Codeigniter CSRF valid for only one time ajax request


In my opinion, you should try to recreate your CSRF token on each request.

Try this code example...

For the JS function:

    // Token name and current hash rendered into the page by CodeIgniter
    var csrfName = '<?php echo $this->security->get_csrf_token_name(); ?>',
        csrfHash = '<?php echo $this->security->get_csrf_hash(); ?>';

    $("#avatar").change(function () {
        var link = $("#avatar").val();
        var dataJson = { [csrfName]: csrfHash, id: "hello", link: link };

        $.ajax({
            url: "<?php echo base_url('main/test'); ?>",
            type: 'post',
            data: dataJson,
            dataType: 'json', // parse the response so data.csrfName / data.csrfHash exist
            success: function (data) {
                // Keep the token returned by the server for the next request
                csrfName = data.csrfName;
                csrfHash = data.csrfHash;
                alert(data.message);
            }
        });
    });

and for the controller:

    public function test() {
        $config['upload_path'] = './uploads/';
        $config['allowed_types'] = 'gif|jpg|png';
        $config['max_size'] = 500;
        $config['max_width'] = 260;
        $config['max_height'] = 260;

        // Send the current token back so the client can use it on its next request
        $reponse = array(
            'csrfName' => $this->security->get_csrf_token_name(),
            'csrfHash' => $this->security->get_csrf_hash()
        );

        $this->load->library('upload', $config);
        if (!$this->upload->do_upload('link')) {
            $reponse['message'] = "error";
        }
        else {
            $data = array('upload_data' => $this->upload->data());
            $image_name = $data['upload_data']['file_name'];
            $reponse['message'] = $image_name;
        }
        echo json_encode($reponse);
    }

Let me know and good luck

Note: When someone asks you to post more data for the question, don't post it as a comment or answer; it's better to edit the question itself and add the stuff there.


You can set this in config.php:

$config['csrf_regenerate'] = FALSE;

so the CSRF protection is valid for the whole session time; it will solve your problem. If you set $config['csrf_regenerate'] = true; then CI generates a new CSRF token on every request, so your old CSRF token does not match the newly generated CSRF token.


$config['csrf_regenerate'] = TRUE;

Keep auto-regenerate set to TRUE; it will be safer. In a similar case, when the CSRF token is expired in the first request, this is what I have implemented:

    $(document).ajaxComplete(function (event, xhr, settings) {
        let response = xhr.responseText,
            obj = JSON.parse(response),
            csrfData = obj.csrf;
        // Write the token from the response into the hidden form field
        document.querySelector('input[name="' + csrfData.name + '"]').value = csrfData.hash;
        // Also here you can update any other non-input element
    });

In every AJAX response we are passing CSRF data, in which the latest CSRF data will be replaced with the current one.

Sample response from a request:

    {
        "csrf": {
            "name": "csrf_name",
            "hash": "qw76sd7s6f78sdfs8dfs9df8cx9"
        }
    }

I update the CSRF token in every AJAX request. Also, don't choose this method if you are working in a multi-tab environment.
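
The behaviour the answers above describe, as an added example that is not from any of the answers and is not CodeIgniter code: a constructed model of a session whose CSRF token is rotated on every accepted POST, with clients that do or do not copy the new token out of each response. All names (`createSession`, `createTab`, `demo`) are hypothetical, and the 200/403 statuses are an assumption of the model.

```javascript
// Added illustration: a constructed model of per-request CSRF token rotation.
// It is not CodeIgniter code; every name here is hypothetical.
const { randomBytes, timingSafeEqual } = require("crypto");

// One server-side session holding the single currently valid token.
function createSession(regenerate) {
  let hash = randomBytes(16).toString("hex");
  return {
    issue: () => hash, // token embedded in the page when it is rendered
    post(sentHash) {
      const a = Buffer.from(String(sentHash)), b = Buffer.from(hash);
      if (a.length !== b.length || !timingSafeEqual(a, b)) {
        return { status: 403 }; // rejected: no fresh token in the response
      }
      if (regenerate) hash = randomBytes(16).toString("hex"); // rotate
      return { status: 200, csrf: { name: "csrf_name", hash } };
    },
  };
}

// A browser tab: takes its token from the page and, if `refresh` is set,
// replaces it from every response (the job of the handlers shown above).
function createTab(session, refresh) {
  let hash = session.issue();
  return {
    send() {
      const res = session.post(hash);
      if (refresh && res.csrf) hash = res.csrf.hash;
      return res.status;
    },
  };
}

function demo() {
  const stale = createTab(createSession(true), false);
  const fresh = createTab(createSession(true), true);
  const fixed = createTab(createSession(false), false);
  const shared = createSession(true); // one session opened in two tabs
  const tabA = createTab(shared, true), tabB = createTab(shared, true);
  return {
    noRefresh: [stale.send(), stale.send()], // token reused after rotation
    withRefresh: [fresh.send(), fresh.send(), fresh.send()],
    noRegenerate: [fixed.send(), fixed.send()], // token fixed for the session
    twoTabs: [tabA.send(), tabB.send(), tabA.send()], // tabB still holds the old token
  };
}

console.log(demo());
```

The `twoTabs` result is the multi-tab caveat from the last answer: refreshing from responses only helps the tab that received the response.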