Thread: Set the CSRF cookie only when needed (e.g. when a form has been created) (/showthread.php?tid=71324), CodeIgniter Forums (https://forum.codeigniter.com), General Help
Set the CSRF cookie only when needed (e.g. when a form has been created) - Kel - 07-31-2018

Hello everyone,

I would like to set as few cookies as possible. Preferably none at all. But I also want to enable CSRF protection.

My idea: I don't want to set the CSRF cookie until a form (with the hidden CSRF token) is created. This allows me to hide all forms behind a "cookies are allowed" check.

What I want to do: a user comes to the website and must agree to cookies in the (famous...) cookie notice. This sets a "cookies-are-authorized-cookie". Now he can go to the login form, where the CSRF cookie is only set if the "cookies-are-authorized-cookie" has been found... Otherwise he will be redirected to an information page WITHOUT the CSRF cookie (or any other cookie) being set.

Can you please help me to install such a check? I think this might be interesting for other users.

Many thanks and many greetings

RE: Set the CSRF cookie only when needed (e.g. when a form has been created) - php_rocs - 08-01-2018

@Kel,

Did you take a look at the CI documentation ( https://codeigniter.com/user_guide/libraries/security.html#cross-site-request-forgery-csrf )?
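
One way to implement the check asked for above, as an added example that is not part of the original thread and not CodeIgniter's own code. It assumes CodeIgniter 3 with `csrf_protection` enabled and the default `MY_` subclass prefix; the consent cookie name `cookies_authorized` and its value `1` are hypothetical.

```php
<?php
// application/core/MY_Security.php
// Added example (not CodeIgniter's own code). Assumes CodeIgniter 3,
// $config['csrf_protection'] = TRUE and $config['subclass_prefix'] = 'MY_'.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Security extends CI_Security
{
    // Hypothetical name and value of the cookie written by the cookie notice.
    const CONSENT_COOKIE = 'cookies_authorized';
    const CONSENT_VALUE  = '1';

    /**
     * TRUE when the visitor has accepted cookies.
     * The Security class is loaded before any controller exists, so
     * $_COOKIE is read directly instead of going through get_instance().
     * The consent cookie is only a preference flag, not a security control.
     */
    public function consent_given()
    {
        return isset($_COOKIE[self::CONSENT_COOKIE])
            && $_COOKIE[self::CONSENT_COOKIE] === self::CONSENT_VALUE;
    }

    /**
     * csrf_verify() calls this method to send the CSRF cookie.
     * Without consent, send nothing. A POST that arrives without the
     * CSRF cookie still fails the token comparison in csrf_verify(),
     * so the protection fails closed rather than being switched off.
     */
    public function csrf_set_cookie()
    {
        if ( ! $this->consent_given())
        {
            return $this;
        }

        return parent::csrf_set_cookie();
    }
}
```

A controller that renders a form can call `$this->security->consent_given()` first and redirect to the information page when it returns FALSE, so no form is shown without the cookie that its hidden token must match.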