CodeIgniter Forums
Is it necessary to check CSRF token in controller - Printable Version

+--- Thread: Is it necessary to check CSRF token in controller (/showthread.php?tid=67754)



Is it necessary to check CSRF token in controller - Anil - 04-05-2017

Hi,

Is it necessary to check the CSRF token in the controller?
I have done csrf_protection = TRUE in the config file.


RE: Is it necessary to check CSRF token in controller - Martin7483 - 04-05-2017

Straight from the source

Quote: CSRF protection

CSRF stands for Cross-Site Request Forgery, which is the process of an attacker tricking their victim into unknowingly submitting a request.

CodeIgniter provides CSRF protection out of the box, which will get automatically triggered for every non-GET HTTP request, but also needs you to create your submit forms in a certain way. This is explained in the Security Library documentation.



RE: Is it necessary to check CSRF token in controller - PaulD - 04-05-2017

(04-05-2017, 02:30 AM)Anil Wrote: Is it necessary to check CSRF token in controller??
No, this happens automatically whenever post data is encountered.

(04-05-2017, 02:30 AM)Anil Wrote: I have done csrf_protection = TRUE in config file .
The only other thing you have to do is use form_open to open your forms. CI will then add a hidden input field with the current CSRF token name and value.
You can read about form_open in the form_helper docs.
https://www.codeigniter.com/user_guide/helpers/form_helper.html#form_open

Example:
PHP Code:
<?php echo form_open('blog/add_post'); ?>
...
your input fields
...
<?php echo form_close(); ?>

The form_close just puts in </form>, but I still use it as it stops my editor from going crazy thinking I am closing an unopened tag.

For more details, as pointed out by Martin7483, the docs are quite thorough.

Paul.
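As an added illustration of Paul's answer (not code from this thread or from the CodeIgniter project), here are the three pieces involved in CodeIgniter 3: the config keys, a view that uses form_open(), and a controller that performs no token check of its own. The file names, the blog/add_post route and the field names are assumed.

```php
<?php
// --- application/config/config.php (CodeIgniter 3) ---
// Only csrf_protection is required; the others are shown with their defaults.
$config['csrf_protection']   = TRUE;               // core calls CI_Security::csrf_verify() on every non-GET request
$config['csrf_token_name']   = 'csrf_test_name';   // name of the hidden input that form_open() emits
$config['csrf_cookie_name']  = 'csrf_cookie_name'; // cookie the submitted token is compared against
$config['csrf_expire']       = 7200;               // token lifetime in seconds
$config['csrf_regenerate']   = TRUE;               // fresh token per request; set FALSE if multi-tab forms break
$config['csrf_exclude_uris'] = array();            // leave empty unless an endpoint genuinely cannot carry the token

// --- application/views/blog/add_post_form.php ---
// form_open() adds <input type="hidden" name="csrf_test_name" value="..."> by itself,
// so nothing CSRF-specific has to be written in the view.
echo form_open('blog/add_post');
echo form_input('title', set_value('title'));
echo form_textarea('body', set_value('body'));
echo form_submit('submit', 'Save');
echo form_close();

// A hand-written <form> must carry the same field, otherwise the POST is rejected:
?>
<form method="post" action="<?php echo site_url('blog/add_post'); ?>">
  <input type="hidden"
         name="<?php echo $this->security->get_csrf_token_name(); ?>"
         value="<?php echo $this->security->get_csrf_hash(); ?>">
  <input type="text" name="title">
  <input type="submit" value="Save">
</form>
<?php

// --- application/controllers/Blog.php ---
class Blog extends CI_Controller
{
    public function add_post()
    {
        // No token check here. Before this method runs, the core has already called
        // $this->security->csrf_verify(); a non-GET request whose token does not match
        // the cookie is stopped with "The action you have requested is not allowed." (HTTP 403).
        $this->load->helper('form');

        if ($this->input->method() !== 'post') {
            $this->load->view('blog/add_post_form');
            return;
        }

        $title = $this->input->post('title', TRUE); // TRUE = XSS filter the value
        $body  = $this->input->post('body', TRUE);
        $this->load->view('blog/post_saved', array('title' => $title, 'body' => $body));
    }
}
```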