FR: Return new CSRF token in response of any controller that consumes CSRF #3858
timkelty changed the title from "FR: Return CSRF token in response of any controller that consumes CSRF" to "FR: Return new CSRF token in response of any controller that consumes CSRF" on Feb 18, 2019
On further examination, it seems this is only really needed for the login/logout controllers, as those generate a new CSRF.
👏
brandonkelly added a commit that referenced this issue on Feb 19, 2019
nice job, @timkelty - you can be a pretty handy guy :)
Thank you @timkelty
Very cool! Updated the Stack Overflow answer to mention this. ❤️
Currently, if you have an SPA or even just ajax requests to controllers that require a CSRF, you can pass it along, probably getting it from your template
Great – except now that CSRF has been used, so you need a new one, but if your page hasn't reloaded, you don't have one. Making a subsequent request just to get a CSRF is wasteful, and Craft doesn't really have a controller for that anyway (although you could use `users/get-remaining-session-time`).
What would be ideal is if any controller that consumed a CSRF token also created a new one and returned it in the JSON response.
Related: https://craftcms.stackexchange.com/questions/28735/csrf-in-headless-applications from @AugustMiller
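The client-side half of the behaviour requested above, as an added example that is not part of the original issue or Craft's own code: a small holder that sends the current token with each request and adopts a rotated one when a JSON response carries it. The class name `CsrfSession`, the response key `csrfTokenValue` and the header `X-CSRF-Token` are assumptions; match them to what your backend actually returns and validates.

```javascript
// Added example, not Craft's own code. The response key and header name are
// assumptions; set them to whatever your backend actually uses.
const TOKEN_KEY = 'csrfTokenValue';    // assumed JSON key carrying the rotated token
const TOKEN_HEADER = 'X-CSRF-Token';   // assumed request header the server validates

class CsrfSession {
  constructor(initialToken) {
    this.token = initialToken;         // e.g. rendered into the page by the template
  }

  // Build fetch() options for a state-changing request using the current token.
  buildRequest(data) {
    return {
      method: 'POST',
      credentials: 'same-origin',      // session cookie only goes to our own origin
      headers: {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        [TOKEN_HEADER]: this.token,
      },
      body: JSON.stringify(data),
    };
  }

  // Adopt a rotated token if the response carries one; return true when it changed.
  absorbResponse(json) {
    const next = json && json[TOKEN_KEY];
    if (typeof next !== 'string' || next.length === 0 || next === this.token) {
      return false;                    // ignore missing, empty or non-string values
    }
    this.token = next;
    return true;
  }

  // POST to a same-origin endpoint and keep the token in sync with the response.
  async post(url, data, fetchImpl = fetch) {
    const res = await fetchImpl(url, this.buildRequest(data));
    const json = await res.json();
    this.absorbResponse(json);
    return json;
  }
}
```

Keep the token in memory only and call `post()` with relative, same-origin URLs so the token is never attached to a request bound for another host.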