
Secure Forms Check and AJAX Forms

Development and Programming

Rob Sanchez
335 posts
15 years ago

Here’s the scenario: I have a module which has a form and a corresponding action. I use form_declaration to make sure I get an XID in the form, and in the action, I do a secure_forms_check(). Which is great, until the user makes it an AJAX form and tries to submit more than once. The first AJAX submit will work. At the end of that first submission, the XID gets deleted from the database, so subsequent AJAX submits will not have a valid XID accompanying them, and will fail.

As I see it, there are two ways to deal with this problem.

  1. Don’t delete the XID hash at the end of the secure forms check when an AJAX request is detected.
  2. In response to an AJAX-requested action, generate a new XID hash and pass it back to the user as part of a JSON object, which the front-end developer can update in the form.

Are there any other options I’m missing? What should be the preferred option?

       
Greg Aker
6,022 posts
15 years ago

Rob,

We’re doing #2 on the CP login reminder function. In controllers/cp/login.php, there’s refresh_xid(), where we pass the new XID back and update XID hidden inputs on the page.

Hope that helps,

-greg
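
Option 2 from the thread, sketched as an added example that is not part of the posts and is not ExpressionEngine code: a single-use token store, an action that returns a replacement XID in its JSON response, and a client that copies it into the form's hidden field. `XidStore`, `handleAction`, `ajaxSubmit` and `demo` are hypothetical names, and the form is modelled as a plain object so the script runs in Node.js.

```javascript
// Added illustration; every name here is hypothetical, not ExpressionEngine's API.
const { randomBytes } = require('crypto');

// Server side: single-use tokens, mirroring "the XID gets deleted after the check".
class XidStore {
  constructor() { this.valid = new Set(); }
  issue() {
    const xid = randomBytes(20).toString('hex');
    this.valid.add(xid);
    return xid;
  }
  // True at most once per token: the token is deleted as part of the check.
  consume(xid) { return this.valid.delete(xid); }
}

// Hypothetical module action: check the XID, then hand back a fresh one.
function handleAction(store, post, isAjax) {
  if (!store.consume(post.XID)) {
    return { status: 403, body: { error: 'invalid XID' } };
  }
  const body = { success: true };
  if (isAjax) body.XID = store.issue(); // replacement token for the next submit
  return { status: 200, body };
}

// Client side: submit, then copy the returned XID into the hidden field.
function ajaxSubmit(store, form, { refresh = true } = {}) {
  const res = handleAction(store, { ...form.fields }, true);
  if (refresh && res.status === 200 && res.body.XID) {
    form.fields.XID = res.body.XID;
  }
  return res.status;
}

// Constructed scenario: the same form is submitted twice over AJAX.
function demo(refresh) {
  const store = new XidStore();
  const form = { fields: { XID: store.issue(), email: 'user@example.com' } };
  return [ajaxSubmit(store, form, { refresh }), ajaxSubmit(store, form, { refresh })];
}

console.log(demo(false)); // client ignores the returned XID
console.log(demo(true));  // client updates the hidden field
```

Each token is still accepted only once, so a captured XID cannot be replayed; the form keeps working because the client always holds the most recently issued value.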

       
Rob Sanchez
335 posts
15 years ago

refresh_xid, brilliant. Thanks for the advice!

       
