[eluser]jmb727[/eluser]
I'm hoping to take advantage of the CSRF protection offered by the Security class in CI.
The site I'm working on will have a backend and a frontend; both of these are individual CI applications sharing one system directory, which will be outside the public_html directory.
Anyway, I'm getting off track here. I want to use the built-in CSRF protection in both the backend and the frontend, so I've set the application config files like so:
backend application config
Code:
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_admin_token';
$config['csrf_cookie_name'] = 'csrf_admin_cookie';
$config['csrf_expire'] = 7200;
frontend application config
Code:
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_cookie';
$config['csrf_expire'] = 7200;
Only the csrf_token_name and csrf_cookie_name values don't appear to have any value or weight in the script whatsoever. When I opened a form using form_open in both the frontend and the backend, it generated the hidden field with the name set to ci_csrf_token:
Code:
<input type="hidden" name="ci_csrf_token" value="b11d0ec075ecacba3e358471fbb0111a" />
I opened the security class to find that the name 'ci_csrf_token' is the default value for the token name and is assigned in the variable declaration at the beginning of the class:
Code:
class CI_Security {
    protected $_xss_hash = '';
    protected $_csrf_hash = '';
    protected $_csrf_expire = 7200; // Two hours (in seconds)
    protected $_csrf_token_name = 'ci_csrf_token';
    protected $_csrf_cookie_name = 'ci_csrf_token';
    // ... rest of the class
}
I thought that the config item values might have replaced the default values in the class constructor, but they don't.
Does this mean I have to modify the security class to set the config item values to the class variables myself, or am I missing something?
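One way to apply the config items without editing the core Security class is CodeIgniter's usual library-extension mechanism: a MY_Security class in application/libraries that copies the csrf_* config values into the protected properties shown above. This is an added example, not code from the post or from the CodeIgniter project; it assumes the file path application/libraries/MY_Security.php, that config_item() is available (it is a core CI function), and that the app's config.php is loaded before the Security class is constructed. Giving the backend and frontend distinct cookie names matters because both apps share one host, so a single cookie name would let one app's token cookie overwrite the other's.

```php
<?php
// application/libraries/MY_Security.php  (hypothetical path; added example, not from the post)
// Extends CI_Security and applies the csrf_* config items to the protected
// properties that the core class otherwise leaves at their defaults.
class MY_Security extends CI_Security {

    public function __construct()
    {
        // Map config keys onto the protected properties declared in CI_Security.
        // These are set BEFORE calling the parent constructor so that any hash or
        // cookie initialisation the parent performs already uses the configured
        // names instead of the default 'ci_csrf_token'.
        // Assumption: config_item() returns FALSE for an unset key.
        foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
        {
            $val = config_item($key);
            if ($val !== FALSE && $val !== '')
            {
                $this->{'_' . $key} = $val;
            }
        }

        parent::__construct();
    }

    // Small helper so a controller can confirm which names are in effect,
    // e.g. when checking that backend and frontend no longer collide.
    public function csrf_names()
    {
        return array(
            'token_name'  => $this->_csrf_token_name,
            'cookie_name' => $this->_csrf_cookie_name,
            'expire'      => $this->_csrf_expire,
        );
    }
}
```

After adding the file, a form rendered with form_open in the backend should emit a hidden field named csrf_admin_token and the frontend one named csrf_token; csrf_names() lets you verify this from a controller rather than by inspecting the HTML.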