
I'm trying to use AJAX to autocomplete a search box on my website. I was using firebug to test my application. When I try to search something, Firebug tells me that the AJAX request returned a 403 forbidden error. However, when I copy the EXACT URL that was in the AJAX request, it returns the correct data.

Edit: I think this has to be something on the JavaScript side. Are there any headers that might be omitted with an AJAX request compared to a normal request?

Here is the $_SERVER variable (I removed the parameters that were the same on both requests) for an AJAX request that failed (1) vs. typing the URL in directly, which works (2):

(1)

2011-04-02 13:43:07 Debug: Array
(
    [HTTP_ACCEPT] => */*
    [HTTP_COOKIE] => CAKEPHP=0f9d8dc4cd49e5ca0f1a25dbd6635bac;
    [HTTP_X_REQUESTED_WITH] => XMLHttpRequest
    [REDIRECT_REDIRECT_UNIQUE_ID] => TZdgK654EmIAAEjknsMAAAFG
    [REDIRECT_UNIQUE_ID] => TZdgK654EmIAAEjknsMAAAFG
    [REMOTE_PORT] => 60252

    [UNIQUE_ID] => TZdgK654EmIAAEjknsMAAAFG
    [REQUEST_TIME] => 1301766187
)

(2)

2011-04-02 13:44:02 Debug: Array
(
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [HTTP_COOKIE] => CAKEPHP=d8b392a5c3ee8dd948cee656240fd5ea;
    [REDIRECT_REDIRECT_UNIQUE_ID] => TZdgYq54EmIAAF7zt6wAAAJJ
    [REDIRECT_UNIQUE_ID] => TZdgYq54EmIAAF7zt6wAAAJJ
    [REMOTE_PORT] => 60281

    [UNIQUE_ID] => TZdgYq54EmIAAF7zt6wAAAJJ
    [REQUEST_TIME] => 1301766242
)
Rob
  • What Components are you using? Try `$this->log($this->params, LOG_DEBUG)` at various points to see where it fails. Also, I think the last half of your question – deceze Mar 31 '11 at 23:46
  • I've been trying to find the problem, sometimes it works and sometimes it doesn't. I really don't get it. I tried $this->log($this->Auth->user(), 'debug') and it returned nothing. I'm assuming that's the root of the problem but I don't quite know how to fix it. – Rob Apr 01 '11 at 02:15
  • Rob, It should be `$this->log($this->Auth->user(), DEBUG);` not 'debug'. It's a constant. – Bjorn Apr 01 '11 at 14:32
  • I think LOG_DEBUG = 'debug'. Not sure but 'debug' worked, it was logging things fine. Thanks though. – Rob Apr 02 '11 at 17:23
  • Rob, check access rights on OS level. If on linux hosting, suggestions can be found in edit0. – benjamin Apr 02 '11 at 17:56

3 Answers

5

I think I found the solution. I set the security level to medium to solve the issue. I found this line in the config folder. Does a medium security level pose any problems in production?

/**
 * The level of CakePHP security. The session timeout time defined
 * in 'Session.timeout' is multiplied according to the settings here.
 * Valid values:
 *
 * 'high'   Session timeout in 'Session.timeout' x 10
 * 'medium' Session timeout in 'Session.timeout' x 100
 * 'low'    Session timeout in 'Session.timeout' x 300
 *
 * CakePHP session IDs are also regenerated between requests if
 * 'Security.level' is set to 'high'.
 */
Configure::write('Security.level', 'medium');

Edit: This is definitely the solution. Here's what was happening:

When the security level is set to high, a new session ID is generated upon every request.

That means that when I was making ajax requests, a new session ID would be generated.

If you stay on the same page, JavaScript makes a request, which generates a new session_id, and doesn't record the new session_id.

All subsequent ajax requests use an old session_id, which is declared invalid, and returns an empty session.

Rob
3

If you are using Auth, you need to make sure that you are logged in if the controller/action is not on your $this->Auth->allow() list.

Make sure you set debug to 0 as well; it might cause you some problems.

Dunhamzzz
  • I am logged in at the time, and all pages that require log in are working properly. It just seems that sometimes, for some reason, the user is logged out for ajax requests. It works sometimes, and fails to work other times. – Rob Apr 02 '11 at 17:24
  • How does debug = 0 affect AJAX requests? – Rob Apr 02 '11 at 18:03
  • Because if you have a dump of your SQL or a warning on the page it will break your JSON object. – Dunhamzzz Apr 02 '11 at 19:34
-1

Maybe it's the Cross site request forgery component. It's responsible for all authentication requests, except GET requests. Look at this: http://book.cakephp.org/3.0/en/controllers/components/csrf.html

Mansuro