New more Secure Auto Routing
#11

(02-20-2023, 04:49 PM)sneakyimp Wrote: As for CSRF filtering being implemented by filters, I am torn. I certainly make use of this filtering, but I'm not sure there is any problem that it only applies to POST operations? I wouldn't profess to be an expert, but I have difficulty seeing how a GET operation is at risk for CSRF? In my case, if I'm expecting an operation to be POST, I always enforce that in the controller method. On the other hand, if we should enforce CSRF for GET operations, shouldn't the CSRF functionality be improved to also include GET operations?

First, no developer should write code that performs any significant processing (the kind that requires CSRF protection) when the request method is GET, because the GET method is defined as a safe method.
However many times you send the same GET request, the result should be the same.
It does not change the application state.

When a GET request is safe, we do not need to protect it against CSRF. So the CSRF filter does not protect GET requests.

Therefore, if you use Auto Routing (Legacy), you must check in the controller method whether the request method is POST (or PUT/DELETE),
because Auto Routing (Legacy) can route a GET request to the controller method automatically.
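The check described in the reply above, written out as an added example that is not code from the forum post or from the CodeIgniter project itself. It assumes a CodeIgniter 4 application; the `Account` controller, its `show`/`delete` methods and the `account/...` paths are hypothetical names. The state-changing method rejects anything but POST, so that even when Auto Routing (Legacy) maps a GET request onto it, the request never reaches the code the CSRF filter was meant to guard.

```php
<?php
// Added example (not from the forum post or the framework): a CodeIgniter 4
// controller that enforces the request method itself, because the CSRF filter
// only validates POST bodies and Auto Routing (Legacy) will happily route a
// GET request to any public controller method. Names are hypothetical.

namespace App\Controllers;

use CodeIgniter\HTTP\ResponseInterface;

class Account extends BaseController
{
    // Safe method: a GET only reads state, so no CSRF token is involved and
    // repeating the request any number of times changes nothing.
    public function show(): string
    {
        return view('account/show');
    }

    // State-changing action: must be POST (or PUT/DELETE). A GET that reaches
    // this method would bypass the CSRF filter entirely, so refuse it here.
    public function delete(): ResponseInterface
    {
        // strtoupper() keeps the comparison portable across CI4 releases,
        // which have returned the method name in lower- or upper-case.
        $method = strtoupper($this->request->getMethod());

        if (! in_array($method, ['POST', 'DELETE'], true)) {
            return $this->response
                ->setStatusCode(405)
                ->setHeader('Allow', 'POST, DELETE')
                ->setBody('Method Not Allowed');
        }

        // The CSRF filter has already validated the token for POST by the
        // time we get here (assuming it is enabled globally, see below).
        // ... perform the deletion ...

        return redirect()->to('/account');
    }
}

/*
 * Two settings in app/Config that complement the in-controller check
 * (assumed, standard CodeIgniter 4 configuration):
 *
 * app/Config/Filters.php - run the CSRF filter before every request;
 * it validates POST bodies only, which is why GET must stay side-effect free:
 *
 *     public $globals = [
 *         'before' => ['csrf'],
 *     ];
 *
 * app/Config/Routes.php - prefer explicit, method-restricted routes and turn
 * auto routing off, so a GET cannot be mapped onto a state-changing method
 * in the first place:
 *
 *     $routes->setAutoRoute(false);
 *     $routes->get('account', 'Account::show');
 *     $routes->post('account/delete', 'Account::delete');
 */
```

The method check in the controller is the last line of defence; the route definitions are what prevent the mismatch from occurring at all, since a `$routes->post()` route simply does not match a GET request.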



