Recently I found out about CSRF attacks and was happy to find out that CSRF protection was added to Codeigniter v 2.0.0.
I enabled the feature and saw that a hidden input with a token is added in forms and I assume that it stores the token in a session too. On POST requests does CI automatically compare tokens or do I have have to manually do that?
The CSRF token is added to the form as a hidden input only when the form_open()
function is used.
A cookie with the CSRF token's value is created by the Security class, and regenerated if necessary for each request.
If $_POST
data exists, the cookie is automatically validated by the Input class. If the posted token does not match the cookie's value, CI will show an error and fail to process the $_POST
data.
So basically, it's all automatic - all you have to do is enable it in your $config['csrf_protection']
and use the form_open()
function for your form.
A good article I found that explains it very well: https://beheist.com/blog/csrf-protection-in-codeigniter-2-0-a-closer-look.html
When csrf protection enabled security class checks this token automatically (it compares POST token with COOKIE token)
Refer this Link -- Used CSRF Tokens using form helper or Manually
The article explains how to work around with CSRF Tokens in
- form open with form helper
form_open()
function
- in ajax forms
- ajax/jquery serialization forms
This article also explains about how to "Disable CSRF for cetain URL's(Which are used as webservice urls)"