);
              echo json_encode($return);
endif;
?>

nonce.php , proccsed.php , login.php

that all the files.

iv added the all codes i am stuck so hard cant figure to fix it, thanks allot and sry very very thanks for help!

Please don't post the EXACT same question twice, http://stackoverflow.com/questions/18040177/refresh-input-after-ajax-submit-form — AmazingDreams, Aug 05 '13 at 07:51
@AmazingDreams He actually edited the previous question to a newer question. So I edited that question back to its previous form, so you may answer his new question now. — Optimus Prime, Aug 05 '13 at 08:17

score 1 · Answer 1 · edited May 23 '17 at 11:50

1

this one create the keys :

 public function generateFormFields($content = '', $length = NULL)
  {
    $time = time();
    $uid = $this->generateUid();
    $key = $time . " " . $uid;

    // We'll need this info later so we don't want to simply hash it. We could just send it in plain
    // text but this is a little more secure and makes things very difficult to break.
    $key = $this->fnEncrypt($key);

    echo "\r\n<input type='hidden' id='nonce' name='nonce' value='" . $this->getNonce($time, $uid, $content, $length) . "'>\r\n";
    echo "<input type='hidden' id='key' name='key' value='$key'>\r\n";
  }

You are not passing the keys in array? Pass them as array. Add this instead of echo........ in your code,

$nonce = $this->getNonce($time, $uid, $content, $length);

echo json_encode(array("key" => $key, "nonce" => $nonce));

Now in ajax where you get new keys,

$.ajax({  
 url: "file_to_get_new_keys.php",
  type: "POST",  
  data: dataString,
  success: function(data)
  {  
       $("#nonce").val(data.nonce);
       $("#key").val(data.key);
  }
});

Latest Edit,

Pass dataString now.

 $.ajax({  
     url: "file_to_get_new_keys.php",
      type: "POST",  
      data: {ajax:"true"},
      success: function(data)
      {  
           $("#nonce").val(data.nonce);
           $("#key").val(data.key);
      }
    });

Now in your php, have a new variable $ajax, in the function which returns the variables.

$ajax = isset($_POST['ajax']) ? $_POST['ajax'] : "false";

//The ajax variable decides if ajax wants the keys or page being loaded first time.

if($ajax=="false"){
      echo "\r\n<input type='hidden' id='nonce' name='nonce' value='$nonce'>\r\n";
      echo "<input type='hidden' id='key' name='key' value='$key'>\r\n";

     // OR
       return json_encode(array("key" => $key, "nonce" => $nonce));

     //whatever you need above, when ajax not called.


} else {
    echo json_encode(array("key" => $key, "nonce" => $nonce));

      //This would work when ajax called.
}

Yes, the problem may be that another site may call your php file using ajax and get the keys, and then use them. here is a question, that may help you.

