Okay, so I am storing their tokens in a session:
Session::get('token', 'randomtokenstringhere');
On each form, whether it's successful or not, I generate a new token and update their session token. Now say, for example, user 1
is on an update profile page, and I serialize a form with a token (on page load I echo the token variable). They submit the form, which runs an AJAX request and either completes or returns an error; my system generates a new token, but on the edit profile page they're still using the old token, so now their tokens will never match.
How can I fix this for extra security?
Here's an example of my ajax:
<!-- accept, reject, add and cancel friend requests -->
$('.add_friend').click(function(event) { // bind to the click event of the link
    event.preventDefault();
    $.ajax({
        url: $(this).attr('href'), // the href already carries the token echoed at page load
        success: function(responseText) {
            // flip the link between "add" and "cancel", rebuilding the href
            // with the token PHP echoed when the page was rendered
            if ($(event.target).text() == 'Add as friend') {
                $(event.target).attr("href", "<?php echo Config::get('URL'); ?>friends/cancel_request/" + $(event.target).attr('id') + "/<?php echo System::escape(Session::get('token')); ?>");
                $(event.target).text('Cancel Request');
                $(event.target).removeClass("add_friend btn btn-success").addClass("cancel_request btn btn-info");
            } else {
                $(event.target).attr("href", "<?php echo Config::get('URL'); ?>friends/addfriend/" + $(event.target).attr('id') + "/<?php echo System::escape(Session::get('token')); ?>");
                $(event.target).text('Add as friend');
                $(event.target).removeClass("cancel_request btn btn-info").addClass("add_friend btn btn-success");
            }
        }
    });
    return false;
});
<!-- End Like a status -->
which of course runs the following link:
<a class="add_friend btn btn-success" id="<?php echo System::escape($likes->timeline_likes_id); ?>" href="<?php echo Config::get('URL'); ?>friends/addfriend/<?php echo System::escape($likes->user_id).'/'.System::escape(Session::get('token')); ?>"><?php echo System::translate("Add as friend"); ?></a>
Their token is: System::escape(Session::get('token'))
which will only load on page refresh, which defeats my reason for using AJAX.