I want to turn ON csrf protection only in a few of my controllers, so I have
function __construct() {
$this->load->helper(array('form', 'url'));
$this->load->model('user_model', '', true);
$this->config->set_item('csrf_protection', TRUE);
But it doesn't seem to work, although when I do var_dump($this->config) on a page it shows that csrf_protection is TRUE, but the cookies are not set and the form has a hidden field without value
<input type="hidden" name="ci_csrf_token" value="" />
Csrf token name and cookie name are all set, the forms are called with form_open().
Any help would be much appreciated.
Update: So this is not possible from version 2.1.1 because of the line in security class construct if (config_item('csrf_protection') === TRUE) {
Security class is initialized before the controller, so its natural that the config item change in the controller will not affect it.