CodeIgniter Forums
How to disable CSRF temporaly for callback controllers ? - Printable Version



How to disable CSRF temporaly for callback controllers ? - El Forum - 03-03-2011

[eluser]Ricardo Martins[/eluser]
I have a controller method which will receive periodic POSTs from a third-party web service.
So, I need to disable CSRF only on this method. How do I do that?

I tried to make a hook, but I would need to put it into pre_system, and I also can't disable it there because CI_Controller is not initialized at that point.
For now, I just put
Code:
if(strpos($_SERVER["REQUEST_URI"],'carrinho/retorno_checkout') !== FALSE)
    return;
with a hammer into the Security.php class (csrf_verify). =/

Thanks


How to disable CSRF temporaly for callback controllers ? - El Forum - 03-04-2011

[eluser]Ricardo Martins[/eluser]
Anyone please?


How to disable CSRF temporaly for callback controllers ? - El Forum - 03-09-2011

[eluser]CappY[/eluser]
I just did it by adding this to config.php:

Code:
if(stripos($_SERVER["REQUEST_URI"],'/controller') === FALSE)
{
    $config['csrf_protection'] = TRUE;
}
else
{
    $config['csrf_protection'] = FALSE;
}

I don't know how reliable it is, but it works for me.
And it's done with NO core hacking.


How to disable CSRF temporaly for callback controllers ? - El Forum - 03-09-2011

[eluser]Ricardo Martins[/eluser]
Hi Cappy,
That's good. It's sad to think that CI doesn't have a way to do it natively.

But I'm sure your way is much better than mine.

Thanks for helping me. =]


How to disable CSRF temporaly for callback controllers ? - El Forum - 03-09-2011

[eluser]InsiteFX[/eluser]
Code:
$this->config->set_item('csrf_protection', FALSE);
$this->config->set_item('csrf_protection', TRUE);

InsiteFX


How to disable CSRF temporaly for callback controllers ? - El Forum - 03-09-2011

[eluser]CappY[/eluser]
[quote author="InsiteFX" date="1299715566"]
Code:
$this->config->set_item('csrf_protection', FALSE);
$this->config->set_item('csrf_protection', TRUE);

InsiteFX[/quote]
That won't work. The Input class is initialized before the Controller is loaded.


How to disable CSRF temporaly for callback controllers ? - El Forum - 03-09-2011

[eluser]InsiteFX[/eluser]
You could try this also: I tested it and it does change the variable in the Input Class.
Code:
$this->input->_enable_csrf = FALSE;
$this->input->_enable_csrf = TRUE;

If this will not work then the input Class would need to be extended!

InsiteFX


How to disable CSRF temporaly for callback controllers ? - El Forum - 03-17-2011

[eluser]oskarols[/eluser]
[quote author="InsiteFX" date="1299755786"]You could try this also: I tested it and it does change the variable in the Input Class.
Code:
$this->input->_enable_csrf = FALSE;
$this->input->_enable_csrf = TRUE;

If this will not work then the input Class would need to be extended!

InsiteFX[/quote]

That won't work either, since the CSRF-check is executed in the constructor of the Input class.

I went with doing a pre-system hook to solve this:

Code:
function disable_if_callback()
{    
    if(stripos($_SERVER["REQUEST_URI"],'/mypage') !== FALSE)
    {
        $CFG =& load_class('Config', 'core');
        $CFG->set_item('csrf_protection', FALSE);
    }
}
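
An added example, not code from any poster in this thread or from CodeIgniter itself: the pre-system hook above with the substring test on REQUEST_URI replaced by an exact comparison of the request path, because REQUEST_URI includes the query string and a substring match also switches CSRF protection off for other routes that merely contain the callback path. The function names, the file name and the exempt list are assumptions; the path is the one from the first post.

```php
<?php
// Added example. Assumed location: application/hooks/csrf_callback.php
// Register in application/config/hooks.php (with $config['enable_hooks'] = TRUE):
//   $hook['pre_system'] = array('class' => '', 'function' => 'disable_csrf_for_callbacks',
//       'filename' => 'csrf_callback.php', 'filepath' => 'hooks');

/**
 * TRUE only for a POST whose path (query string removed) is exactly one of
 * the exempt callback paths. Anything else keeps CSRF protection on.
 */
function csrf_exempt_request($request_uri, $method, array $exempt_paths)
{
    if (strtoupper($method) !== 'POST') {
        return FALSE;
    }
    // Drop the query string so it can never influence the decision.
    $parts = explode('?', $request_uri, 2);
    // Treat "/a/b/" and "/a/b" as the same route; no other normalisation.
    $path = rtrim($parts[0], '/');
    return in_array($path, $exempt_paths, TRUE);
}

/** pre_system hook: runs before the Input class performs the CSRF check. */
function disable_csrf_for_callbacks()
{
    // Assumption: list each callback path exactly as the server receives it
    // (include an "/index.php" prefix if your URLs carry one).
    $exempt_paths = array('/carrinho/retorno_checkout');
    $uri    = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
    if (csrf_exempt_request($uri, $method, $exempt_paths)) {
        $CFG =& load_class('Config', 'core');
        $CFG->set_item('csrf_protection', FALSE);
    }
}

// Stand-alone check outside CodeIgniter (BASEPATH undefined), constructed requests.
if (PHP_SAPI === 'cli' && !defined('BASEPATH')) {
    $exempt = array('/carrinho/retorno_checkout');
    $cases = array(
        array('/carrinho/retorno_checkout', 'POST'),        // the callback itself
        array('/carrinho/retorno_checkout?ref=1', 'POST'),  // callback with a query string
        array('/conta/senha?next=/carrinho/retorno_checkout', 'POST'), // other route
        array('/carrinho/retorno_checkout', 'GET'),         // wrong method
    );
    foreach ($cases as $c) {
        $exempt_now = csrf_exempt_request($c[0], $c[1], $exempt) ? 'yes' : 'no';
        printf("%-48s %-4s exempt=%s\n", $c[0], $c[1], $exempt_now);
    }
}
```

Run with `php csrf_callback.php` to see which of the constructed requests would have CSRF protection switched off; only the first two should.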



How to disable CSRF temporaly for callback controllers ? - El Forum - 03-21-2011

[eluser]Eric Cope[/eluser]
Is there a reason the csrf work wasn't done within the form_validation class?


How to disable CSRF temporaly for callback controllers ? - El Forum - 03-29-2011

[eluser]Ricardo Martins[/eluser]
Yes. Maybe because they wanted to make it more secure. If you forget to load the form_validation class, your app wouldn't validate CSRF.

Thank you 'oskarols'. I've implemented the hook and it works perfectly and better.
I tried to make a hook, but didn't try it with the load_class() function.


Thanks a lot.