Codeigniter CSRF - how does it work

2019-01-08 20:34发布

问题:

Recently I found out about CSRF attacks and was happy to find out that CSRF protection was added to Codeigniter v 2.0.0.

I enabled the feature and saw that a hidden input with a token is added in forms and I assume that it stores the token in a session too. On POST requests does CI automatically compare tokens or do I have have to manually do that?

回答1:

The CSRF token is added to the form as a hidden input only when the form_open() function is used.

A cookie with the CSRF token's value is created by the Security class, and regenerated if necessary for each request.

If $_POST data exists, the cookie is automatically validated by the Input class. If the posted token does not match the cookie's value, CI will show an error and fail to process the $_POST data.

So basically, it's all automatic - all you have to do is enable it in your $config['csrf_protection'] and use the form_open() function for your form.

A good article I found that explains it very well: https://beheist.com/blog/csrf-protection-in-codeigniter-2-0-a-closer-look.html



回答2:

When csrf protection enabled security class checks this token automatically (it compares POST token with COOKIE token)



回答3:

Refer this Link -- Used CSRF Tokens using form helper or Manually

The article explains how to work around with CSRF Tokens in

  • form open with form helper form_open() function
  • in ajax forms
  • ajax/jquery serialization forms

This article also explains about how to "Disable CSRF for cetain URL's(Which are used as webservice urls)"