CSRF and double posting

(06-20-2016, 11:18 AM)spjonez Wrote:
Code:
$config['csrf_regenerate'] = TRUE;

Disable this setting, it adds nothing to security and will only make your life harder. Especially if you use a lot of AJAX or concurrent AJAX requests.

1. Disable this setting
No. I do not want double posting from the back button. If a user wants to add data then they need to request the form.

2. It adds nothing to security
There is debate about this even in the link you posted and, on further reading, you can do it per request, per session, per form, per url, per successful submission or per time-span. It has to change at some point otherwise it is useless. The most secure is per request, the least secure is per-session (if we discount a silly site wide, permanent global token of course). This is because of the potential for leaking the token in some other way. Something is better than nothing of course, and none of them are unbreakably secure.

3. It will only make your life harder
Yes it will. And it does. And it is a pain in the arse. It would be much better to say to a user, tell me who you are and I trust the world, I will not bother with any security at all. Just tell me your email address and I will fetch all your data for you. It is interesting to read about, but I am not a security professional by any stretch of the imagination; there are numerous debates about this online that I have read and even now, with my very limited understanding, I can see people writing stuff that is very confused or simply wrong.

4. Especially if you use a lot of AJAX or concurrent AJAX requests
Yes, I do use AJAX, but try to avoid concurrent AJAX requests. AJAX has caused me so many headaches from a security point of view and seems to open everything up to abuse. Having the token regenerated at every request gives me a lot of comfort. A standard piece of JS that updates the token values and reads them for all AJAX calls seems to fix all the issues too, with a tiny JS function that remains the same on every page.

The main reason people give for not regenerating the token per request is that it is difficult to implement or to upgrade an existing website/framework that does not currently do it. This is not an issue in my case. CI does it for me (Thank you CI) and it is a new site.

The original post was not about double posting in the traditional 'back button' way, but a very quick double click in chrome resubmitting a form twice almost instantaneously. Disabling the regeneration of the CSRF token would do nothing for that.

CSRF is not about double posting (although it can help with it in certain cases/setups). In my later posts I realised that I was expecting CSRF to deal with something it had nothing to do with. Hence my JS solution works fine for now, and what's more, I can adapt it to be included in my standard JS script to apply to every form, so problem understood and solved.

Thank you for your suggestion, though, about the

Quote: Header always append X-Frame-Options SAMEORIGIN

I think that is probably very good advice and worth doing.

Paul.
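The client-side approach Paul describes above (a small script that keeps the per-request CSRF token current for AJAX calls and forms, plus a guard against a fast double click) as an added example; this is not code from the thread or from CodeIgniter itself. It assumes CodeIgniter 3's default names, cookie `csrf_cookie_name` and field `csrf_test_name`, and a browser that sends the cookie with every request.

```javascript
// Added example, not CodeIgniter's own code. Assumes CI3 default names:
// the regenerated token is delivered in cookie "csrf_cookie_name" and
// must be posted back in field "csrf_test_name".
const CSRF_COOKIE = 'csrf_cookie_name';
const CSRF_FIELD = 'csrf_test_name';

// Pull one cookie value out of a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return decodeURIComponent(v.join('='));
  }
  return null;
}

// Build the POST body for an AJAX call, always carrying the latest token.
// With csrf_regenerate on, the cookie is the only place the current token
// lives after an earlier AJAX response, so read it freshly every time.
function withCsrfToken(fields, cookieString) {
  const token = readCookie(cookieString, CSRF_COOKIE);
  if (!token) throw new Error('CSRF cookie missing; request the form again');
  return Object.assign({}, fields, { [CSRF_FIELD]: token });
}

// Double-submit guard: the first call is allowed, repeats inside windowMs
// are rejected. This is what stops a quick double click, which CSRF
// token regeneration does not address. Clock is injectable for testing.
function makeSubmitGuard(windowMs, now = Date.now) {
  let lastSubmit = -Infinity;
  return function allow() {
    const t = now();
    if (t - lastSubmit < windowMs) return false;
    lastSubmit = t;
    return true;
  };
}

// Browser wiring (skipped when run outside a page, e.g. under Node).
// One page-wide guard keeps the example short; use one per form if the
// page legitimately submits several forms within two seconds.
if (typeof document !== 'undefined') {
  const guard = makeSubmitGuard(2000);
  document.addEventListener('submit', (ev) => {
    if (!guard()) { ev.preventDefault(); return; }
    // Refresh the hidden field from the cookie so a page rendered before
    // an AJAX call (or reached via the back button) never posts a stale token.
    const field = ev.target.querySelector(`input[name="${CSRF_FIELD}"]`);
    if (field) field.value = readCookie(document.cookie, CSRF_COOKIE) || '';
  });
}
```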