Form token is stripped from widget AJAX calls
Answer ID 12720 | Last Review Date 10/13/2023
Why isn't our custom widget AJAX-handler receiving the f_tok POST data anymore?
Environment:
- Migrating to Customer Portal (CP) 3.9
- Custom widget ajax-handling with form tokens
Issue:
We have a custom widget that consumes the f_tok form expiration token value passed to it by an ajax request to /ci/ajax/widget. When we update the CP framework to version 3.9, the token is now missing from the parameters received by the handler in our widget controller.
Cause:
In CP 3.9, /ci/ajax/widget unsets the value f_tok after it is validated and before sending the POST data to the widget controller.
Resolution:
If you want to validate this token directly in your widget's ajax handler, you could send it with any other name than f_tok.
For troubleshooting, try var_dump($params) in your widget controller ajax handler function.
Notes:
See /dav/cp/core/framework/Controllers/Ajax.php. In framework version 3.9, there is a comment "remove f_tok coming in POST so that downstream additional checks are avoided."
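Added example (not code from the article or from the CP framework): a self-contained PHP model of the behaviour described above, showing a handler that reads the token from a renamed field, falls back to f_tok on pre-3.9 frameworks, and rejects the request when neither arrives. The field name widget_f_tok, all function names, and the hash_equals comparison standing in for real token validation are assumptions.

```php
<?php
// Added example: simplified model, not Customer Portal framework code.
// widget_f_tok and every function below are hypothetical names.
const ALT_TOKEN_FIELD = 'widget_f_tok';

// CP 3.9 per the article: f_tok is removed before the handler runs.
// The framework's own validation of f_tok is not modelled here.
function dispatch_cp39(array $post, callable $handler): array
{
    unset($post['f_tok']);
    return $handler($post);
}

// Version-tolerant lookup: prefer the renamed field, fall back to f_tok
// (pre-3.9), and return null when neither holds a non-empty string.
function extract_form_token(array $params): ?string
{
    foreach ([ALT_TOKEN_FIELD, 'f_tok'] as $field) {
        $value = $params[$field] ?? null;
        if (is_string($value) && $value !== '') {
            return $value;
        }
    }
    return null;
}

// Widget AJAX handler model: fails closed when the token is missing or wrong.
// hash_equals against a known value is a stand-in for real token validation.
function make_handler(string $expected): callable
{
    return function (array $params) use ($expected): array {
        $token = extract_form_token($params);
        if ($token === null || !hash_equals($expected, $token)) {
            return ['error' => 'invalid or missing form token'];
        }
        return ['ok' => true];
    };
}

// Constructed sample data: the updated client sends the token under both names.
$token   = 'constructed-sample-token';
$handler = make_handler($token);
$old     = ['f_tok' => $token, 'w_id' => '7'];
$new     = $old + [ALT_TOKEN_FIELD => $token];

var_dump($handler($old));                 // pre-3.9: f_tok reaches the handler
var_dump(dispatch_cp39($old, $handler));  // 3.9, client unchanged
var_dump(dispatch_cp39($new, $handler));  // 3.9, client also sends the renamed copy
```

Keeping f_tok in the request alongside the renamed copy leaves the check that /ci/ajax/widget performs on f_tok in place.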