CodeIgniter Forums
Set the CSRF cookie only when needed (e.g. when a form has been created) - Printable Version




Set the CSRF cookie only when needed (e.g. when a form has been created) - Kel - 07-31-2018

Hello everyone,

I would like to set as few cookies as possible. Preferably none at all. But I also want to enable CSRF protection.

My idea: I don't want to set the CSRF cookie until a form (with the hidden CSRF token) is created. This allows me to hide all forms behind a "cookies are allowed" check.

What I want to do: a user comes to the website and must agree to cookies in the (famous...) cookie notice. This sets a "cookies-are-authorized-cookie". Now he can go to the login form where the CSRF cookie is only set if the "cookies-are-authorized-cookie" has been found... Otherwise he will be redirected to an information page WITHOUT the CSRF cookie (or any other cookie) being set.

Can you please help me to install such a check? I think this might be interesting for other users.

Many thanks and many greetings
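
One way to implement the check described in this post, as an added example that is not part of the original thread or CodeIgniter's own code. It assumes CodeIgniter 3 with `$config['csrf_protection'] = TRUE` and the default `MY_` subclass prefix; the consent cookie name `cookies_authorized`, its value `1`, and the helper `has_cookie_consent()` are hypothetical.

```php
<?php
// application/core/MY_Security.php (added example, assumes CodeIgniter 3)
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Security extends CI_Security
{
    // Hypothetical name of the cookie written by the cookie notice.
    const CONSENT_COOKIE = 'cookies_authorized';

    /**
     * TRUE when the visitor has accepted cookies.
     * The value is client-controlled: it only decides whether we may
     * set cookies, it is not a security control in itself.
     */
    public function has_cookie_consent()
    {
        return isset($_COOKIE[self::CONSENT_COOKIE])
            && $_COOKIE[self::CONSENT_COOKIE] === '1';
    }

    /**
     * CI_Security::csrf_verify() calls this on every non-POST request
     * and again after a successful POST check. Skipping it means no
     * CSRF cookie is ever sent to a visitor without consent.
     */
    public function csrf_set_cookie()
    {
        if ( ! $this->has_cookie_consent())
        {
            // No cookie sent. A POST from this visitor still fails
            // csrf_verify(), because the CSRF cookie is missing, so
            // protection is not weakened for forms.
            return $this;
        }

        return parent::csrf_set_cookie();
    }
}

// In a controller that renders a form (hypothetical route name),
// send visitors without consent to the information page first:
//
//   if ( ! $this->security->has_cookie_consent())
//   {
//       redirect('cookie-info');   // requires the URL helper
//   }
```

Once the visitor accepts the notice, the next GET request sets the CSRF cookie as usual, so the login form receives a matching hidden token and cookie.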


RE: Set the CSRF cookie only when needed (e.g. when a form has been created) - php_rocs - 08-01-2018

@Kel,

Did you take a look at the CI documentation ( https://codeigniter.com/user_guide/libraries/security.html#cross-site-request-forgery-csrf )?