form submit with csrf not working
#3

(11-17-2021, 02:59 AM)captain-sensible Wrote: I've got a web dev local and live. On local I like to hit it and see if it shakes. I ran ZAP against it and it did bring up one or two issues.

I wanted to see if a CSRF was being properly sent to a controller.

In my base controller I have:
Code:
public function __construct()
{
    helper(['text', 'date', 'uri', 'html', 'form', 'security', 'number']);
    ..................


As far as I can see, when my controller, e.g. the Sendmail controller:
Code:
class Sendmail extends BaseController
{

it seems I don't then have to keep declaring helpers in my controller classes.


This is how I tested it:

In the view:
<?= form_open('contact') ?>

<?= csrf_field() ?>
// Here I manually put in the CSRF to be generated, but I've read that if you use the appropriate helper and the appropriate form open, e.g. <?= form_open('contact') ?>, you don't even need to put in the <?= csrf_field() ?>. I'm of course a control freak so I like to do things my way.
Now in the bit <?= form_open('contact') ?>, 'contact' is in fact a named route; so I am using POST to a ROUTE which passes on to a controller class called Sendmail.

   
        in my controller

$someVAr= $this->request->getVar(csrf_token());
        echo some var


      So when i posted form on local , entered text  i entered into form text boxes was retrieved  and I DID SEE a csrf token being echo'd out. Is that what you want to do , check token is produced and recevied ?

Well, all I want is to just have my login information sent with the CSRF. And since I am not using AJAX and the page will refresh after submit, display an error or not, the token will be regenerated automatically. Unfortunately I am not seeing any feedback unless the form action route is excluded from CSRF protection, which I don't want to do. By the way, why are you using getVar if it's a POST request... what if I used post and returned the error message with the token?
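The flow discussed in this thread (a POST form protected by the CSRF filter, with feedback shown after the page reloads), written out as an added example that is not code from either poster. It assumes a CodeIgniter 4 release that ships Config\Security, the 'csrf' filter enabled globally, and the routes shown in the comments; the method names index() and send() and the 'email' field are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumptions: CodeIgniter 4 with
// 'csrf' listed in $globals['before'] in app/Config/Filters.php, and routes
//   $routes->get('contact', 'Sendmail::index');
//   $routes->post('contact', 'Sendmail::send');
// The method names index() and send() and the 'email' field are hypothetical.

namespace App\Controllers;

class Sendmail extends BaseController
{
    // GET contact: render the form plus any message flashed by the last request.
    public function index()
    {
        helper('form');

        // Set either by send() below or by the CSRF filter, which (when
        // Config\Security::$redirect is true and the request is not AJAX)
        // redirects back with the rejection message flashed under 'error'.
        $error = session()->getFlashdata('error');

        $html  = $error ? '<p class="error">' . esc($error) . '</p>' : '';
        // With the csrf filter active, form_open() emits the hidden token
        // field for POST forms to this site, so no csrf_field() call is needed.
        $html .= form_open('contact');
        $html .= form_input('email');
        $html .= form_submit('send', 'Send');
        $html .= form_close();

        return $html;
    }

    // POST contact: only reached after the filter has accepted the token.
    public function send()
    {
        // getPost() reads the POST body only; getVar() also consults other sources.
        $email = $this->request->getPost('email');

        if (! filter_var($email, FILTER_VALIDATE_EMAIL)) {
            // Redirect so the next GET renders the form with the current token.
            return redirect()->back()->with('error', 'Please enter a valid e-mail address.');
        }

        return 'Received: ' . esc($email);
    }
}
```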


Messages In This Thread
RE: form submit with csrf not working - by coderscvoen - 11-17-2021, 06:33 PM


