CSRF only on POST request, reason?
#7

(03-06-2015, 09:36 AM)mwhitney Wrote: You can do this by creating an application/core/MY_Security class which extends CI_Security. The simplest solution would be to override just the csrf_show_error() method, which would probably also be fairly easy to maintain in the long term (currently, in both CI 2 and 3, the method just calls show_error() with the message 'The action you have requested is not allowed.', though CI3 adds the 403 error code).

In theory, a quick read of the csrf_verify method indicates that it attempts to perform cookie-based CSRF verification for requests which are not POST requests.

You are so right, I completely forgot that I can just extend the CI_Security class... thank you.

The CSRF token is stored in a cookie; however, CI only validates that cookie against POST requests. If the request is anything but POST, it just generates a new CSRF cookie.

CI_Class -> csrf_verify() line 208
PHP Code:
// If it's not a POST request we will set the CSRF cookie
if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')
{
	return $this->csrf_set_cookie();
}
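An added example (not from this thread and not CodeIgniter's own code) of the application/core/MY_Security override mwhitney describes, written so that the cookie token is also verified for PUT, PATCH and DELETE instead of only POST. The X-CSRF-TOKEN header name and the url-encoded body fallback are this example's own assumptions; POST keeps the stock behaviour by delegating to the parent.

```php
<?php
// application/core/MY_Security.php
// Added example, not part of the original post or of CodeIgniter itself.
// Extends CI_Security so the CSRF cookie is also checked for the other
// state-changing HTTP methods, which the stock csrf_verify() skips.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Security extends CI_Security
{
    // Header name is an assumption of this example: XHR clients sending
    // PUT/PATCH/DELETE copy the CSRF cookie value into it.
    const CSRF_HEADER = 'HTTP_X_CSRF_TOKEN';

    // Methods that can change server state and therefore need a token check.
    protected $csrf_state_changing = array('POST', 'PUT', 'PATCH', 'DELETE');

    public function csrf_verify()
    {
        $method = strtoupper($_SERVER['REQUEST_METHOD']);

        // POST keeps the stock behaviour (token read from the POST body).
        if ($method === 'POST') {
            return parent::csrf_verify();
        }

        // Safe methods: just (re)issue the cookie, exactly as the stock code does.
        if ( ! in_array($method, $this->csrf_state_changing, TRUE)) {
            return $this->csrf_set_cookie();
        }

        // PUT/PATCH/DELETE: token comes from the header, or from a
        // url-encoded request body as a fallback (assumption of this example).
        $sent = isset($_SERVER[self::CSRF_HEADER]) ? $_SERVER[self::CSRF_HEADER] : NULL;
        if ($sent === NULL) {
            $body = array();
            parse_str(file_get_contents('php://input'), $body);
            if (isset($body[$this->_csrf_token_name])) {
                $sent = $body[$this->_csrf_token_name];
            }
        }
        $cookie = isset($_COOKIE[$this->_csrf_cookie_name]) ? $_COOKIE[$this->_csrf_cookie_name] : NULL;

        // hash_equals() (PHP >= 5.6) keeps the comparison constant-time.
        if ( ! is_string($sent) OR ! is_string($cookie) OR ! hash_equals($cookie, $sent)) {
            $this->csrf_show_error();
        }

        log_message('debug', 'CSRF token verified for '.$method);
        return $this->csrf_set_cookie();
    }
}
```

Note that the csrf_exclude_uris config is only honoured on the POST path (inside the parent), so any excluded URIs would need the same handling added for the other methods.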




