CSRF regenerate with AJAX
#2

(This post was last modified: 04-14-2020, 06:54 PM by Gary.)

I've also been fiddling with the CSRF filter recently, and provided 'csrf' is uncommented in $globals, it will be inserted automatically in every form CI generates.  For example, on my test server, <?php echo form_open();?> generates this:
Code:
<form action="https://pig.pen/" method="post" accept-charset="utf-8">
<input type="hidden" name="csrf_token_name" value="4e01754b75479ae926ed73ea2a6aa86b">

If one generates the form manually, it won't be inserted automatically (or if the form's action="..." references another site).

Although it comes down to personal preferences, I generally don't bother with settings in the .env for anything (primarily because all of these settings seem to be available elsewhere too, and I lose track of what's set where).

Provided your page is regenerated EVERY time there's a submission, the csrf values on all the forms will automatically be regenerated.  I found the headache comes when the page isn't regenerated, and you need a new csrf value for each of the (many) possible ajax submission links on the (same, unupdated) page.  Setting $CSRFRegenerate = FALSE; makes this headache go away... though many believe that this compromises security enough to warrant going the extra 1 mile.

I've put a few other security mechanisms in place to mitigate the risk, and may come back to it later.  I suspect one easy way (if there are many possible ajax submissions from a (static) page) would be to have all the PHP functions that accept ajax submissions return a new csrf token in their reply, which the ajax success routine would then store as a global, to use in the next submission it (or perhaps a different ajax submission routine) makes.
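The token-rotation scheme described in the post above, as an added example that is neither Gary's code nor the CodeIgniter project's: the client keeps one shared store of the current hash, sends it with every AJAX submission, and replaces it from each reply. Assumed names (not from the post): the token field is 'csrf_token_name' as in the form output above, each JSON reply carries the next hash as 'csrf_hash', and the server side is simulated so the snippet runs offline; in a browser the transport would wrap fetch().

```javascript
// Shared on the page: the hash rendered into the HTML at page load
// (constructed value) and, later, the last hash returned by any AJAX reply.
const csrfStore = { name: 'csrf_token_name', hash: '4e01754b75479ae926ed73ea2a6aa86b' };

// Build the POST body, always attaching the freshest token the page holds.
function buildBody(fields, store) {
  return new URLSearchParams({ ...fields, [store.name]: store.hash }).toString();
}

// After a successful reply, keep the new hash for the next submission,
// whichever AJAX routine on the page makes it. Returns the hash now in use.
function applyReply(reply, store) {
  if (reply.status === 200 && typeof reply.body.csrf_hash === 'string') {
    store.hash = reply.body.csrf_hash;
  }
  return store.hash;
}

// Simulated endpoint behaving like CI with regeneration left on: it rejects a
// stale or missing token, otherwise rotates it and echoes the new one back.
function makeFakeServer(initialHash) {
  let serverHash = initialHash;
  let n = 0;
  return function handle(body) {
    const params = new URLSearchParams(body);
    if (params.get('csrf_token_name') !== serverHash) {
      return { status: 403, body: { error: 'The action you requested is not allowed.' } };
    }
    n += 1;
    serverHash = `rotated-${n}`; // constructed; the framework would issue random hex
    return { status: 200, body: { saved: params.get('field'), csrf_hash: serverHash } };
  };
}

// One round trip: send the current token, then adopt the one in the reply.
function ajaxSubmit(transport, fields, store = csrfStore) {
  const reply = transport(buildBody(fields, store));
  applyReply(reply, store);
  return reply;
}
```

A routine that keeps its own copy of the page-load hash instead of reading the shared store is rejected on its first call once any other routine has rotated the token, which is why the store has to be page-global.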




