CodeIgniter Forums
CSRF only in one page - Printable Version

CSRF only in one page - nneves - 09-08-2021

Hi

What's the best approach to use CSRF only in one page without using the Filter?

I need to remove all cookies for cache purposes.

Thanks


RE: CSRF only in one page - manager - 09-08-2021

(09-08-2021, 07:56 PM)nneves Wrote: Hi

What's the best approach to use CSRF only in one page without using the Filter?

I need to remove all cookies for cache purposes.

Thanks

You can add CSRF fields in the view of that page and then check it manually in the controller.
But filters are convenient. If you want CSRF just in one page, you can use the filters array inside the app/config/filters.php config file.
PHP Code:
'csrf' => ['before' => ['myspecialpage/index']] 

So this will apply only in one page.


RE: CSRF only in one page - nneves - 09-09-2021

(09-08-2021, 09:46 PM)manager Wrote:
(09-08-2021, 07:56 PM)nneves Wrote: Hi

What's the best approach to use CSRF only in one page without using the Filter?

I need to remove all cookies for cache purposes.

Thanks

You can add CSRF fields in the view of that page and then check it manually in the controller.
But filters are convenient. If you want CSRF just in one page, you can use the filters array inside the app/config/filters.php config file.
PHP Code:
'csrf' => ['before' => ['myspecialpage/index']] 

So this will apply only in one page.

Hi

Doing it this way, I have the csrf_cookie on all pages, and that's something I need to avoid.

I can get the field value from $this->request->getGetPost(csrf_token()) but how do I get the hash?
I have security.regenerate = false but when I receive the post data, csrf_hash() has a new value!

Thanks


RE: CSRF only in one page - manager - 09-09-2021

Try this code:
PHP Code:
// Get the shared Security service instance
$security = \Config\Services::security();
// Run the CSRF check against the current request
$result = $security->verify($this->request);


If $result is false, CSRF did not pass.
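
Added example, not part of the original thread and not CodeIgniter's own code: a manual CSRF check inside the controller for the one protected page, making the same verify() call the built-in CSRF filter makes. In CodeIgniter 4, Security::verify() throws a SecurityException when the submitted token does not match, so the failure path is a catch block. The controller name, view path and 403 response are assumptions chosen to match the 'myspecialpage/index' route above.

```php
<?php

namespace App\Controllers;

use CodeIgniter\Security\Exceptions\SecurityException;
use Config\Services;

// Hypothetical controller for the single page that needs CSRF protection.
// The global 'csrf' filter is assumed to be disabled in the filters config.
class MySpecialPage extends BaseController
{
    public function index()
    {
        $security = Services::security();

        try {
            // Called on every request to this page, as the CSRF filter does.
            // On a form submission the posted token is compared with the
            // stored hash; a mismatch raises SecurityException.
            $security->verify($this->request);
        } catch (SecurityException $e) {
            // Reject the request and record the failure for later review.
            log_message('warning', 'CSRF check failed: ' . $e->getMessage());

            return $this->response
                ->setStatusCode(403)
                ->setBody('Invalid or missing CSRF token.');
        }

        // getMethod() casing differs between framework versions, so normalise.
        if (strtolower($this->request->getMethod()) === 'post') {
            // The token was accepted; handle the submitted form here.
            return $this->response->setBody('Form accepted.');
        }

        // The view (assumed path) must emit the hidden token field inside
        // its <form>, for example with: <?= csrf_field() ?>
        return view('myspecialpage/index');
    }
}
```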