Web services API Keys and Ajax - Securing the Key

edited May 23 '17 at 11:50

Community

1
1

answered Aug 05 '13 at 12:03

Optimus Prime

6,817
5
32
60

iv edited my question and good some idea by your post look again thanks u allot i am close to fix it.. – user2635001 Aug 06 '13 at 04:51
So you must also check in the key somehow, or in the php that the ajax call made is by your domain or server. – Optimus Prime Aug 06 '13 at 05:39
And why are you using another variable $skey? Just use $key. Rest of php is fine. – Optimus Prime Aug 06 '13 at 05:40
the problem now is when i load the login.php the inputs key + nonce are empty cuz the ajax not load the keys from the php when the login page loaded , and anyway its not get the keys or anything from that function any idea , iv edited again i'v added more code from the nonce.php – user2635001 Aug 06 '13 at 06:03
So while loading the form too, you call this function, or if your form is created by php, create keys at the time of loading the page for the first time too. – Optimus Prime Aug 06 '13 at 06:10
but the generateFormFields($content = '', $length = NULL) is the one who created the keys and we just change it from echo inputs to json array so i can back it with ajax and not php that was the idea no? – user2635001 Aug 06 '13 at 06:16
look this when i view source : {"key":"U9scpsxIZbkwIx69gdRFFRfx\/UMufD7gK3UisQ99xEQ=","nonce":"9a26f25a7ec737406a638e3ce9f78525816e8bb35270d0ac8b66888447e68a51"} and its not working anyway every time i press submit the key not changing errrrrr i stuck very hard.......... – user2635001 Aug 06 '13 at 06:29
i just added this line to php echo json_encode(array("key" => $key, "nonce" => $nonce)); and i generate the inputs normali with php in the login form : generateFormFields(); ?> and just want to make the key changing without refreshing the page but nothing wrong.... – user2635001 Aug 06 '13 at 06:39
No generateFormFields() should give the key for the first time. Ajax will give the keys next time onwards, not the first time. – Optimus Prime Aug 06 '13 at 07:39
Your entire form along with the keys and nonce will be echoed in the form for the first time. The json array is only for ajax which will deliver the keys second time onwards. – Optimus Prime Aug 06 '13 at 07:40
i know that but cant make it work... i added inside the function json array with the keys hold and did the ajax script to take it but it wont work u have any exmaple ? – user2635001 Aug 06 '13 at 07:46
I gave you the example last time. I will edit code in that answer in a while. – Optimus Prime Aug 06 '13 at 07:49
yea but not working , i mean when i enter the first time to login.php the php function create the inputs , then when i press again submit the ajax should return the new value from the php function but it dont do it... – user2635001 Aug 06 '13 at 07:52
It will generate the new keys, you may use `console.log` or alert to see the new keys. You can't see the new keys in view-source of browser. – Optimus Prime Aug 06 '13 at 07:56
i did alert the json return nothing , he not returning any keys after submit only when i enter the page first time like the php... alert(response.nonce); alert(response.key); its not doind the alert even.. somthing went wrong with the succses i think – user2635001 Aug 06 '13 at 07:59
i checked everything i dont have any error look i will edit my post i will show u what iv done so far. – user2635001 Aug 06 '13 at 08:01
The biggest problem seems to me that the keys that you returned haven't been saved to the database, the function nonceexists would return false. – Optimus Prime Aug 06 '13 at 08:04
You are saving them in the function where you used ajax? which returns the json array? – Optimus Prime Aug 06 '13 at 08:14
why are you also echoing the "input" elements only the array has to be echoed and this function only should save these new keys to db? – Optimus Prime Aug 06 '13 at 08:16
as u see in generate function i have echoed the inputs with the keys at first time entered the page , then after next submit it should call the same funtion and return with json the keys arays with the new one and put them instead of the old values . – user2635001 Aug 06 '13 at 08:18
anyway as i see the ajax function not working at all , its not return the values to the ajax response – user2635001 Aug 06 '13 at 08:34
Don't use the same function for first time and second time. I am telling you that you don't need to echo the '...' things. Just echo the json array. Thats all what ajax should return. Or if there are problems, make a new php file for ajax, that only returns the keys, doesn't echo 'input' and all. – Optimus Prime Aug 06 '13 at 08:47
i removed the echo inputes , and did echo to json array but the ajax script not take the json code on the succses – user2635001 Aug 06 '13 at 09:12
have you tried alerting, are the keys coming? try `alert(data.key+" "+data.nonce)` – Optimus Prime Aug 06 '13 at 09:20
ok i got it , it return the keys only if i run the php function like $n->regene...(); but when i do it , it echo the json array on the top of the login page – user2635001 Aug 06 '13 at 09:23
i mean i have to write this :generateKeyInputsFields(); ?> some where so the php function will work and then its return the json aray but its also echo it on the top of the page any ideas – user2635001 Aug 06 '13 at 09:30
I have told you what to do. You don't understand what I am telling you. Will show you some other example later today. – Optimus Prime Aug 06 '13 at 09:32
i cant get that php function cuz its use other php functions in the same class sry my bad i am ajax newbie... – user2635001 Aug 06 '13 at 09:33
Make a separate php file for ajax. That only returns the json array. Keep your other php file as earlier. That was delivering the form with keys before. – Optimus Prime Aug 06 '13 at 09:37
and how the seprate file will know the new keys ? my regene..(); already done it with php every time u refresh the page or enter the page and when u press submit it change but in the value input it not changing cuz ajax not refreshing the page – user2635001 Aug 06 '13 at 09:40
check the answer's latest edit, i edited again now you should be able to do. – Optimus Prime Aug 06 '13 at 11:03
ok , i tested not working yet , iv did this : in my login form i kept the same genet..();?> which call the genereate php function. in my generate php function i added ur line am i right? iv edited and added the new php function – user2635001 Aug 07 '13 at 13:24
i doing somthing wrong.. in my form i call php function but i also have ajax script that pass string , but how that string pass inside php function inside class? – user2635001 Aug 07 '13 at 13:37
if (ajax=false )you dont have to echo and return both, it depends, what your function is doing. Either return or use echo depending on your need. Or just echo, don't return. I had added "OR" above return. – Optimus Prime Aug 07 '13 at 15:11
should i keep call the function from the form ? – user2635001 Aug 08 '13 at 04:05
and also the post send true , but on the php side inside the function the isset post not get the parameter and the its not return the json back to login .php i did alert its not working – user2635001 Aug 08 '13 at 04:45
ok i understand i cant get the post pass inside the class u have any idea? – user2635001 Aug 08 '13 at 05:17
ok i can add you the all php class + proccses.php + login.php ? i am stuck cant figure it... – user2635001 Aug 08 '13 at 10:29

score 0 · Answer 2 · answered Aug 05 '13 at 09:08

0

You did not include your jQuery success function. It should look something like this though.

success: function(data) {
    // Get the key from the response
    var generatedkey = data['key'];

    // Set the appropiate field to the new key
    $("input[name=key]").val(generatedkey);
}

And the response of a 'valid' response should, look something like.

echo json_encode(array("key" => $newkey));

answered Aug 05 '13 at 09:08

AmazingDreams

3,136
2
22
32

hi , i didnt included my succses cuz i dont think some need it here , anyway i understand u all tell me to regenerate new key in the proccses php but how can i do it if my generate function + regenerate is inside the form ? look at my form html u see there generateFormFields() ?> this function create every submit new input with hashed keys inside value , so this code should work only on normal post but i using ajax and i dont now how to make it change without refreshing the page this the problem and sry for my bad english and thanks! edited i will add the suc code too – user2635001 Aug 05 '13 at 09:23
they both validated and generate same page , same class could csrf , its working perfect with normal form post , because every submit with normal post the page refreshing so the key value changing , ajax not refreshing the page so the key keep the same key as before like the user entered the page – user2635001 Aug 05 '13 at 10:08
Yeah, the AJAX should return the new keys you want... and they should be set using jquery. – AmazingDreams Aug 05 '13 at 10:09
i dont know how to put php class with ajax lol its sound hard to make php code work with ajax , the ajax need to create 2 inputs its hard – user2635001 Aug 05 '13 at 10:23
`echo json_encode(array("key1" => $newkey1, "key2" => $newkey2));` AJAX is 'just another way' of accessing a page and interpreting it. – AmazingDreams Aug 05 '13 at 10:27
iv edited my question after changes i made and cleanup uneeded codes . – user2635001 Aug 06 '13 at 05:49

ajax login csrf key input change after submit

2 Answers2

Linked