Is it necessary to check CSRF token in controller
#1

Hi,

Is it necessary to check the CSRF token in the controller?
I have done csrf_protection = TRUE in the config file.
#2

Straight from the source

Quote: CSRF protection

CSRF stands for Cross-Site Request Forgery, which is the process of an attacker tricking their victim into unknowingly submitting a request.

CodeIgniter provides CSRF protection out of the box, which will get automatically triggered for every non-GET HTTP request, but also needs you to create your submit forms in a certain way. This is explained in the Security Library documentation.
#3

(04-05-2017, 02:30 AM)Anil Wrote: Is it necessary to check the CSRF token in the controller?
No, this happens automatically whenever post data is encountered.

(04-05-2017, 02:30 AM)Anil Wrote: I have done csrf_protection = TRUE in the config file.
The only other thing you have to do is use form_open to open your forms. CI will then add a hidden input field with the current CSRF token name and value.
You can read about form_open in the form_helper docs.
https://www.codeigniter.com/user_guide/h...#form_open

Example:
PHP Code:
<?php echo form_open('blog/add_post'); ?>
...
your input fields
...
<?php echo form_close(); ?>

form_close just puts in </form>, but I still use it because it stops my editor from going crazy thinking I am closing an unopened tag.

For more details, as pointed out by Martin7483, the docs are quite thorough.

Paul.
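To make Paul's point concrete, here is an added illustration (not CodeIgniter's own code, and not from either poster) of the double-submit check the CI3 Security library performs before any controller method runs: form_open() emits a hidden field holding the token, a cookie carries the same value, and a non-GET request is rejected unless the two match. The config key names are CI3's (csrf_token_name, csrf_cookie_name); the default values assumed below are taken from a stock config.php and are labelled as assumptions.

```php
<?php
// Illustrative model of the CI3 CSRF flow, written for this thread.
// Assumed defaults of $config['csrf_token_name'] / $config['csrf_cookie_name'].
const CSRF_TOKEN_NAME  = 'csrf_test_name';
const CSRF_COOKIE_NAME = 'csrf_cookie_name';

// A fresh random token, issued as a cookie on GET and echoed into the form.
function csrf_new_token(): string {
    return bin2hex(random_bytes(16));
}

// What form_open() adds to the markup: a hidden input carrying the token.
function csrf_hidden_field(string $token): string {
    return '<input type="hidden" name="' . CSRF_TOKEN_NAME . '" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// The check applied to every non-GET request: the POSTed field must equal the
// cookie value, compared in constant time. A missing field or mismatch is a 403.
function csrf_request_is_valid(string $method, array $post, array $cookie): bool {
    if (strtoupper($method) === 'GET') {
        return true; // nothing to verify; the framework (re)issues the cookie here
    }
    if (!isset($post[CSRF_TOKEN_NAME], $cookie[CSRF_COOKIE_NAME])
        || !is_string($post[CSRF_TOKEN_NAME]) || !is_string($cookie[CSRF_COOKIE_NAME])) {
        return false;
    }
    return hash_equals($cookie[CSRF_COOKIE_NAME], $post[CSRF_TOKEN_NAME]);
}

// Constructed sample requests.
$token = csrf_new_token();
echo csrf_hidden_field($token), PHP_EOL;

// Same-origin form submitted by the user: field and cookie agree.
$legit  = csrf_request_is_valid('POST', [CSRF_TOKEN_NAME => $token], [CSRF_COOKIE_NAME => $token]);
// Request from another site: the browser sends the cookie, but the page that
// built the form could not read it, so the hidden field is absent.
$forged = csrf_request_is_valid('POST', ['title' => 'x'], [CSRF_COOKIE_NAME => $token]);

echo 'own form:   ', $legit  ? 'accepted' : 'rejected (403)', PHP_EOL;
echo 'cross-site: ', $forged ? 'accepted' : 'rejected (403)', PHP_EOL;
```

Because this comparison happens in the Security library during bootstrap, a controller that receives a POST has already passed it, which is why no per-controller check is needed.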