CSRF only on POST request, reason?
#10

(03-06-2015, 01:14 PM) Narf Wrote: In all honesty, CI is just not built for creating RESTful APIs ...

CSRF tokens are verified only on POST requests, because that's what almost all web forms submit, $_POST is easy to access, and within a browser you typically need to issue a GET request so that you can submit the form in the first place (hence why != 'POST' actually assumes GET).

Understandable. However, is it in the interest of CI to change/update this for the future? I'm not talking about CI3, but maybe CI4?
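The check discussed in this thread runs only for POST. As an added example (not part of the thread and not CodeIgniter's code), this plain-PHP check exempts only the safe methods and verifies the token on every other method, so PUT, PATCH and DELETE calls to a REST-style endpoint are covered as well. The function names, the `csrf_token` field and the `X-CSRF-Token` header are assumptions made for the example.

```php
<?php
// Added example: plain PHP, not CodeIgniter code. All names are hypothetical.

// Methods that must not change state (the HTTP "safe" methods).
const CSRF_SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

// Decide whether a request passes the CSRF check.
// $sessionToken is stored server-side; $requestToken came from the client.
function csrf_request_allowed(string $method, ?string $sessionToken, ?string $requestToken): bool
{
    // Allowlist the safe methods; everything else (POST, PUT, PATCH,
    // DELETE, unknown verbs) is treated as state-changing.
    if (in_array(strtoupper($method), CSRF_SAFE_METHODS, true)) {
        return true;
    }
    // A missing or empty token on either side fails closed.
    if ($sessionToken === null || $sessionToken === '' ||
        $requestToken === null || $requestToken === '') {
        return false;
    }
    // Constant-time comparison of the two tokens.
    return hash_equals($sessionToken, $requestToken);
}

// Read the client token from the form body first, then from a request header.
function csrf_token_from_request(array $post, array $server): ?string
{
    // 'csrf_token' and X-CSRF-Token are assumed names for this example.
    $token = $post['csrf_token'] ?? $server['HTTP_X_CSRF_TOKEN'] ?? null;
    return is_string($token) ? $token : null;
}

// Constructed sample requests: [method, form fields, server variables].
$session = bin2hex(random_bytes(16));
$cases = [
    ['GET',    [], []],
    ['POST',   ['csrf_token' => $session], []],
    ['POST',   [], []],
    ['DELETE', [], ['HTTP_X_CSRF_TOKEN' => $session]],
    ['PUT',    [], ['HTTP_X_CSRF_TOKEN' => 'wrong']],
];
foreach ($cases as [$method, $post, $server]) {
    $sent = csrf_token_from_request($post, $server);
    $ok = csrf_request_allowed($method, $session, $sent);
    printf("%-6s %s\n", $method, $ok ? 'allowed' : 'rejected');
}
```

Exempting GET is only safe when GET handlers never change state, which is the same assumption the POST-only check already makes.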

