CSRF only on POST request, reason?

CSRF only on POST request, reason?

mwhitney
Posting Freak
Posts: 1,101
Threads: 4
Joined: Nov 2014
Reputation: 95

03-06-2015, 11:32 AM

(03-06-2015, 10:50 AM)silentium Wrote: The CSRF is stored in a cookie, however, CI only validate that cookie against POST requests. If the request is anything but POST, it just generate a new CSRF cookie.

CI_Class -> csrf_verify() line 208

PHP Code:
// If it's not a POST request we will set the CSRF cookie if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') { return $this->csrf_set_cookie(); }

Oops, you're right. I was reading that too quickly and apparently missed the return part.

Bonfire

Practical CodeIgniter 3
CodeIgniter Testing Guide

Messages In This Thread

CSRF only on POST request, reason? - by silentium - 03-05-2015, 07:22 PM

RE: CSRF only on POST request, reason? - by Nichiren - 03-05-2015, 09:36 PM

RE: CSRF only on POST request, reason? - by Avenirer - 03-06-2015, 03:25 AM

RE: CSRF only on POST request, reason? - by james - 03-06-2015, 06:51 AM

RE: CSRF only on POST request, reason? - by mwhitney - 03-06-2015, 09:36 AM

RE: CSRF only on POST request, reason? - by silentium - 03-06-2015, 10:50 AM

RE: CSRF only on POST request, reason? - by mwhitney - 03-06-2015, 11:32 AM

RE: CSRF only on POST request, reason? - by CroNiX - 03-06-2015, 09:43 AM

RE: CSRF only on POST request, reason? - by Narf - 03-06-2015, 01:14 PM

RE: CSRF only on POST request, reason? - by silentium - 03-10-2015, 11:52 AM