To prevent local form submission, thinkphp adds a 32-bit hash value to each form tag by default. Any form submission must verify that the hash is consistent with the SESSION on the server. However, what if I use Ajax?! How do I prevent users from submitting malicious parameters locally?
In addition, after verifying that the hash and SESSION are consistent, thinkphp immediately destroys the SESSION and generates a new SESSION and hash value, so this method does not work for a GET request that is refreshed again, for example a site search function that submits its parameters by GET: http://www.example.com/search.php?query=the best movie to watch&hash=jf75zg93s5su56si8d63hd8km01jf737ey. If I refresh again, the hash value hasn't changed, but the server SESSION has changed. Will it be blocked? I am very grateful for your patience.
Reply content:
The hash should be a CSRF token. You only need to bind the beforeSend event before sending the Ajax request and add the token to the header.
For example:
When using Ajax requests, you must set 'X-CSRF-Token' in the HTTP header. The value is the token generated by the server, for example:
Send Ajax in jQuery and set 'X-CSRF-Token':
$.ajax({
    type: "POST",
    url: _node.attr('href'),
    beforeSend: function (req) {
        // "#{csrf_token}" is the template placeholder for the server-generated token
        req.setRequestHeader('X-CSRF-Token', "#{csrf_token}");
    }
    // omitted later
});