CSRF tokens in multiple components on first cached request
See original GitHub issueUsing CSRF tokens in multiple components on the first cached request can result in CSRF requests failing. This is because the Sprig components are loaded asynchronously, without a session cookie existing for the user, as reported in https://github.com/putyourlightson/craft-sprig/issues/201 and related to https://github.com/putyourlightson/craft-blitz/issues/329.
The current suggested workaround is to use a dummy init
component that on page load will force a session cookie to be generated and will then refresh all other components on the page.
{# _components/init #}
{% if sprig.isRequest %}
{{ csrfInput() }}
<script>
for (const component of htmx.findAll('.sprig-component')) {
htmx.trigger(component, 'refresh');
}
</script>
{% endif %}
{# Main page #}
{{ sprig('_components/init', {}, { 's-trigger': 'load' }) }}
{{ sprig('_components/form') }}
{{ sprig('_components/form') }}
{{ sprig('_components/form') }}
{{ sprig.script }}
This is a feature request for Sprig to add a convenience method for handling this use-case.
Issue Analytics
- State:
- Created 10 months ago
- Comments:15
Top Results From Across the Web
Avoiding CSRF tokens - caching - Stack Overflow
On an ecommerce, the product page is cached by Varnish, so if the user lands directly here, he won't have a session ID...
Read more >A Deep Dive into CSRF Protection in Rails | by Alex Taylor
There are two components to CSRF. First, a unique token is embedded in your site's HTML. That same token is also stored in...
Read more >The Curious Case of Caching CSRF Tokens
On the first request, the user is anonymous and their request indistinguishable from any other - their page can be served from the...
Read more >Multiple {{ craft.blitz.csrfInput }} should not make ... - GitHub
I have a page with multiple {{ craft.blitz.csrfInput }} on it, for different forms. I noticed that triggers as many XHR requests as...
Read more >CSRF tokens | Web Security Academy - PortSwigger
A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Features are only added to new versions of the plugin, so you’ll have to update to get it.
Released in version 2.4.0.