Ajax-About thinkphp Prevent local <form> Add a hash value at commit

To prevent forms from being submitted locally, thinkphp adds a 32-bit hash value to each form label by default, and any form submission verifies that the hash is consistent with the server-side session, but what if I use AJAX?! How to prevent the user from submitting malicious parameters locally.
In addition, thinkphp this way after verifying the hash and the session is consistent, immediately destroy the session and regenerate a new session and hash value, then this method is not for the Get method of the request to refresh again is invalid, For example, a site search function: Get to submit parameters: http://www.example.com/search.php?query= Best Watch Movie &hash= Jf75zg93s5su56si8d63hd8km01jf737ey, I refresh again, the hash value has not changed, but the server session has changed, is not stopped? I appreciate it.

Reply content:

To prevent forms from being submitted locally, thinkphp adds a 32-bit hash value to each form label by default, and any form submission verifies that the hash is consistent with the server-side session, but what if I use AJAX?! How to prevent the user from submitting malicious parameters locally.
In addition, thinkphp this way after verifying the hash and the session is consistent, immediately destroy the session and regenerate a new session and hash value, then this method is not for the Get method of the request to refresh again is invalid, For example, a site search function: Get to submit parameters: http://www.example.com/search.php?query= Best Watch Movie &hash= Jf75zg93s5su56si8d63hd8km01jf737ey, I refresh again, the hash value has not changed, but the server session has changed, is not stopped? I appreciate it.

Hash should be CSRF token, only need to be in the AJAX request before sending, that is, binding beforesend event processing, add tokens to the header.

Like what:

When using AJAX requests, set ' X-csrf-token ' on the HTTP header, which is the Token generated by the server, such as

jquery in Ajax and set ' X-csrf-token '

$.ajax({            type: "POST",            url: _node.attr('href'),            beforeSend: function(req) {              req.setRequestHeader('X-CSRF-Token', "#{csrf_token}")            },//后边的省略 });

