Is it necessary to check CSRF token in controller

#1
Hi,

Is it necessary to check CSRF token in controller??
I have done csrf_protection = TRUE in config file.

#2
Straight from the source

Quote: CSRF protection

CSRF stands for Cross-Site Request Forgery, which is the process of an attacker tricking their victim into unknowingly submitting a request.

CodeIgniter provides CSRF protection out of the box, which will get automatically triggered for every non-GET HTTP request, but also needs you to create your submit forms in a certain way. This is explained in the Security Library documentation.

#3
(04-05-2017, 03:30 AM)Anil Wrote: Is it necessary to check CSRF token in controller??
No, this happens automatically whenever post data is encountered.

(04-05-2017, 03:30 AM)Anil Wrote: I have done csrf_protection = TRUE in config file.
The only other thing you have to do is use form_open to open your forms. CI will then add a hidden input field with the current CSRF token name and value.
You can read about form_open in the form_helper docs.
https://www.codeigniter.com/user_guide/h...#form_open

Example:
PHP Code:
<?php echo form_open('blog/add_post'); ?>
...
your input fields
...
<?php echo form_close(); ?>

The form_close just puts in </form> but I use it still as it stops my editor from going crazy thinking I am closing an unopened tag.

For more details, as pointed out by Martin7483, the docs are quite thorough.

Paul.
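The case the replies above leave open, a form written by hand instead of with form_open, shown as an added example that is not part of any post in this thread and is not CodeIgniter's own code. It assumes CodeIgniter 3 and its Security library methods get_csrf_token_name() and get_csrf_hash(); the controller, view and field names are hypothetical.

```php
<?php
// application/config/config.php (excerpt): the setting from post #1.
$config['csrf_protection'] = TRUE;

// application/controllers/Blog.php (hypothetical controller).
// There is no manual token comparison here: with csrf_protection enabled
// the token is checked automatically, as the replies above say, before
// add_post() handles the submitted data.
class Blog extends CI_Controller
{
    public function add_post()
    {
        $this->load->helper('url'); // provides site_url() for the view

        if ($this->input->method() === 'post') {
            $title = $this->input->post('title');
            // ... validate and store $title ...
        }

        // Hand the current token name and value to the hand-written form.
        $this->load->view('blog/add_post', array(
            'csrf_name' => $this->security->get_csrf_token_name(),
            'csrf_hash' => $this->security->get_csrf_hash(),
        ));
    }
}
?>

<!-- application/views/blog/add_post.php (hypothetical view) -->
<!-- A plain <form> tag gets no token field automatically, so the hidden -->
<!-- input that form_open() would have added is written out by hand. -->
<form method="post" action="<?php echo site_url('blog/add_post'); ?>">
    <input type="hidden"
           name="<?php echo html_escape($csrf_name); ?>"
           value="<?php echo html_escape($csrf_hash); ?>">
    <input type="text" name="title">
    <button type="submit">Save</button>
</form>
```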

