CSRF only on POST request, reason?

CSRF only on POST request, reason?

Narf
Me
Posts: 1,589
Threads: 1
Joined: Oct 2014
Reputation: 121

03-06-2015, 01:14 PM

In all honesty, CI is just not built for creating RESTful APIs ...

CSRF tokens are verified only on POST requests, because that's what almost all web forms submit, $_POST is easy to access and within a browser, you typically need to issue a GET request, so that you can submit the form in the first place (hence why != 'POST' actually assumes GET).

Messages In This Thread

CSRF only on POST request, reason? - by silentium - 03-05-2015, 07:22 PM

RE: CSRF only on POST request, reason? - by Nichiren - 03-05-2015, 09:36 PM

RE: CSRF only on POST request, reason? - by Avenirer - 03-06-2015, 03:25 AM

RE: CSRF only on POST request, reason? - by james - 03-06-2015, 06:51 AM

RE: CSRF only on POST request, reason? - by mwhitney - 03-06-2015, 09:36 AM

RE: CSRF only on POST request, reason? - by silentium - 03-06-2015, 10:50 AM

RE: CSRF only on POST request, reason? - by mwhitney - 03-06-2015, 11:32 AM

RE: CSRF only on POST request, reason? - by CroNiX - 03-06-2015, 09:43 AM

RE: CSRF only on POST request, reason? - by Narf - 03-06-2015, 01:14 PM

RE: CSRF only on POST request, reason? - by silentium - 03-10-2015, 11:52 AM