CSRF and Browser Cookie Settings
#15

(11-19-2017, 02:43 PM)skunkbad Wrote: 1) When you use the form_open function or generate a new token using $this->tokens->token(), the token is automatically added to the tokens cookie. See the "Tokens Cookie Config" section on this page:

https://community-auth.com/documentation...cation-php

By default the name of your POSTed token should be "token", but you can change it to whatever you want if you find the value in config/authentication.php:

PHP Code:
$config['token_name'] = 'token';

When you POST via a form or ajax, the token needs to be posted right along with the rest of the post data. The tokens library checks to see if the posted token matches one in the cookie. This is a lot like the way CodeIgniter's CSRF does it, except CodeIgniter only has a single token value. There are other differences between CodeIgniter's CSRF and my tokens library, but for basic usage you will find that they are more or less working the same way.

Skunkbad,

The new tokens are working OK except for the Community Auth login. I notice the form has a token called "login_token". I could not figure out where to change this, so I modified my login form to include the additional hidden field with my token name and the generated value. I see both hidden token fields but I still cannot log in. I do not receive any error messages either and there are no errors in the log. Where can I change the Community Auth login form token name to use the CI token name in config?
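
As an added illustration (not part of the thread and not Community Auth's code), here is a minimal PHP 8 sketch of the check described in the quoted reply: several tokens held in one cookie, with the posted field compared against each of them. The class and method names, the "|" separator and the pool cap are assumptions made for the example.

```php
<?php
// Hypothetical sketch of a cookie-backed token pool; TokenPool, issue() and
// verify() are illustrative names, not the library's API.
final class TokenPool
{
    /** @var string[] tokens carried in the (simulated) tokens cookie */
    private array $tokens;

    public function __construct(string $cookieValue = '', private int $max = 5)
    {
        $this->tokens = $cookieValue === '' ? [] : explode('|', $cookieValue);
    }

    // Create a token for a form's hidden field and remember it in the pool.
    public function issue(): string
    {
        $token = bin2hex(random_bytes(16));
        $this->tokens[] = $token;
        $this->tokens = array_slice($this->tokens, -$this->max); // assumed cap
        return $token;
    }

    // Serialized pool, as it would be written back to the cookie.
    public function cookieValue(): string
    {
        return implode('|', $this->tokens);
    }

    // Read the token only from $fieldName and compare it, in constant time,
    // with every token in the pool. A token posted under any other field
    // name is never looked at.
    public function verify(array $post, string $fieldName): bool
    {
        $posted = $post[$fieldName] ?? null;
        if (!is_string($posted) || $posted === '') {
            return false;
        }
        $match = false;
        foreach ($this->tokens as $known) {
            $match = hash_equals($known, $posted) || $match;
        }
        return $match;
    }
}

// Constructed walk-through: two forms rendered, then a later request.
$pool = new TokenPool();
$first = $pool->issue();
$second = $pool->issue();
$pool = new TokenPool($pool->cookieValue()); // pool rebuilt from the cookie
var_dump($pool->verify(['token' => $first], 'token'));        // older token, checked field
var_dump($pool->verify(['token' => $second], 'login_token')); // valid token, other field name
```

The second call shows that the field name the checker reads matters as much as the token value: a valid token posted under a name the checker does not read is simply not seen.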