Custom CSRF

[eluser]Ali Fattahi[/eluser]
Hello dear friends,
I have a problem with CSRF.
I've enabled csrf_protection in my config file and it is working well in my forms, but I have some URLs (like a bank's callback URL) where the bank sends me information about an invoice or a payment, and CSRF protection does not allow me to get information from those URLs.
How can I solve this problem or make an exception for some URLs?

Best Regards

[eluser]Ali Fattahi[/eluser]
Isn't there any idea for this problem?

I had a similar issue. What I'm thinking of doing is something like this.

In my config I'm going to create an entry like this:
$config['csfr_exclusions'] = array('controller1' => array('method1', 'method2'));

Then I created a MY_Input class and put this code in the constructor:
        $CFG =& load_class('Config');
        $SEC =& load_class('Security');
        $RTE =& load_class('Router');

        $this->security =& $SEC;
        $this->router   =& $RTE;
        $this->config   =& $CFG;

In the MY_Input class's _sanitize_globals() method, I changed the call to csrf_verify to a method in the MY_Input class:
        if ($this->_enable_csrf == TRUE)
            $this->csrf_verify(); // MY_Input::csrf_verify(), defined below

Then I created this method in MY_Input class:
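function csrf_verify() {
        $controller = $this->router->fetch_class();
        $method = $this->router->fetch_method();
        $csrf_exclusions = config_item('csfr_exclusions');
        // config_item() returns FALSE when the key is missing, so check for an array first
        if (is_array($csrf_exclusions) && array_key_exists($controller, $csrf_exclusions)) {
                $excluded = (in_array($method, $csrf_exclusions[$controller])) ? TRUE : FALSE;
        } else {
                $excluded = FALSE;
        }
        if ($excluded != TRUE) {
                // Not excluded: run the Security class's normal CSRF check
                $this->security->csrf_verify();
        }
}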
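
The exclusion lookup from the post above as a stand-alone function that keeps the CSRF check on whenever the configuration is missing or malformed. This is an added example, not code from the thread or from CodeIgniter; the function name `csrf_check_required` and the sample controller and method names are hypothetical.

```php
<?php
// Added example, not from the thread. Returns TRUE when the CSRF check must
// run. $exclusions has the shape used in the post: controller => list of methods.
function csrf_check_required($exclusions, $controller, $method)
{
    // config_item() returns FALSE for a missing key. Anything that is not an
    // array means "no exclusions", so the check still runs.
    if (!is_array($exclusions) || !is_string($controller) || !is_string($method)) {
        return true;
    }
    // The controller must be listed, and its entry must itself be a list.
    if (!array_key_exists($controller, $exclusions) || !is_array($exclusions[$controller])) {
        return true;
    }
    // Third argument TRUE forces strict comparison. Without it, PHP versions
    // before 8 treat 'index' == 0 as true, so a stray integer in the list
    // would exempt every non-numeric method name of that controller.
    return !in_array($method, $exclusions[$controller], true);
}

// Constructed sample configuration (hypothetical names).
$exclusions = array(
    'payment' => array('bank_callback'), // the one intended exemption
    'broken'  => 'bank_callback',        // malformed: string instead of array
    'loose'   => array(0),               // malformed: integer entry
);

// Constructed sample requests as (controller, method) pairs.
$requests = array(
    array('payment', 'bank_callback'), // listed pair
    array('payment', 'refund'),        // same controller, method not listed
    array('account', 'bank_callback'), // same method name, other controller
    array('broken',  'bank_callback'), // malformed entry
    array('loose',   'index'),         // would match array(0) under loose comparison
);

foreach ($requests as $r) {
    list($c, $m) = $r;
    $state = csrf_check_required($exclusions, $c, $m) ? 'run' : 'skipped';
    printf("%-8s %-14s csrf check: %s\n", $c, $m, $state);
}
```

Only the exact `payment`/`bank_callback` pair skips the check; every other request, including those that hit the malformed entries, is still verified.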

[eluser]Ali Fattahi[/eluser]
Thanks so much

[eluser]Ali Fattahi[/eluser]
I tried it and it is working fine :>
