How to disable CSRF temporaly for callback controllers ?

[eluser]Ricardo Martins[/eluser]
I have a controller method witch will receive periodical post`s from a third webservice.
So, I need to disable CSRF only on this method. How do I do that?

I tried to make a hook, butI should need to put it into pre_system but I also cant disable it because CI_Controller is not initialized at this point.
For now, I just put

Code:

if(strpos($_SERVER["REQUEST_URI"],'carrinho/retorno_checkout') !== FALSE)
refurn;

with a hammer into Security.php class (csrf_verify). =/

Thanks

[eluser]Ricardo Martins[/eluser]
Anyone please?

[eluser]CappY[/eluser]
I just done it by adding that to config.php:

Code:

if(stripos($_SERVER["REQUEST_URI"],'/controller') === FALSE)
{
    $config['csrf_protection'] = TRUE;
}
else
{
    $config['csrf_protection'] = FALSE;
}

I don't know how much it's reliable, but it works for me.
And it's done with NO core hacking.

[eluser]Ricardo Martins[/eluser]
Hi Cappy,
That's good. It's sad to think that CI doesn't have a way to do with it nativelly.

But I'm sure your way is very better than mine.

Thanks for helping me. =]

[eluser]InsiteFX[/eluser]

Code:

$this->config->set_item('csrf_protection', FALSE);
$this->config->set_item('csrf_protection', TRUE);

InsiteFX

[eluser]CappY[/eluser]
[quote author="InsiteFX" date="1299715566"]

Code:

$this->config->set_item('csrf_protection', FALSE);
$this->config->set_item('csrf_protection', TRUE);

InsiteFX[/quote]
That won't work. Input class is initiallized before Controller loading.

[eluser]InsiteFX[/eluser]
You could try this also: I tested it and it does change the variable in the Input Class.

Code:

$this->input->_enable_csrf = FALSE;
$this->input->_enable_csrf = TRUE;

If this will not work then the input Class would need to be extended!

InsiteFX

[eluser]oskarols[/eluser]
[quote author="InsiteFX" date="1299755786"]You could try this also: I tested it and it does change the variable in the Input Class.

Code:

$this->input->_enable_csrf = FALSE;
$this->input->_enable_csrf = TRUE;

If this will not work then the input Class would need to be extended!

InsiteFX[/quote]

That won't work either, since the CSRF-check is executed in the constructor of the Input class.

I went with doing a pre-system hook to solve this:

Code:

function disable_if_callback()
{    
    if(stripos($_SERVER["REQUEST_URI"],'/mypage') !== FALSE)
    {
        $CFG =& load_class('Config', 'core');
        $CFG->set_item('csrf_protection', FALSE);
    }
}

[eluser]Eric Cope[/eluser]
Is there a reason the csrf work wasn't done within the form_validation class?

[eluser]Ricardo Martins[/eluser]
Yes. Maybe because they wanted to make it more secure. If you forget to load the form_validation class your app wouldnt validate CSRF.

Thank you 'oskarols'. I've implemented the hook and it works perfectly and better.
I tried to make a hook, but didn't try with load_class() function.


Thanks a lot.