Codeigniter CSRF - how does it work

2019-01-08 20:43发布

Recently I found out about CSRF attacks and was happy to find out that CSRF protection was added to Codeigniter v 2.0.0.

I enabled the feature and saw that a hidden input with a token is added in forms and I assume that it stores the token in a session too. On POST requests does CI automatically compare tokens or do I have have to manually do that?

3条回答
别忘想泡老子
2楼-- · 2019-01-08 21:18

Refer this Link -- Used CSRF Tokens using form helper or Manually

The article explains how to work around with CSRF Tokens in

  • form open with form helper form_open() function
  • in ajax forms
  • ajax/jquery serialization forms

This article also explains about how to "Disable CSRF for cetain URL's(Which are used as webservice urls)"

查看更多
Rolldiameter
3楼-- · 2019-01-08 21:19

When csrf protection enabled security class checks this token automatically (it compares POST token with COOKIE token)

查看更多
相关推荐>>
4楼-- · 2019-01-08 21:25

The CSRF token is added to the form as a hidden input only when the form_open() function is used.

A cookie with the CSRF token's value is created by the Security class, and regenerated if necessary for each request.

If $_POST data exists, the cookie is automatically validated by the Input class. If the posted token does not match the cookie's value, CI will show an error and fail to process the $_POST data.

So basically, it's all automatic - all you have to do is enable it in your $config['csrf_protection'] and use the form_open() function for your form.

A good article I found that explains it very well: https://beheist.com/blog/csrf-protection-in-codeigniter-2-0-a-closer-look.html

查看更多
登录 后发表回答