Anyone else had a good look through the security lib in CI 2.0?
#1

[eluser]johnwbaxter[/eluser]
What's going on with the CSRF stuff then, hmm? Not documented, it looks for a mysterious config item that seems to be missing from the config.php file or any other config file for that matter, and it doesn't quite make sense to me.

Is it incomplete or am i missing something?
#2

[eluser]nelson.wells[/eluser]
It looks like the Input class was refactored to work differently. Just by looking, the Input class has been taken out of the standard libraries and brought into the core of CI. Also, it doesn't have the XSS cleaning code anymore; it just handles input, not security. There is a new class, Security, which now handles the XSS cleaning code, as well as new code to help prevent CSRF (http://en.wikipedia.org/wiki/Cross-site_request_forgery).

I haven't looked in depth, but I think that is what is going on.
#3

[eluser]pickupman[/eluser]
It looks like the config key would be
Code:
$config['csrf_protection'] = TRUE;
#4

[eluser]pickupman[/eluser]
I was just messing around with this to see what could be made from the libraries. This appears to do what is intended once the config value has been added.
Code:
//Controller
$this->security->csrf_set_cookie(); //Set csrf cookie for a user

//View
echo form_open('controller/method','',array('ci_csrf_token'=>$_COOKIE['ci_csrf_token'])); //Add token as a hidden field in the form

All forms are processed through the Input class when submitted, and it will check the $_POST array and $_COOKIE array to make sure the token matches and is not expired. Hopefully when this is done, it will be slightly cleaner, like checking the $config key and, if set, automatically adding the token to a form as a hidden field when using form_open().
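The cookie-plus-hidden-field check pickupman describes, written out as a standalone PHP example added here (it is not CodeIgniter's own Security or Input code). The token format, the two-hour lifetime and the function names are assumptions, and random_bytes() needs PHP 7 or later.

```php
<?php
// Added example: double-submit CSRF token (cookie + hidden field, compared on
// submit, with an expiry). Standalone; names and token layout are assumptions.

const CSRF_COOKIE = 'ci_csrf_token';   // cookie name used in the thread
const CSRF_FIELD  = 'ci_csrf_token';   // hidden form field name
const CSRF_TTL    = 7200;              // assumed lifetime in seconds

// Token carries its own expiry: hex(random 16 bytes) . '|' . expires-at.
function csrf_new_token(int $now, int $ttl = CSRF_TTL): string {
    return bin2hex(random_bytes(16)) . '|' . ($now + $ttl);
}

// Controller side: issue the token as a Secure, HttpOnly cookie and make it
// visible to the view rendered in this same request.
function csrf_set_cookie(int $now): string {
    $token = csrf_new_token($now);
    setcookie(CSRF_COOKIE, $token, $now + CSRF_TTL, '/', '', true, true);
    $_COOKIE[CSRF_COOKIE] = $token;
    return $token;
}

// View side: the hidden field that form_open() would carry.
function csrf_hidden_field(string $token): string {
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Input side: the posted field must equal the cookie (constant-time compare)
// and the expiry embedded in the token must still be in the future.
function csrf_verify(array $post, array $cookies, int $now): bool {
    $field  = $post[CSRF_FIELD]      ?? '';
    $cookie = $cookies[CSRF_COOKIE]  ?? '';
    if ($field === '' || $cookie === '' || !hash_equals($cookie, $field)) {
        return false;                      // missing or mismatched token
    }
    $parts = explode('|', $cookie, 2);
    return count($parts) === 2
        && preg_match('/^\d+$/', $parts[1]) === 1
        && (int) $parts[1] > $now;         // reject an expired token
}

// Worked run with constructed values (no real browser involved).
$now   = time();
$token = csrf_set_cookie($now);
echo csrf_hidden_field($token), "\n";
var_dump(csrf_verify([CSRF_FIELD => $token], $_COOKIE, $now));         // valid
var_dump(csrf_verify([CSRF_FIELD => 'other'], $_COOKIE, $now));        // mismatch
var_dump(csrf_verify([CSRF_FIELD => $token], $_COOKIE, $now + 8000));  // expired
```

Because the compare is against a cookie the browser sends automatically, the check only holds if the hidden field cannot be read cross-origin, so the token must never be exposed via a GET URL or a readable cross-site response.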