I did this on CI 2 before. You basically have to extend the Security library and provide a list of controllers for it not to check CSRF for. This means that you'll need to be extremely careful about all the methods available, yada, yada...
Code:
class MY_Security extends CI_Security
{
/**
* @var array Controllers to ignore during the CSRF cycle.
*
* If part of a module, the controller should be listed as:
* {module}/{controller}
*/
protected $ignored_controllers = array();
/**
* The constructor
*
* @return void
*/
public function __construct()
{
parent::__construct();
$this->ignored_controllers = config_item('csrf_ignored_controllers');
}
/**
* Show CSRF Error
*
* Override the csrf_show_error method to improve the error message
*
* @return void
*/
public function csrf_show_error()
{
show_error('The action you have requested is not allowed. You either do not have access, or your login session has expired and you need to sign in again.');
}
/**
* Verify Cross Site Request Forgery Protection
*
* Override the csrf_verify method to allow us to set controllers and
* modules to override.
*
* @return object Returns $this to allow method chaining
*/
public function csrf_verify()
{
if ( ! empty($this->ignored_controllers)) {
global $RTR;
$module = $RTR->fetch_module();
$controller = $RTR->fetch_class();
$path = empty($module) ? $controller : "{$module}/{$controller}";
if (in_array($path, $this->ignored_controllers)) {
return $this;
}
}
return parent::csrf_verify();
}
}
That's older code, too, that won't work on newer versions of PHP since it's using the $RTR global, so you'll need to rework that a bit but it should give you an idea to get you started with.