For a bit of background please see https://en.wikipedia.org/wiki/Cross-site_request_forgery
In order to make require_sesskey()
work, you need to make sure that the sesskey token is available for the javascript on the page, and that it is submitted back to server as a part of the AJAX request. For the javascript, the sesskey value is available in M.cfg.sesskey
.
Please check https://docs.moodle.org/dev/AJAX_pre_2.9 and https://docs.moodle.org/dev/AJAX too.
Hope this helps.